a3x/nyaa
1
0
Fork 0
mirror of https://gitlab.com/SIGBUS/nyaa.git synced 2025-04-23 00:22:54 +00:00
Code Issues Projects Releases Wiki Activity

Comment deletion: fix small lack of validation ()

Browse source 
People could delete their own comments on torrents other than
the one the URL would indicate, which meant they could mess with
the total comment count on a torrent by having it be higher than
it actually is through repeatedly posting and deleting comments
that way.

However, they could only ever delete their own comments, so this
isn't a huge issue in the first place.
This commit is contained in:
Nicolas F 2017-10-29 19:01:19 +01:00 committed by Anna-Maria Meriniemi
parent ca7dc276e2
commit 7095567b29
1 changed files with 3 additions and 0 deletions

3
nyaa/views/torrents.py
View file

@ -342,6 +342,9 @@ def delete_comment(torrent_id, comment_id):
if not (comment.user.id == flask.g.user.id or flask.g.user.is_moderator):
flask.abort(403)
if torrent_id != comment.torrent_id:
flask.abort(400)
db.session.delete(comment)
db.session.flush()
torrent.update_comment_count()