mirror of https://gitlab.com/SIGBUS/nyaa.git synced 2024-12-22 15:40:00 +00:00

Comment deletion: fix small lack of validation (#395)

People could delete their own comments on torrents other than
the one the URL would indicate, which meant they could mess with
the total comment count on a torrent by having it be higher than
it actually is through repeatedly posting and deleting comments
that way.

However, they could only ever delete their own comments, so this
isn't a huge issue in the first place.
Nicolas F 2017-10-29 19:01:19 +01:00 committed by Anna-Maria Meriniemi
parent ca7dc276e2
commit 7095567b29

@ -342,6 +342,9 @@ def delete_comment(torrent_id, comment_id):
if not (comment.user.id == flask.g.user.id or flask.g.user.is_moderator): if not (comment.user.id == flask.g.user.id or flask.g.user.is_moderator):
flask.abort(403) flask.abort(403)
if torrent_id != comment.torrent_id:
flask.abort(400)
db.session.delete(comment) db.session.delete(comment)
db.session.flush() db.session.flush()
torrent.update_comment_count() torrent.update_comment_count()
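
Review bot: the new `torrent_id != comment.torrent_id` check in `delete_comment` runs after the ownership/moderator check, so the same mismatched URL yields 403 for one caller and 400 for another. Consider testing the mismatch before the permission check and returning 404 rather than 400, since no such comment exists under that torrent. A regression test would also help here: post a comment on one torrent, attempt the delete through a different torrent's URL, and assert that the request is rejected and that neither torrent's comment count changes.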