From 8ee687cb89e41acdaf328bed6656cf448e62ad68 Mon Sep 17 00:00:00 2001
From: Nicolas F
Date: Thu, 22 Aug 2019 11:55:11 +0200
Subject: [PATCH] backend: count IP uploads in the user ratelimit

Users could double their ratelimit by uploading some torrents as anonymous submissions, then log into their account and post more. We can stop this by making the filter_uploader helper function use an sqlalchemy.or_ query to check for uploads from either that user or that user's IP.
---
 nyaa/backend.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/nyaa/backend.py b/nyaa/backend.py
index 2bf9849..e0b0aa7 100644
--- a/nyaa/backend.py
+++ b/nyaa/backend.py
@@ -139,7 +139,9 @@ def check_uploader_ratelimit(user):
 def filter_uploader(query):
 if user:
- return query.filter(Torrent.user == user)
+ return query.filter(sqlalchemy.or_(
+ Torrent.user == user,
+ Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed))
 else:
 return query.filter(Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed)
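Review bot: The new `sqlalchemy.or_` branch in `filter_uploader` matches every torrent recorded from the request IP, not only anonymous ones, so a logged-in user on a shared address (NAT, VPN, or a reverse proxy if `flask.request.remote_addr` is not the real client address in this deployment) is now rate-limited by uploads that other accounts made from that address. If only anonymous uploads are meant to count, as the commit message describes, the IP operand could be paired with a `Torrent.user == None` condition; if the broader match is intended, a comment such as `# counts all uploads from this IP, including other accounts` would make that explicit. The expression `ip_address(flask.request.remote_addr).packed` is now repeated in both branches and could be computed once before the `if`. The diffstat shows no import added, so `sqlalchemy` is presumably already imported in `nyaa/backend.py`; worth confirming. The enclosing `check_uploader_ratelimit` starts and ends outside the hunk.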