a3x/nyaa
1
0
Fork 0
mirror of https://gitlab.com/SIGBUS/nyaa.git synced 2024-12-21 16:50:01 +00:00
Code Issues Projects Releases Wiki Activity

backend: count IP uploads in the user ratelimit (#583)

Browse source 
Users could double their ratelimit by uploading some torrents as
anonymous submissions, then log into their account and post more.

We can stop this by making the filter_uploader helper function use
an sqlalchemy.or_ query to check for uploads from either that user
or that user's IP.
This commit is contained in:
Nicolas F 2019-08-22 14:22:12 +02:00 committed by A nyaa developer
parent 532439356f
commit 97c32a483f
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
nyaa/backend.py
View file

@ -139,7 +139,9 @@ def check_uploader_ratelimit(user):
def filter_uploader(query):
if user:
return query.filter(Torrent.user == user)
return query.filter(sqlalchemy.or_(
Torrent.user == user,
Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed))
else:
return query.filter(Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed)