a3x/nyaa
1
0
Fork 0
mirror of https://gitlab.com/SIGBUS/nyaa.git synced 2025-03-30 08:01:46 +00:00
Code Issues Projects Releases Wiki Activity

backend: count IP uploads in the user ratelimit ()

Browse source 
Users could double their ratelimit by uploading some torrents as
anonymous submissions, then log into their account and post more.

We can stop this by making the filter_uploader helper function use
an sqlalchemy.or_ query to check for uploads from either that user
or that user's IP.
This commit is contained in:
Nicolas F 2019-08-22 14:22:12 +02:00 committed by A nyaa developer
parent 532439356f
commit 97c32a483f
1 changed files with 3 additions and 1 deletions

4
nyaa/backend.py
View file

@ -139,7 +139,9 @@ def check_uploader_ratelimit(user):
def filter_uploader(query):
if user:
return query.filter(Torrent.user == user)
return query.filter(sqlalchemy.or_(
Torrent.user == user,
Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed))
else:
return query.filter(Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed)