From 97c32a483f2e5c553b8a01e147d441b06b48a195 Mon Sep 17 00:00:00 2001
From: Nicolas F
Date: Thu, 22 Aug 2019 14:22:12 +0200
Subject: [PATCH] backend: count IP uploads in the user ratelimit (#583)

Users could double their ratelimit by uploading some torrents as anonymous submissions, then log into their account and post more. We can stop this by making the filter_uploader helper function use an sqlalchemy.or_ query to check for uploads from either that user or that user's IP.
---
 nyaa/backend.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nyaa/backend.py b/nyaa/backend.py
index 2bf9849..e0b0aa7 100644
--- a/nyaa/backend.py
+++ b/nyaa/backend.py
@@ -139,7 +139,9 @@ def check_uploader_ratelimit(user):
 def filter_uploader(query):
 if user:
- return query.filter(Torrent.user == user)
+ return query.filter(sqlalchemy.or_(
+ Torrent.user == user,
+ Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed))
 else:
 return query.filter(Torrent.uploader_ip == ip_address(flask.request.remote_addr).packed)
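Review bot: The logged-in branch of `filter_uploader` now also matches on `flask.request.remote_addr`, so accounts behind a shared address (NAT, VPN, or a reverse proxy whose forwarded headers are not unwrapped before this runs) are counted against each other's uploads, not only against their own anonymous ones. Whether that is acceptable depends on deployment details this hunk does not show; if it is intended, say so in a comment such as `# IP clause also counts other accounts on the same address; remote_addr must be the real client IP`. The packed-address expression is now repeated in both branches, so hoisting it once, `uploader_ip = ip_address(flask.request.remote_addr).packed`, keeps the two filters from drifting apart. `check_uploader_ratelimit` starts above the hunk, so how the resulting count is used is not visible here.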