from flask_login import current_user
from flask import redirect, url_for, flash, abort
from sqlalchemy import desc
from app import app, db
from config import V5Config
from app.utils.render import render
from app.forms.forum import CommentForm, AnonymousCommentForm
from app.models.thread import Thread
from app.models.comment import Comment
from app.models.user import Guest
from app.models.attachment import Attachment
from datetime import datetime
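@app.route('/forum/<forum:f>/<topicpage:page>', methods=['GET', 'POST'])
def forum_topic(f, page):
    """Show one page of a topic and handle a reply posted to it.

    `f` is the forum taken from the URL. `page` arrives as a pair that is
    unpacked into the topic and a page number; a page number of -1 selects
    the last page of the thread.

    Aborts with 403 when the visitor may not read the forum, or submits a
    valid reply without being allowed to post, and with 404 when the topic
    does not belong to `f`.
    """
    t, page = page

    # Read access: a forum that is not accessible by default requires an
    # authenticated user who can access it. Authentication is tested first
    # because current_user is not a Guest when logged out, so can_*() cannot
    # be called on it directly.
    if not f.is_default_accessible() and not (
            current_user.is_authenticated and current_user.can_access_forum(f)):
        abort(403)

    # Quick n' dirty workaround to converters. Every permission check in this
    # view is made on `f`, so this comparison is what ties those checks to the
    # topic actually displayed; keep it ahead of any read or write on `t`.
    if f != t.forum:
        abort(404)

    if current_user.is_authenticated:
        form = CommentForm()
    else:
        form = AnonymousCommentForm()

    if form.validate_on_submit():
        # Write access is decided per visitor. A member always goes through
        # the per-forum check; ENABLE_GUEST_POST only opens posting to
        # anonymous visitors and must not short-circuit a member's forum
        # permissions, which `ENABLE_GUEST_POST or (...)` did.
        # NOTE(review): guests are not checked against the forum itself here;
        # Forum.is_default_postable() may be the right test - confirm.
        if current_user.is_authenticated:
            may_post = current_user.can_post_in_forum(f)
        else:
            may_post = V5Config.ENABLE_GUEST_POST
        if not may_post:
            # Refuse explicitly instead of silently re-rendering the page.
            abort(403)

        # Manage author
        if current_user.is_authenticated:
            author = current_user
        else:
            author = Guest(form.pseudo.data)
            db.session.add(author)

        # Create comment
        c = Comment(author, form.message.data, t.thread)
        db.session.add(c)
        db.session.commit()
        # NOTE(review): attachments come straight from the request;
        # presumably size and type limits are enforced by the form or by
        # create_attachments() - confirm.
        c.create_attachments(form.attachments.data)

        # Update member's xp and trophies
        if current_user.is_authenticated:
            current_user.add_xp(1)  # 1 point for a comment
            current_user.update_trophies('new-post')

        flash('Message envoyé', 'ok')
        # Redirect to empty the form
        return redirect(url_for('forum_topic', f=f, page=(t, "fin"),
                                _anchor=c.id))

    # Update views
    t.views += 1
    db.session.merge(t)
    db.session.commit()

    if page == -1:
        page = (t.thread.comments.count() - 1) // Thread.COMMENTS_PER_PAGE + 1

    # Keyword arguments keep this call valid on Flask-SQLAlchemy releases
    # where paginate() no longer accepts positional parameters.
    comments = t.thread.comments.order_by(Comment.date_created.asc()) \
        .paginate(page=page, per_page=Thread.COMMENTS_PER_PAGE,
                  error_out=True)

    # Anti-necropost: `outdated` is the number of whole days since the most
    # recently modified comment once that delay reaches NECROPOST_LIMIT, and
    # None otherwise. A thread without comments yields None instead of
    # failing on the missing row.
    last_com = t.thread.comments.order_by(desc(Comment.date_modified)).first()
    outdated = None
    if last_com is not None:
        inactive = datetime.now() - last_com.date_modified
        if inactive >= V5Config.NECROPOST_LIMIT:
            outdated = inactive.days

    return render('/forum/topic.html', t=t, form=form, comments=comments,
                  outdated=outdated)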