From ae24433b8c4816f3ba692d5a698425b2690bbf18 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:03:34 -0700 Subject: [PATCH 1/4] Update StatusController, restrict edits to 24 hours --- app/Http/Controllers/StatusController.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/StatusController.php b/app/Http/Controllers/StatusController.php index a5e9e09d..ef1d5939 100644 --- a/app/Http/Controllers/StatusController.php +++ b/app/Http/Controllers/StatusController.php @@ -229,8 +229,8 @@ class StatusController extends Controller $user = Auth::user()->profile; $status = Status::whereProfileId($user->id) ->with(['media']) + ->where('created_at', '>', now()->subHours(24)) ->findOrFail($id); - return view('status.edit', compact('user', 'status')); } @@ -240,6 +240,7 @@ class StatusController extends Controller $user = Auth::user()->profile; $status = Status::whereProfileId($user->id) ->with(['media']) + ->where('created_at', '>', now()->subHours(24)) ->findOrFail($id); $this->validate($request, [ @@ -254,7 +255,7 @@ class StatusController extends Controller $media = Media::whereProfileId($user->id) ->whereStatusId($status->id) - ->find($id); + ->findOrFail($id); $changed = false; @@ -263,7 +264,7 @@ class StatusController extends Controller $changed = true; } - if ($media->filter_class != $filter) { + if ($media->filter_class != $filter && in_array($filter, Filter::classes())) { $media->filter_class = $filter; $changed = true; } From 51fbfcdcf7cd01d3be360056a4c7f120239ee24c Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:07:09 -0700 Subject: [PATCH 2/4] Update RateLimit, add max post edits per hour and day --- app/Util/RateLimit/User.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/app/Util/RateLimit/User.php b/app/Util/RateLimit/User.php index c6cbf85c..796e0fca 100644 --- a/app/Util/RateLimit/User.php +++ b/app/Util/RateLimit/User.php @@ -113,4 +113,14 @@ trait User { { return 35; } + + public function getMaxPostEditsPerHourAttribute() + { + return 10; + } + + public function getMaxPostEditsPerDayAttribute() + { + return 20; + } } \ No newline at end of file From d366adab7dac0678246480cebc2d7ac3a0691977 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:08:12 -0700 Subject: [PATCH 3/4] Update web routes, add rate limits to post edit endpoint --- routes/web.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routes/web.php b/routes/web.php index ea77b10d..b4c75426 100644 --- a/routes/web.php +++ b/routes/web.php @@ -405,7 +405,7 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact Route::get('p/{username}/{id}/c', 'CommentController@showAll'); Route::get('p/{username}/{id}/embed', 'StatusController@showEmbed'); Route::get('p/{username}/{id}/edit', 'StatusController@edit'); - Route::post('p/{username}/{id}/edit', 'StatusController@editStore'); + Route::post('p/{username}/{id}/edit', 'StatusController@editStore')->middleware('throttle:maxPostEditsPerHour,60')->middleware('throttle:maxPostEditsPerDay,1440'); Route::get('p/{username}/{id}.json', 'StatusController@showObject'); Route::get('p/{username}/{id}', 'StatusController@show'); Route::get('{username}/embed', 'ProfileController@embed'); From 28bc9c192349911ccc6c15aac15a818295446472 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 23:04:25 -0700 Subject: [PATCH 4/4] Update status edit view --- app/Http/Controllers/Api/ApiV1Controller.php | 7 +++++-- app/Http/Controllers/Api/BaseApiController.php | 8 ++++++-- resources/views/status/edit.blade.php | 7 ++----- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php index 61948f94..442ce41b 100644 --- a/app/Http/Controllers/Api/ApiV1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Controller.php @@ -978,6 +978,9 @@ class ApiV1Controller extends Controller } } + $filterClass = in_array($request->input('filter_class'), Filter::classes()) ? $request->input('filter_class') : null; + $filterName = in_array($request->input('filter_name'), Filter::names()) ? $request->input('filter_name') : null; + $monthHash = hash('sha1', date('Y').date('m')); $userHash = hash('sha1', $user->id . (string) $user->created_at); @@ -1001,8 +1004,8 @@ class ApiV1Controller extends Controller $media->size = $photo->getSize(); $media->mime = $photo->getMimeType(); $media->caption = $request->input('description'); - $media->filter_class = $request->input('filter_class'); - $media->filter_name = $request->input('filter_name'); + $media->filter_class = $filterClass; + $media->filter_name = $filterName; $media->save(); switch ($media->mime) { diff --git a/app/Http/Controllers/Api/BaseApiController.php b/app/Http/Controllers/Api/BaseApiController.php index e47d61e5..a3a450c6 100644 --- a/app/Http/Controllers/Api/BaseApiController.php +++ b/app/Http/Controllers/Api/BaseApiController.php @@ -24,6 +24,7 @@ use App\Transformer\Api\{ StatusTransformer }; use League\Fractal; +use App\Util\Media\Filter; use League\Fractal\Serializer\ArraySerializer; use League\Fractal\Pagination\IlluminatePaginatorAdapter; use App\Jobs\AvatarPipeline\AvatarOptimize; @@ -231,6 +232,9 @@ class BaseApiController extends Controller } } + $filterClass = in_array($request->input('filter_class'), Filter::classes()) ? $request->input('filter_class') : null; + $filterName = in_array($request->input('filter_name'), Filter::names()) ? $request->input('filter_name') : null; + $monthHash = hash('sha1', date('Y').date('m')); $userHash = hash('sha1', $user->id . (string) $user->created_at); @@ -253,8 +257,8 @@ class BaseApiController extends Controller $media->original_sha256 = $hash; $media->size = $photo->getSize(); $media->mime = $photo->getMimeType(); - $media->filter_class = $request->input('filter_class'); - $media->filter_name = $request->input('filter_name'); + $media->filter_class = $filterClass; + $media->filter_name = $filterName; $media->save(); $url = URL::temporarySignedRoute( diff --git a/resources/views/status/edit.blade.php b/resources/views/status/edit.blade.php index f16aa2bf..5d7203ad 100644 --- a/resources/views/status/edit.blade.php +++ b/resources/views/status/edit.blade.php @@ -38,7 +38,7 @@ @csrf
- +
@@ -69,12 +69,9 @@ @endsection @push('scripts') -