block suspended users

2020-01-17 08:22:59 -05:00 · 2020-01-17 08:22:59 -05:00 · 35673d4cc5
parent 3c3f49c110
commit 35673d4cc5
2 changed files with 26 additions and 4 deletions
--- a/paws/database.py
+++ b/paws/database.py
@ -67,7 +67,7 @@ def keys(actor):


 def get_handle(userid):
-	user_data = mastodb.query(f'SELECT * FROM public.accounts WHERE id = \'{userid}\'').dictresult()
+	user_data = mastodb.query(f'SELECT username,domain FROM public.accounts WHERE id = \'{userid}\'').dictresult()

 	if len(user_data) < 1:
 		return
@ -102,6 +102,18 @@ def get_bans(suspend=True, details=False):
 	return banlist


+def banned_user_check(access_user):
+	users = mastodb.query('SELECT username, domain FROM accounts WHERE suspended_at is not NULL').dictresult()
+
+	if not users:
+		return
+
+	allbans = [(user['username'].lower(), user['domain'].lower()) for user in users]
+
+	print(allbans)
+	return allbans
+
+
 def ban_check(url):
 	instance = urlparse(url).netloc if url.startswith('http') else url
 	domain = extract(url)
@ -112,11 +124,13 @@ def ban_check(url):
 		if ban in [instance, parsed]:
 			return True

+	
+
 	logging.debug(f'{parsed} not in blocklist')


 def user_ban_check(user, access_user):
-	user_data = mastodb.query(f'SELECT * FROM public.accounts WHERE username = \'{user}\'').dictresult()
+	user_data = mastodb.query(f'SELECT id FROM public.accounts WHERE LOWER(username) = \'{user}\' and domain is NULL').dictresult()

 	if len(user_data) < 1:
 		return
--- a/paws/middleware.py
+++ b/paws/middleware.py
@ -14,7 +14,7 @@ from aiohttp.client_exceptions import *
 from .signature import validate, pass_hash
 from .functions import error, user_check
 from .config import MASTOCONFIG, PAWSCONFIG, VERSION, script_path
-from .database import pawsdb, query, trans, ban_check, user_ban_check
+from .database import pawsdb, query, trans, ban_check, user_ban_check, banned_user_check


 # I'm a little teapot :3
@ -175,7 +175,7 @@ async def http_signatures(app, handler):
 				split_path = request.path.split('/')
 				user = split_path[1].replace('@', '') if request.path.startswith('/@') else split_path[2]

-				if user_ban_check(user, (access_user['handle'].lower(), access_user['instance'])):
+				if user_ban_check(user.lower(), (access_user['handle'].lower(), access_user['instance'])):
 					return render('pages/error.html', request, {'msg': 'Access Denied', 'code': '403'}, status=403)

 		return (await handler(request))
@ -192,6 +192,10 @@ async def http_filter(app, handler):
 				sig_domain = parse_sig(signature, short=True)
 				ua_domain = parse_ua(ua)
 				domain = ua_domain if not sig_domain else sig_domain
+				token = request.cookies.get('paws_token')
+				user_data = pawsdb.users.get(query.token == token)
+				user = (user_data['handle'], user_data['instance'])
+				full_user = f"{user_data['handle']}@{user_data['instance']}"

 				if not domain:
 					raise error(401, 'Can\'t find instance domain')
@ -204,6 +208,10 @@ async def http_filter(app, handler):
 					logging.info(f'Blocked instance: {domain}')
 					raise error(403, 'Forbidden')

+				if banned_user_check(user):
+					logging.info(f'Blocked user: {domain}')
+					return render('pages/error.html', request, {'msg': 'Access Denied', 'code': '403'}, status=403)
+
 		return (await handler(request))
 	return http_filter_handler