Don't allow moderators to remove posts by other moderators

2019-08-13 16:03:34 +01:00 · 2019-08-13 16:03:34 +01:00 · febb4258bd
parent 4a80c94cbe
commit febb4258bd
2 changed files with 39 additions and 6 deletions
--- a/daemon.py
+++ b/daemon.py
@ -30,6 +30,7 @@ from person import isSuspended
 from person import suspendAccount
 from person import unsuspendAccount
 from person import removeAccount
+from person import canRemovePost
 from posts import outboxMessageCreateWrap
 from posts import savePostToBox
 from posts import sendToFollowers
@ -2147,16 +2148,22 @@ class PubServer(BaseHTTPRequestHandler):
                                          self.server.domain, \
                                          self.server.port)
                        else:
+                            # remove a post or thread                            
                            postFilename= \
                                locatePost(self.server.baseDir, \
                                           nickname,self.server.domain, \
                                           moderationText)
-                            if postFilename:                            
-                                deletePost(self.server.baseDir, \
-                                           self.server.httpPrefix, \
-                                           nickname,self.server.omain, \
-                                           postFilename, \
-                                           self.server.debug)
+                            if postFilename:
+                                if canRemovePost(self.server.baseDir, \
+                                                 nickname, \
+                                                 self.server.domain, \
+                                                 self.server.port, \
+                                                 moderationText):                                
+                                    deletePost(self.server.baseDir, \
+                                               self.server.httpPrefix, \
+                                               nickname,self.server.omain, \
+                                               postFilename, \
+                                               self.server.debug)
            self._redirect_headers(actorStr+'/moderation',cookie)
            self.server.POSTbusy=False
            return
--- a/person.py
+++ b/person.py
@ -536,6 +536,32 @@ def suspendAccount(baseDir: str,nickname: str,salts: {}) -> None:
            suspendedFile.close()
            salts[nickname]=createPassword(32)            

+def canRemovePost(baseDir: str,nickname: str,domain: str,port: int,postId: str) -> bool:
+    """Returns true if the given post can be removed
+    """
+    if '/statuses/' not in postId:
+        return False
+
+    domainFull=domain
+    if port:
+        if port!=80 and port!=443:
+            domainFull=domain+':'+str(port)
+
+    # is the post by the admin?
+    adminNickname=getConfigParam(baseDir,'admin')
+    if domainFull+'/users/'+adminNickname+'/' in postId:
+        return False
+
+    # is the post by a moderator?
+    moderatorsFile=baseDir+'/accounts/moderators.txt'
+    if os.path.isfile(moderatorsFile):
+        with open(moderatorsFile, "r") as f:
+            lines = f.readlines()
+        for moderator in lines:
+            if domainFull+'/users/'+moderator.strip('\n')+'/' in postId:
+                return False
+    return True
+
 def removeTagsForNickname(baseDir: str,nickname: str,domain: str,port: int) -> None:
    """Removes tags for a nickname
    """