From de5f688be80e541382c219f1f2931c33bbde9379 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 17 Dec 2020 10:50:19 +0000
Subject: [PATCH] Check that moderator actions are taken by moderators, and not anyone else
---
 daemon.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/daemon.py b/daemon.py
index df395737..c8c1fb2c 100644
--- a/daemon.py
+++ b/daemon.py
@@ -1409,8 +1409,17 @@ class PubServer(BaseHTTPRequestHandler):
 """
 usersPath = path.replace('/moderationaction', '')
 nickname = usersPath.replace('/users/', '')
- actorStr = httpPrefix + '://' + domainFull + usersPath
+ if not isModerator(self.server.baseDir, nickname):
+ if callingDomain.endswith('.onion') and onionDomain:
+ actorStr = 'http://' + onionDomain + usersPath
+ elif (callingDomain.endswith('.i2p') and i2pDomain):
+ actorStr = 'http://' + i2pDomain + usersPath
+ self._redirect_headers(actorStr + '/moderation',
+ cookie, callingDomain)
+ self.server.POSTbusy = False
+ return
+ actorStr = httpPrefix + '://' + domainFull + usersPath
 length = int(self.headers['Content-length'])
 try:
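Review bot: In the new `if not isModerator(...)` branch, `actorStr` is assigned only when the request arrived via `.onion` or `.i2p`, because the default `actorStr = httpPrefix + '://' + domainFull + usersPath` was moved below the guard. Unless `actorStr` is bound earlier in the method (which starts outside this hunk), a non-moderator request on the ordinary domain would raise UnboundLocalError at `self._redirect_headers(actorStr + '/moderation', ...)`. That exception would also skip `self.server.POSTbusy = False`, so the denial path may leave the server flagged busy. Keep the default assignment above the check and let the onion/i2p branches override it. Separately, `nickname` is taken from the request path, so the check only holds if the caller is authenticated as that account elsewhere in the handler, which this hunk does not show; a comment such as `# nickname comes from the URL; caller must already be authenticated as this account` would record that assumption.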