Fix cookie localhost and everyone permission calculation

This commit is contained in:
Jeremy Zhang 2020-09-05 01:01:47 -07:00
parent a3b9e0ff33
commit 70b54a299b
3 changed files with 27 additions and 7 deletions

View File

@ -38,6 +38,7 @@ app.config['RATELIMIT_STORAGE_URL'] = config["redis-uri"]
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=3)
app.config['REDIS_URL'] = config["redis-uri"]
app.config['MAX_CONTENT_LENGTH'] = 4 * 1024 * 1024 # Limit upload size to 4mb
if not config.get("disable-samesite-cookie-flag", False):
app.config['SESSION_COOKIE_SAMESITE'] = "None"
app.secret_key = config['app-secret']

View File

@ -118,7 +118,10 @@ def noscript():
def cookietest1():
js = "window._3rd_party_test_step1_loaded();"
response = make_response(js, 200, {'Content-Type': 'application/javascript'})
if not config.get("disable-samesite-cookie-flag", False):
response.set_cookie('third_party_c_t', "works", max_age=30, samesite='None')
else:
response.set_cookie('third_party_c_t', "works", max_age=30)
return response
@embed.route("/cookietest2")
@ -130,5 +133,8 @@ def cookietest2():
js = js + "false"
js = js + ");"
response = make_response(js, 200, {'Content-Type': 'application/javascript'})
if not config.get("disable-samesite-cookie-flag", False):
response.set_cookie('third_party_c_t', "", expires=0, samesite='None')
else:
response.set_cookie('third_party_c_t', "", expires=0)
return response

View File

@ -259,8 +259,8 @@ def get_channel_permission(channel, guild_id, guild_owner, guild_roles, member_r
# @everyone
for role in guild_roles:
if role["id"] == guild_id:
channel_perm |= role["permissions"]
continue
channel_perm = role["permissions"]
break
# User Guild Roles
for m_role in member_roles:
@ -278,11 +278,24 @@ def get_channel_permission(channel, guild_id, guild_owner, guild_roles, member_r
result["embed_links"] = True
return result
# Apply @everyone allow/deny first since it's special
try:
maybe_everyone = channel["permission_overwrites"][0]
if maybe_everyone["id"] == guild_id:
allows = maybe_everyone["allow"]
denies = maybe_everyone["deny"]
channel_perm = (channel_perm & ~denies) | allows
remaining_overwrites = channel["permission_overwrites"][1:]
else:
remaining_overwrites = channel["permission_overwrites"]
except IndexError:
remaining_overwrites = channel["permission_overwrites"]
denies = 0
allows = 0
# channel specific
for overwrite in channel["permission_overwrites"]:
for overwrite in remaining_overwrites:
if overwrite["type"] == "role" and overwrite["id"] in member_roles:
denies |= overwrite["deny"]
allows |= overwrite["allow"]
@ -290,7 +303,7 @@ def get_channel_permission(channel, guild_id, guild_owner, guild_roles, member_r
channel_perm = (channel_perm & ~denies) | allows
# member specific
for overwrite in channel["permission_overwrites"]:
for overwrite in remaining_overwrites:
if overwrite["type"] == "member" and overwrite["id"] == str(session.get("user_id")):
channel_perm = (channel_perm & ~overwrite['deny']) | overwrite['allow']
break