Disallow editing first party apps via the web interface.

jewel-andraia · Apr 20, 2016 · 543486c · 543486c
1 parent d0a8491
commit 543486c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
@@ -4828,6 +4828,9 @@ def POST_updateapp(self, form, jquery, name, about_url, icon_url,
         if client_id:
             # client_id was specified, updating existing OAuth2Client
             client = OAuth2Client.get_token(client_id)
+            if client.is_first_party() and not c.user_is_admin:
+                form.set_text('.status', _('this app can not be modified from this interface'))
+                return
             if app_type != client.app_type:
                 # App type cannot be changed after creation
                 abort(400, "invalid request")
@@ -4875,6 +4878,10 @@ def POST_adddeveloper(self, form, jquery, client, account):
             return
         if form.has_errors('name', errors.USER_DOESNT_EXIST, errors.NO_USER):
             return
+        if client.is_first_party() and not c.user_is_admin:
+            c.errors.add(errors.DEVELOPER_FIRST_PARTY_APP, field='name')
+            form.set_error(errors.DEVELOPER_FIRST_PARTY_APP, 'name')
+            return
         if client.has_developer(account):
             c.errors.add(errors.DEVELOPER_ALREADY_ADDED, field='name')
             form.set_error(errors.DEVELOPER_ALREADY_ADDED, 'name')
@@ -4897,6 +4904,10 @@ def POST_adddeveloper(self, form, jquery, client, account):
                    client=VOAuth2ClientDeveloper(),
                    account=VExistingUname('name'))
     def POST_removedeveloper(self, form, jquery, client, account):
+        if client.is_first_party() and not c.user_is_admin:
+            c.errors.add(errors.DEVELOPER_FIRST_PARTY_APP, field='name')
+            form.set_error(errors.DEVELOPER_FIRST_PARTY_APP, 'name')
+            return
         if client and account and not form.has_errors('name'):
             client.remove_developer(account)
             if account._id == c.user._id:

diff --git a/r2/r2/lib/errors.py b/r2/r2/lib/errors.py
@@ -138,6 +138,7 @@
         ('BAD_IMAGE', _('image problem')),
         ('DEVELOPER_ALREADY_ADDED', _('already added')),
         ('TOO_MANY_DEVELOPERS', _('too many developers')),
+        ('DEVELOPER_FIRST_PARTY_APP', _('this app can not be modified from this interface')),
         ('INVALID_MODHASH', _("invalid modhash")),
         ('ALREADY_MODERATOR', _('that user is already a moderator')),
         ('CANT_RESTRICT_MODERATOR', _("You can't perform that action because that user is a moderator.")),

diff --git a/r2/r2/templates/prefapps.html b/r2/r2/templates/prefapps.html
@@ -194,6 +194,7 @@ <h3>${app._id}</h3>
                 ${error_field('DEVELOPER_ALREADY_ADDED', 'name')}
                 ${error_field('USER_DOESNT_EXIST', 'name')}
                 ${error_field('NO_USER', 'name')}
+                ${error_field('DEVELOPER_FIRST_PARTY_APP', 'name')}
                 <span class="status"></span>
               </form>
             </td>