febc1d761f
## APIs Restricted for Restricted Users
A restricted user is blocked from performing the following actions, and will typically receive a `403 Forbidden` error:
* **Chat & Notifications:**
* Sending any chat messages (public or private).
* Joining or leaving chat channels.
* Creating new PM channels.
* **User Profile & Content:**
* Uploading a new avatar.
* Uploading a new profile cover image.
* Changing their username.
* Updating their userpage content.
* **Scores & Gameplay:**
* Submitting scores in multiplayer rooms.
* Deleting their own scores (to prevent hiding evidence of cheating).
* **Beatmaps:**
* Rating beatmaps.
* Taging beatmaps.
* **Relationship:**
* Adding friends or blocking users.
* Removing friends or unblocking users.
* **Teams:**
* Creating, updating, or deleting a team.
* Requesting to join a team.
* Handling join requests for a team they manage.
* Kicking a member from a team they manage.
* **Multiplayer:**
* Creating or deleting multiplayer rooms.
* Joining or leaving multiplayer rooms.
## What is Invisible to Normal Users
* **Leaderboards:**
* Beatmap leaderboards.
* Multiplayer (playlist) room leaderboards.
* **User Search/Lists:**
* Restricted users will not appear in the results of the `/api/v2/users` endpoint.
* They will not appear in the list of a team's members.
* **Relationship:**
* They will not appear in a user's friend list (`/friends`).
* **Profile & History:**
* Attempting to view a restricted user's profile, events, kudosu history, or score history will result in a `404 Not Found` error, effectively making their profile invisible (unless the user viewing the profile is the restricted user themselves).
* **Chat:**
* Normal users cannot start a new PM with a restricted user (they will get a `404 Not Found` error).
* **Ranking:**
* Restricted users are excluded from any rankings.
### How to Restrict a User
Insert into `user_account_history` with `type=restriction`.
```sql
-- length is in seconds
INSERT INTO user_account_history (`description`, `length`, `permanent`, `timestamp`, `type`, `user_id`) VALUE ('some description', 86400, 0, '2025-10-05 01:00:00', 'RESTRICTION', 1);
```
---
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
56 lines
1.6 KiB
Python
56 lines
1.6 KiB
Python
import hashlib
|
|
from typing import Annotated
|
|
|
|
from app.dependencies.database import Database
|
|
from app.dependencies.storage import StorageService
|
|
from app.dependencies.user import ClientUser
|
|
from app.utils import check_image
|
|
|
|
from .router import router
|
|
|
|
from fastapi import File, HTTPException
|
|
|
|
|
|
@router.post("/avatar/upload", name="上传头像", tags=["用户", "g0v0 API"])
|
|
async def upload_avatar(
|
|
session: Database,
|
|
content: Annotated[bytes, File(...)],
|
|
current_user: ClientUser,
|
|
storage: StorageService,
|
|
):
|
|
"""上传用户头像
|
|
|
|
接收图片数据,验证图片格式和大小后存储到存储服务,并更新用户的头像 URL
|
|
|
|
限制条件:
|
|
- 支持的图片格式: PNG、JPEG、GIF
|
|
- 最大文件大小: 5MB
|
|
- 最大图片尺寸: 256x256 像素
|
|
|
|
返回:
|
|
- 头像 URL 和文件哈希值
|
|
"""
|
|
if await current_user.is_restricted(session):
|
|
raise HTTPException(status_code=403, detail="Your account is restricted and cannot perform this action.")
|
|
|
|
# check file
|
|
format_ = check_image(content, 5 * 1024 * 1024, 256, 256)
|
|
|
|
if url := current_user.avatar_url:
|
|
path = storage.get_file_name_by_url(url)
|
|
if path:
|
|
await storage.delete_file(path)
|
|
|
|
filehash = hashlib.sha256(content).hexdigest()
|
|
storage_path = f"avatars/{current_user.id}_{filehash}.png"
|
|
if not await storage.is_exists(storage_path):
|
|
await storage.write_file(storage_path, content, f"image/{format_}")
|
|
url = await storage.get_file_url(storage_path)
|
|
current_user.avatar_url = url
|
|
await session.commit()
|
|
|
|
return {
|
|
"url": url,
|
|
"filehash": filehash,
|
|
}
|