From 998eece95d6bd670788e8252b70f3ee33a22289b Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 16 Feb 2020 04:21:20 -0600
Subject: [PATCH] controllers: allow banned users to use GET actions.

Make member_only et al only apply to non-GET actions. This avoids doing IP ban checks when simply viewing members-only pages.
---
 app/controllers/application_controller.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32dae9812..a68e056f2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -154,11 +154,15 @@ class ApplicationController < ActionController::Base
 render_error_page(status, error)
 end
+ def role_only!(role)
+ raise User::PrivilegeError if !CurrentUser.send("is_#{role}?")
+ raise User::PrivilegeError if !request.get? && CurrentUser.user.is_banned?
+ raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
+ end
+
 User::Roles.each do |role|
 define_method("#{role}_only") do
- if !CurrentUser.user.send("is_#{role}?") || CurrentUser.user.is_banned? || IpBan.is_banned?(CurrentUser.ip_addr)
- raise User::PrivilegeError
- end
+ role_only!(role)
 end
 end
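Review bot: In `role_only!`, both ban checks are now skipped whenever `request.get?` is true, so ban enforcement on every `*_only` action depends on no GET route changing state, and nothing in the hunk records that invariant. I would put a comment above the method such as `# Bans are enforced on non-GET requests only; any GET action behind *_only must be free of side effects.` The routes are outside this hunk, so they should be audited for state-changing actions reachable by GET. `request.get?` is false for HEAD, so a banned account still gets `User::PrivilegeError` on a HEAD request to a page it can now GET; `request.get? || request.head?` would make the two agree. The role check also moved from `CurrentUser.user.send` to `CurrentUser.send`, which presumably relies on `CurrentUser` delegating to the user object; that delegation is not visible here and is worth confirming.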