From 18f70738d097e10441a448865318c9cd1f9382eb Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Mon, 2 Jan 2023 15:51:19 +0000
Subject: [PATCH] Prevent reviewing unapproved packages

---
 app/blueprints/packages/reviews.py | 5 ++++-
 app/templates/packages/view.html | 30 ++++++++++++++++++------------
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/app/blueprints/packages/reviews.py b/app/blueprints/packages/reviews.py
index 427e48d9..f9cf631c 100644
--- a/app/blueprints/packages/reviews.py
+++ b/app/blueprints/packages/reviews.py
@@ -25,7 +25,7 @@ from flask_wtf import FlaskForm
 from wtforms import *
 from wtforms.validators import *
 from app.models import db, PackageReview, Thread, ThreadReply, NotificationType, PackageReviewVote, Package, UserRank, \
-	Permission, AuditSeverity
+	Permission, AuditSeverity, PackageState
 from app.utils import is_package_page, addNotification, get_int_or_abort, isYes, is_safe_url, rank_required, addAuditLog
 from app.tasks.webhooktasks import post_discord_webhook
 
@@ -54,6 +54,9 @@ def review(package):
 		flash(gettext("You can't review your own package!"), "danger")
 		return redirect(package.getURL("packages.view"))
 
+	if package.state != PackageState.APPROVED:
+		abort(404)
+
 	review = PackageReview.query.filter_by(package=package, author=current_user).first()
 	can_review = review is not None or current_user.canReviewRL()
 
diff --git a/app/templates/packages/view.html b/app/templates/packages/view.html
index c76b37db..0a199b37 100644
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@@ -297,22 +297,28 @@
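Review bot: The new state check in review() runs before the existing-review lookup on the following `PackageReview.query.filter_by(...)` line, so a user who already reviewed a package that later left the APPROVED state gets a 404 instead of being able to edit or withdraw that review. If that is intended, document it, e.g. `# reviews, including edits of existing ones, are only accepted while the package is approved` above the check; otherwise move the check below the lookup and apply it only when `review is None`. Placing the check before any form handling is right, since it then covers the POST path as well as the GET page. The same gating, with the same effect on existing reviews, appears in the view.html hunk below; review()'s body continues outside the hunk.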

{{ _("Reviews") }}

{% from "macros/reviews.html" import render_reviews, render_review_form, render_review_preview with context %} - {% if current_user.is_authenticated %} - {% if has_review %} -

- - {{ _("Edit Review") }} - -

- {% elif current_user in package.maintainers %} -

- {{ _("You can't review your own package.") }} -

+ {% if package.state.name == "APPROVED" %} + {% if current_user.is_authenticated %} + {% if has_review %} +

+ + {{ _("Edit Review") }} + +

+ {% elif current_user in package.maintainers %} +

+ {{ _("You can't review your own package.") }} +

+ {% else %} + {{ render_review_preview(package) }} + {% endif %} {% else %} {{ render_review_preview(package) }} {% endif %} {% else %} - {{ render_review_preview(package) }} +

+ {{ _("Package needs to be approved before it can be reviewed.") }} +

{% endif %} {% if current_user.is_authenticated and current_user.rank.atLeast(current_user.rank.ADMIN) %}
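Review bot: The template gates the reviews block on `package.state.name == "APPROVED"`, a string comparison against the enum member's name, while the view enforces the same rule with `PackageState.APPROVED`; a renamed member would silently disable this branch while the view still returns 404, and the two would drift apart unnoticed. If `PackageState` is exposed to the template context, `{% if package.state == PackageState.APPROVED %}` keeps both sides in step; if it is not, a short template comment such as `{# must match PackageState.APPROVED, the check enforced in reviews.review() #}` at least ties the string to its source. The enclosing template section continues outside the hunk.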