From: phiresky <phireskyde+git@gmail.com>
Date: Tue, 25 Jul 2023 16:46:00 +0000 (+0200)
Subject: prevent ordering by comment path without post filter (#3717)
X-Git-Url: http://these/git/%22%7Burl%7D/static/README.md?a=commitdiff_plain;h=3b09d8c882c2effcfad9fda4ae06350dd20c0e5f;p=lemmy.git

prevent ordering by comment path without post filter (#3717)
---

diff --git a/crates/db_views/src/comment_view.rs b/crates/db_views/src/comment_view.rs
index 1b77168d..6e06e1ba 100644
--- a/crates/db_views/src/comment_view.rs
+++ b/crates/db_views/src/comment_view.rs
@@ -340,8 +340,11 @@ impl<'a> CommentQuery<'a> {
 
       query = query.filter(nlevel(comment::path).le(depth_limit));
 
-      // Always order by the parent path first
-      query = query.order_by(subpath(comment::path, 0, -1));
+      // only order if filtering by a post id. DOS potential otherwise and max_depth + !post_id isn't used anyways (afaik)
+      if self.post_id.is_some() {
+        // Always order by the parent path first
+        query = query.order_by(subpath(comment::path, 0, -1));
+      }
 
       // TODO limit question. Limiting does not work for comment threads ATM, only max_depth
       // For now, don't do any limiting for tree fetches
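Review bot: The new `if self.post_id.is_some()` guard only drops the sort; the `nlevel(comment::path).le(depth_limit)` filter two lines above still runs without a post filter, and the trailing comments say this branch does no limiting. A request with max_depth and no post id can therefore presumably still evaluate `nlevel` across the whole comment table and return an unbounded result, so part of the resource-exhaustion concern named in the new comment remains. Because the comment only assumes the combination is unused ("afaik"), I would enforce it rather than assume it: either skip the depth branch or apply the ordinary row limit when `self.post_id.is_none()`. I would also document the contract, e.g. `// max_depth without post_id: results are unordered; callers must not rely on tree order`. The enclosing function starts and ends outside this hunk, so any limit applied later is not visible here.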