Skip to main content
Ayase Quart includes a comprehensive moderation system for managing user reports, filtering content, and maintaining archive quality. Moderation is available through web interface, API, and command-line tools.

Overview

The moderation system provides:

Report management

Track and process user-submitted content reports

Content filtering

Automatically hide reported or filtered posts

User authentication

Role-based access with admin and moderator permissions

Multi-interface access

Moderate via web UI, REST API, or CLI

Authentication

Moderation requires authentication. Three interfaces are supported:

Web authentication

1

Navigate to login

Visit /login or click the login link
2

Solve captcha

Complete a math captcha to prevent automated abuse
3

Enter credentials

Provide your username and password
4

Access tools

Once logged in, moderation tools appear on posts and in the navigation
Cookie-based sessions are used for web authentication. HTTPS is required unless moderation.auth.cookie_secure=false in configuration.

API authentication

API access uses bearer token authentication:
1

Request token

POST credentials to /api/v1/login:
{
  "username": "admin",
  "password": "your_password"
}
2

Receive token

Response includes an authentication token:
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "expires": "2024-01-01T12:00:00Z"
}
3

Use token

Include token in Authorization header:
Authorization: bearer eyJhbGciOiJIUzI1NiIs...

CLI access

Command-line tools require no authentication since they run directly on the server: 
python -m ayase_quart.cli.reports cli-get-reports

User management

Administrators can create and manage moderator accounts:

Default credentials

The default admin account is created on first startup:
  • Username: admin
  • Password: admin (or configured value from config.toml)
Change the default admin password immediately in production!

User roles

Administrator
  • Full system access
  • Create and manage users
  • All moderation permissions
  • Delete posts permanently
Moderator
  • Report management based on assigned permissions
  • Hide/show posts
  • Close reports
  • Limited by permission flags

Permissions system

Granular permissions control what moderators can do:
  • report_read: View reports
  • report_write: Modify report status
  • post_hide: Hide posts from public view
  • post_show: Restore hidden posts
  • Additional permissions for advanced features

Report system

Users can report inappropriate or illegal content:

Submitting reports

1

Open report form

Click the “Report” button on any post (appears when CSRF token is active)
2

Select category

Choose a report category:
  • NSFW content on SFW board
  • Illegal content
  • DCMA violation
  • Spam
  • Other violations
3

Add notes

Optionally provide details about the issue (max 512 characters)
4

Submit

Click Submit to create the report
Report submissions are rate limited to 4 reports per hour per IP address

Report behavior

When a post is reported:
  1. Report record created: Stored in moderation database with submitter IP, category, and notes
  2. Automatic hiding (optional): If hide_post_if_reported is enabled, post media is immediately hidden
  3. Threshold hiding (optional): If n_reports_then_hide is set, posts are hidden after N reports
  4. Filter cache update: Hidden posts are added to the filter cache (Redis or SQLite)

Viewing reports

Moderators can view reports in the web interface: Open reports: /reports/open
  • Active reports requiring attention
  • Paginated view (20 per page)
  • Sortable and filterable
Closed reports: /reports/closed
  • Resolved reports for reference
  • Same pagination and filtering

Report details

Each report shows:
  • Post preview: Full post with media and content
  • Report metadata: IP count, category, submitter notes
  • Moderation notes: Internal notes for moderator collaboration
  • Actions: Hide/show post, open/close report
  • Links: View in thread, view on source (4chan/Lainchan)

Moderation actions

Moderators can perform several actions on reported posts:

Post actions

Removes post from public view:
  • Post marked as hidden in filter cache
  • Regular users don’t see the post
  • Moderators and admins still see it
  • Reversible with “Show post” action
Route: src/ayase_quart/blueprints/web/bp_moderation.py:239
Restores a hidden post:
  • Post becomes visible to all users
  • Removes from filter cache
  • Marks report as closed (optional)
Route: src/ayase_quart/blueprints/web/bp_moderation.py:239
Permanently deletes a post:
  • Removes from database
  • Cannot be undone
  • Requires admin privileges
Route: src/ayase_quart/blueprints/web/bp_moderation.py:49

Report actions

Marks report as resolved:
  • Moves to closed reports list
  • Post visibility unchanged
  • Can be reopened later
Marks report as active:
  • Moves to open reports list
  • Requires moderator attention
Add internal notes:
  • Visible only to moderators
  • Document decisions and context
  • Useful for collaboration

Bulk actions

Process multiple reports simultaneously:
  1. Select reports: Check boxes next to reports
  2. Choose action: Hide/show posts or close/open reports
  3. Confirm: Apply action to all selected reports
Bulk actions are processed via: src/ayase_quart/blueprints/web/bp_moderation.py:260

Filter cache

The filter cache tracks hidden posts for fast lookup:

Cache backends

Redis

Recommended for production. Fast in-memory cache.

SQLite

Good for single-instance deployments.

Null

Disables filtering (not recommended).

Cache operations

  • Insert post: Add post to hidden list
  • Remove post: Remove from hidden list
  • Check post: Verify if post is hidden
  • Filter list: Remove hidden posts from result sets

Configuring Redis

For best performance, use Redis: 
[moderation.filter_cache]
backend = "redis"
host = "localhost"
port = 6379
Start Redis: 
sudo systemctl start redis
sudo systemctl enable redis

Content filtering

Posts are filtered from view based on moderation status:

Filter logic

When loading posts:
  1. Query posts from database
  2. Check each post against filter cache
  3. Remove hidden posts (for regular users)
  4. Return filtered results
Moderators see all posts regardless of status.

Filter points

Filtering occurs at:
  • Board index: src/ayase_quart/blueprints/web/bp_app.py:101
  • Thread view: src/ayase_quart/blueprints/web/bp_app.py:295
  • Catalog: src/ayase_quart/blueprints/web/bp_app.py:215
  • Search results: src/ayase_quart/blueprints/web/bp_search.py:192
  • API endpoints: All JSON responses

CLI tools

Manage moderation from the command line:

View reports

# Get report count
python -m ayase_quart.cli.reports cli-get-report-count

# List reports
python -m ayase_quart.cli.reports cli-get-reports

# Filter by status
python -m ayase_quart.cli.reports cli-get-reports --mod_status open

# Filter by date
python -m ayase_quart.cli.reports cli-get-reports --created_at_gte "2024-01-01"

Manage reports

# Close a report
python -m ayase_quart.cli.reports cli-reports-action \
  -id 123 \
  -action report_close

# Hide a post
python -m ayase_quart.cli.reports cli-reports-action \
  -id 123 \
  -action post_hide

# Add moderation notes
python -m ayase_quart.cli.reports cli-reports-action \
  -id 123 \
  -action report_save_notes \
  -notes "Reviewed and confirmed violation"

Available actions

  • report_close: Close report
  • report_open: Reopen report
  • post_hide: Hide post from public
  • post_show: Show hidden post
  • post_delete: Delete post (admin only)
  • media_hide: Hide only media
  • media_show: Show hidden media
  • report_save_notes: Update moderation notes

Security features

CSRF protection

All moderation actions require CSRF tokens:
  • Tokens generated per-session
  • Validated on form submission
  • Prevents cross-site request forgery
Route: src/ayase_quart/security/captcha.py

Rate limiting

  • Report submissions: 4 per hour per IP
  • Search requests: 5 per minute per IP
  • Configurable limits for other endpoints

SSL/TLS requirement

For production:
  • HTTPS required for cookie security
  • SSL certificates in cert.pem and key.pem
  • Generate with: openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Running without HTTPS in production exposes authentication cookies to interception

Configuration

Key moderation settings in config.toml: 
[moderation]
enabled = true
admin_user = "admin"
admin_password = "admin"  # Change this!
hide_post_if_reported = true
n_reports_then_hide = 3

[moderation.auth]
cookie_secure = true
token_expiration_hours = 24

[moderation.filter_cache]
backend = "redis"  # or "sqlite" or "null"
host = "localhost"
port = 6379

API endpoints

Moderation APIs (require authentication):
  • POST /nuke/<board>/<num>: Delete post (admin only)
  • POST /report/<board>/<thread_num>/<num>: Submit report
  • GET /reports/open: List open reports
  • GET /reports/closed: List closed reports
  • POST /reports/<report_id>/<action>: Perform moderation action
  • POST /reports/bulk/<action>: Bulk moderation actions
See API reference documentation for request/response formats. References:
  • Moderation init: src/ayase_quart/moderation/__init__.py:8
  • Web routes: src/ayase_quart/blueprints/web/bp_moderation.py:46
  • API routes: src/ayase_quart/blueprints/api/bp_moderation.py
  • Report system: src/ayase_quart/moderation/report.py

Build docs developers (and LLMs) love

Get started for freeTalk to us