author | Flam3rboy <34555296+Flam3rboy@users.noreply.github.com> | 2021-09-04 11:24:31 +0200 |
---|---|---|
committer | Flam3rboy <34555296+Flam3rboy@users.noreply.github.com> | 2021-09-04 11:24:31 +0200 |
commit | 14628d80ba3d16f92284cbca7444416d33c03232 (patch) | |
tree | b6fd25139634d9685ad66f789cf9a15fa667f5f9 | |
parent | :arrow_up: update mpath because of a security vulnerability (diff) | |
download | server-14628d80ba3d16f92284cbca7444416d33c03232.tar.xz |
:bug: fix permissions if user is only member of guild
-rw-r--r-- | api/src/routes/channels/#channel_id/messages/index.ts | 5 | ||||
-rw-r--r-- | util/src/util/Permissions.ts | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts
index 86de6de8..1a3150cf 100644
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -15,13 +15,13 @@ export default router;
 export function isTextChannel(type: ChannelType): boolean {
 switch (type) {
+ case ChannelType.GUILD_STORE:
 case ChannelType.GUILD_VOICE:
 case ChannelType.GUILD_CATEGORY:
 throw new HTTPError("not a text channel", 400);
 case ChannelType.DM:
 case ChannelType.GROUP_DM:
 case ChannelType.GUILD_NEWS:
- case ChannelType.GUILD_STORE:
 case ChannelType.GUILD_TEXT:
 return true;
 }
@@ -48,8 +48,7 @@ router.get("/", async (req: Request, res: Response) => {
 if (!limit) limit = 50;
 var halfLimit = Math.floor(limit / 2);
- // @ts-ignore
- const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel });
+ const permissions = await getPermission(req.user_id, channel.guild_id, channel_id);
 permissions.hasThrow("VIEW_CHANNEL");
 if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);
diff --git a/util/src/util/Permissions.ts b/util/src/util/Permissions.ts
index 94fb3b51..ab8dd9b1 100644
--- a/util/src/util/Permissions.ts
+++ b/util/src/util/Permissions.ts
@@ -254,7 +254,7 @@ export async function getPermission(
 if (guild.owner_id === user_id) return new Permissions(Permissions.FLAGS.ADMINISTRATOR);
 member = await Member.findOneOrFail({
- where: { guild_id, user_id },
+ where: { guild_id, id: user_id },
 relations: ["roles", ...(opts.member_relations || [])],
 select: [
 "id",
@@ -265,6 +265,9 @@ export async function getPermission(
 });
 }
+ let recipient_ids: any = channel?.recipients?.map((x) => x.id);
+ if (!recipient_ids?.length) recipient_ids = null;
+
 // TODO: remove guild.roles and convert recipient_ids to recipients
 var permission = Permissions.finalPermission({
 user: {
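Review bot: The `switch` in `isTextChannel` has no `default:` arm, so a `ChannelType` value that is not listed (one added later, or an unexpected stored value) is neither accepted nor rejected inside the switch. For a check that gates the message routes it is safer to fail closed, for example `default: throw new HTTPError("not a text channel", 400);` after the `GUILD_TEXT` arm. The function body continues past this hunk, so confirm what follows the switch before adding it.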
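Review bot: The `where` clause of `Member.findOneOrFail` now matches on `id`, which suggests the member row is keyed by the user's id rather than by a `user_id` column; nothing at the call site says so, and that confusion is what this commit corrects. If that is the schema, a comment above the call such as `// Member.id holds the user's id, so match on id rather than user_id` would help keep the lookup from regressing. Because this lookup decides whether a non-owner gets any guild permissions at all, a regression test for a user who is only a member of the guild (the case in the commit title) would be worth adding with it. The end of the `findOneOrFail` call is outside this hunk.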
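Review bot: `recipient_ids` is declared as `any` and an empty list is collapsed to `null`, so the value passed to `Permissions.finalPermission` is no longer type-checked, and "no recipients", "recipients relation not loaded" and "no channel" become indistinguishable. If `finalPermission` treats a null `recipient_ids` as a reason to skip its recipient check (its body is not in this diff), a DM-style channel whose recipients were not loaded would be evaluated on guild roles and overwrites only. The messages route in the first file no longer passes its already-loaded `channel`, so the outcome now depends on how `getPermission` loads the channel itself. Consider `const recipient_ids = channel?.recipients?.length ? channel.recipients.map((x) => x.id) : null;` and widening the parameter type in `finalPermission` to accept `null` instead of using `any`.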
@@ -277,7 +280,7 @@ export async function getPermission(
 channel: {
 overwrites: channel?.permission_overwrites,
 owner_id: channel?.owner_id,
- recipient_ids: channel?.recipients?.map((x) => x.id),
+ recipient_ids,
 },
 }); |