authorFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-09-04 11:24:31 +0200
committerFlam3rboy <34555296+Flam3rboy@users.noreply.github.com>2021-09-04 11:24:31 +0200
commit8d69c9a871a855e370e8ae725b1236a939bc0c9b (patch)
tree5fa8870742bfb3179948a4490a93d3570bcd4931
parent:arrow_up: update mpath because of a security vulnerability (diff)
:bug: fix permissions if user is only member of guild
-rw-r--r--api/src/routes/channels/#channel_id/messages/index.ts5
-rw-r--r--util/src/util/Permissions.ts7
2 files changed, 7 insertions, 5 deletions
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts

index 86de6de8..1a3150cf 100644
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -15,13 +15,13 @@ export default router; export function isTextChannel(type: ChannelType): boolean { switch (type) { + case ChannelType.GUILD_STORE: case ChannelType.GUILD_VOICE: case ChannelType.GUILD_CATEGORY: throw new HTTPError("not a text channel", 400); case ChannelType.DM: case ChannelType.GROUP_DM: case ChannelType.GUILD_NEWS: - case ChannelType.GUILD_STORE: case ChannelType.GUILD_TEXT: return true; } @@ -48,8 +48,7 @@ router.get("/", async (req: Request, res: Response) => { if (!limit) limit = 50; var halfLimit = Math.floor(limit / 2); - // @ts-ignore - const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel }); + const permissions = await getPermission(req.user_id, channel.guild_id, channel_id); permissions.hasThrow("VIEW_CHANNEL"); if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]); diff --git a/util/src/util/Permissions.ts b/util/src/util/Permissions.ts
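Review bot: The switch in `isTextChannel` has no `default` branch, so a channel type that is not listed (for example one added to `ChannelType` later) falls out of the switch instead of being rejected the way `GUILD_STORE` now is. Because this function gates the message routes, it would be safer to fail closed with `default: throw new HTTPError("not a text channel", 400);`. The end of the function is outside the hunk, so confirm there is no explicit fallback after the switch before adding it.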
index 94fb3b51..ab8dd9b1 100644
--- a/util/src/util/Permissions.ts
+++ b/util/src/util/Permissions.ts
@@ -254,7 +254,7 @@ export async function getPermission( if (guild.owner_id === user_id) return new Permissions(Permissions.FLAGS.ADMINISTRATOR); member = await Member.findOneOrFail({ - where: { guild_id, user_id }, + where: { guild_id, id: user_id }, relations: ["roles", ...(opts.member_relations || [])], select: [ "id", @@ -265,6 +265,9 @@ export async function getPermission( }); } + let recipient_ids: any = channel?.recipients?.map((x) => x.id); + if (!recipient_ids?.length) recipient_ids = null; + // TODO: remove guild.roles and convert recipient_ids to recipients var permission = Permissions.finalPermission({ user: { @@ -277,7 +280,7 @@ export async function getPermission( channel: { overwrites: channel?.permission_overwrites, owner_id: channel?.owner_id, - recipient_ids: channel?.recipients?.map((x) => x.id), + recipient_ids, }, });
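Review bot: The corrected `where: { guild_id, id: user_id }` lookup selects the member whose roles drive the permission result, but nothing visible in the hunk checks that `user_id` is defined before the query runs. If this is a TypeORM find (it looks like one), some versions drop `undefined` keys from `where`, which would let the query match another member of the same guild; this is worth confirming for the version in use. A guard just before the lookup, e.g. `if (!user_id) throw new Error("getPermission: user_id is required");`, keeps the check fail-closed. `getPermission` starts and ends outside the hunk, so an earlier guard may already exist.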
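Review bot: `let recipient_ids: any` switches off type checking for a value that is passed straight into `Permissions.finalPermission`, so a wrong shape on this authorization input would not be caught at compile time. The same normalisation can be written without `any`: `const ids = channel?.recipients?.map((x) => x.id);` followed by `const recipient_ids = ids?.length ? ids : null;`. A one-line comment saying why an empty recipient list is collapsed to `null` would also help, since how `finalPermission` treats `null` versus `[]` is not visible in this hunk.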