author | Flam3rboy <34555296+Flam3rboy@users.noreply.github.com> | 2021-08-08 01:10:43 +0200 |
---|---|---|
committer | Flam3rboy <34555296+Flam3rboy@users.noreply.github.com> | 2021-08-08 01:10:43 +0200 |
commit | 8e25f13796676285cdeba579e944f5b76fb77696 (patch) | |
tree | afc3cbae6d43c07e3627c1a695c1a7d08516b318 | |
parent | :bug: fix relationships (diff) | |
:bug: fix message permission check
-rw-r--r-- | src/routes/channels/#channel_id/messages/index.ts | 20 | ||||
-rw-r--r-- | src/util/Message.ts | 8 |
2 files changed, 25 insertions, 3 deletions
diff --git a/src/routes/channels/#channel_id/messages/index.ts b/src/routes/channels/#channel_id/messages/index.ts
index 4e42d546..59494c7e 100644
--- a/src/routes/channels/#channel_id/messages/index.ts
+++ b/src/routes/channels/#channel_id/messages/index.ts
@@ -30,7 +30,13 @@ export function isTextChannel(type: ChannelType): boolean {
 // get messages
 router.get("/", async (req: Request, res: Response) => {
 const channel_id = req.params.channel_id;
- const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true, type: true, permission_overwrites: true }).exec();
+ const channel = await ChannelModel.findOne(
+ { id: channel_id },
+ { guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true }
+ )
+ .lean() // lean is needed, because we don't want to populate .recipients that also auto deletes .recipient_ids
+ .exec();
+
 if (!channel) throw new HTTPError("Channel not found", 404);
 isTextChannel(channel.type);
@@ -46,6 +52,7 @@ router.get("/", async (req: Request, res: Response) => {
 if (!limit) limit = 50;
 var halfLimit = Math.floor(limit / 2);
+ // @ts-ignore
 const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel });
 permissions.hasThrow("VIEW_CHANNEL");
 if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);
@@ -126,7 +133,16 @@ router.post("/", messageUpload.single("file"), async (req: Request, res: Respons
 const embeds = [];
 if (body.embed) embeds.push(body.embed);
- const data = await sendMessage({ ...body, type: 0, pinned: false, author_id: req.user_id, embeds, channel_id, attachments, edited_timestamp: null });
+ const data = await sendMessage({
+ ...body,
+ type: 0,
+ pinned: false,
+ author_id: req.user_id,
+ embeds,
+ channel_id,
+ attachments,
+ edited_timestamp: null
+ });
 return res.send(data);
 });
diff --git a/src/util/Message.ts b/src/util/Message.ts
index 3e177517..e811f522 100644
--- a/src/util/Message.ts
+++ b/src/util/Message.ts
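Review bot: The channel lookup added at the top of the `GET /` handler repeats, field for field, the projection that `handleMessage` in src/util/Message.ts now uses, and both results are handed to `getPermission`. If one copy later drops `recipient_ids` or `owner_id`, the two permission checks would run against different channel data with no compile-time signal. Consider one shared constant, e.g. `const PERMISSION_CHANNEL_FIELDS = { guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true };`, with a comment saying these are the fields the permission check reads (presumably for DM and group-DM channels; confirm against `getPermission`). The handler body continues outside the hunk.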
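Review bot: The `// @ts-ignore` added above the `getPermission(...)` call silences every type error on the line that makes the access decision, not only the mismatch that the `.lean()` result presumably causes. A later change to the parameter order or types of `getPermission` would then compile cleanly here and in `handleMessage` (src/util/Message.ts), where the same directive is added. Prefer limiting the suppression to the `{ channel }` argument, or at least use `// @ts-expect-error lean() result does not match the channel type getPermission expects` (if that is indeed the reason) so the directive fails once it is no longer needed.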
@@ -25,10 +25,16 @@ const DEFAULT_FETCH_OPTIONS: any = {
 };
 export async function handleMessage(opts: Partial<Message>) {
- const channel = await ChannelModel.findOne({ id: opts.channel_id }, { guild_id: true, type: true, permission_overwrites: true }).exec();
+ const channel = await ChannelModel.findOne(
+ { id: opts.channel_id },
+ { guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true }
+ )
+ .lean() // lean is needed, because we don't want to populate .recipients that also auto deletes .recipient_ids
+ .exec();
 if (!channel || !opts.channel_id) throw new HTTPError("Channel not found", 404);
 // TODO: are tts messages allowed in dm channels? should permission be checked?
+ // @ts-ignore
 const permissions = await getPermission(opts.author_id, channel.guild_id, opts.channel_id, { channel });
 permissions.hasThrow("SEND_MESSAGES");
 if (opts.tts) permissions.hasThrow("SEND_TTS_MESSAGES"); |
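Review bot: `opts` is `Partial<Message>`, so `opts.author_id` can be `undefined` when it reaches `getPermission`, and the new `// @ts-ignore` hides exactly that kind of error. `opts.channel_id` is checked before the call but `author_id` is not; add a guard such as `if (!opts.author_id) throw new HTTPError("Author not found", 404);` ahead of the permission check. How `getPermission` treats an undefined user id is not visible in this hunk, and the guard keeps the `SEND_MESSAGES` decision from depending on it. If messages without an author are meant to pass through `handleMessage`, that path deserves its own explicit branch rather than an implicit one. The function continues past the end of the hunk.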