Merge branch 'master' into slowcord

author: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> 2022-03-06 15:34:42 +1100
committer: Madeline <46743919+MaddyUnderStars@users.noreply.github.com> 2022-03-06 15:34:42 +1100
commit: 44aa39515b535948f3ce390fb35eb48ee4c23cc6 (patch)
tree: 58e20e21abbe04870f15b011f0d322988d46507a /api/src
parent: Merge branch 'fosscord:master' into slowcord (diff)
parent: Merge pull request #621 from fosscord/origin/dev/erkinalp/self-bans (diff)
download: server-44aa39515b535948f3ce390fb35eb48ee4c23cc6.tar.xz
2 files changed, 62 insertions, 8 deletions
diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts
index 1e09a38d..7ccf34d7 100644
--- a/api/src/routes/guilds/#guild_id/bans.ts
+++ b/api/src/routes/guilds/#guild_id/bans.ts
@@ -1,5 +1,5 @@
 import { Request, Response, Router } from "express";
-import { emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util";
+import { DiscordApiErrors, emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util";
 import { HTTPError } from "lambert-server";
 import { getIpAdress, route } from "@fosscord/api";
 
@@ -17,6 +17,14 @@ export interface BanRegistrySchema {
 	reason?: string | undefined;
 };
 
+export interface BanModeratorSchema {
+	id: string;
+	user_id: string;
+	guild_id: string;
+	executor_id: string;
+	reason?: string | undefined;
+};
+
 const router: Router = Router();
 
 /* TODO: Deleting the secrets is just a temporary go-around. Views should be implemented for both safety and better handling. */
@@ -27,11 +35,14 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res:
 	let bans = await Ban.find({ guild_id: guild_id });
 
 	/* Filter secret from database registry.*/
+
+	bans.filter(ban => ban.user_id !== ban.executor_id);
+	// pretend self-bans don't exist to prevent victim chasing
 	
 	bans.forEach((registry: BanRegistrySchema) => {
 	delete registry.ip;
 	});
-
+	
 	return res.json(bans);
 });
 
@@ -41,7 +52,12 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request,
 
 	let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema;
 	
+	if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN;
+	// pretend self-bans don't exist to prevent victim chasing
+	
 	/* Filter secret from registry. */
+	
+	ban = ban as BanModeratorSchema;
 
 	delete ban.ip
 
@@ -52,10 +68,12 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER
 	const { guild_id } = req.params;
 	const banned_user_id = req.params.user_id;
 
-	const banned_user = await User.getPublicUser(banned_user_id);
-
-	if (req.user_id === banned_user_id) throw new HTTPError("You can't ban yourself", 400);
+	if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id))
+		throw new HTTPError("You are the guild owner, hence can't ban yourself", 403);
+	
 	if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400);
+	
+	const banned_user = await User.getPublicUser(banned_user_id);
 
 	const ban = new Ban({
 		user_id: banned_user_id,
@@ -81,11 +99,48 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER
 	return res.json(ban);
 });
 
+router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => {
+	const { guild_id } = req.params;
+
+	const banned_user = await User.getPublicUser(req.params.user_id);
+
+	if (req.permission!.cache.guild?.owner_id === req.params.user_id) 
+		throw new HTTPError("You are the guild owner, hence can't ban yourself", 403);
+	
+	const ban = new Ban({
+		user_id: req.params.user_id,
+		guild_id: guild_id,
+		ip: getIpAdress(req),
+		executor_id: req.params.user_id,
+		reason: req.body.reason // || otherwise empty
+	});
+
+	await Promise.all([
+		Member.removeFromGuild(req.user_id, guild_id),
+		ban.save(),
+		emitEvent({
+			event: "GUILD_BAN_ADD",
+			data: {
+				guild_id: guild_id,
+				user: banned_user
+			},
+			guild_id: guild_id
+		} as GuildBanAddEvent)
+	]);
+
+	return res.json(ban);
+});
+
 router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => {
 	const { guild_id, user_id } = req.params;
 
+	let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id });
+	
+	if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN;
+	// make self-bans irreversible and hide them from view to avoid victim chasing
+	
 	const banned_user = await User.getPublicUser(user_id);
-
+	
 	await Promise.all([
 		Ban.delete({
 			user_id: user_id,
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index 93d2cb01..9ae57685 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -65,8 +65,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 	}
 
 	var check_username = body?.username?.replace(/\s/g, '');
-	//claiming an account does not provide username so check if username in body before throw
-	if (!check_username && body.username) {
+	if(!check_username && !body?.avatar && !body?.banner) {
 		throw FieldErrors({
 			username: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
 		});
author	Madeline <46743919+MaddyUnderStars@users.noreply.github.com>	2022-03-06 15:34:42 +1100
committer	Madeline <46743919+MaddyUnderStars@users.noreply.github.com>	2022-03-06 15:34:42 +1100
commit	44aa39515b535948f3ce390fb35eb48ee4c23cc6 (patch)
tree	58e20e21abbe04870f15b011f0d322988d46507a /api/src
parent	Merge branch 'fosscord:master' into slowcord (diff)
parent	Merge pull request #621 from fosscord/origin/dev/erkinalp/self-bans (diff)
download	server-44aa39515b535948f3ce390fb35eb48ee4c23cc6.tar.xz