From cf04de4add3239b0bfd3c551f6613a033d79b828 Mon Sep 17 00:00:00 2001
From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Date: Thu, 2 Feb 2023 22:22:30 +1100
Subject: Merge pull request from GHSA-9q7f-pv47-cxp9
---
 .../routes/guilds/#guild_id/members/#member_id/index.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/api/routes/guilds/#guild_id/members/#member_id/index.ts b/src/api/routes/guilds/#guild_id/members/#member_id/index.ts
index 2daa7d9b..d40f2772 100644
--- a/src/api/routes/guilds/#guild_id/members/#member_id/index.ts
+++ b/src/api/routes/guilds/#guild_id/members/#member_id/index.ts
@@ -63,6 +63,15 @@ router.patch(
 where: { guild_id: guild_id, name: "@everyone", position: 0 },
 });
+ if ("nick" in body) {
+ permission.hasThrow("MANAGE_NICKNAMES");
+ }
+
+ if (("bio" in body || "avatar" in body) && member_id != "@me") {
+ const rights = await getRights(req.user_id);
+ rights.hasThrow("MANAGE_USERS");
+ }
+
+
 if (body.avatar)
 body.avatar = await handleFile(
 `/guilds/${guild_id}/users/${member_id}/avatars`,
@@ -71,6 +80,8 @@ router.patch(
 member.assign(body);
+ // must do this after the assign because the body roles array
+ // is string[] not Role[]
 if ("roles" in body) {
 permission.hasThrow("MANAGE_ROLES");
@@ -79,7 +90,8 @@ router.patch(
 if (body.roles.indexOf(everyone.id) === -1)
 body.roles.push(everyone.id);
- member.roles = body.roles.map((x) => Role.create({ id: x })); // foreign key constraint will fail if role doesn't exist
+ // foreign key constraint will fail if role doesn't exist
+ member.roles = body.roles.map((x) => Role.create({ id: x }));
 }
 await member.save();
--
cgit 1.4.1
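Review bot: The self-edit exemption in the second added check of the first hunk compares `member_id` with the literal `"@me"`, so a caller who addresses their own member record by its id is treated as editing someone else; and if `member_id` was already resolved from `@me` to `req.user_id` earlier in the handler (not visible in this hunk), the condition is always true and every bio or avatar change requires `MANAGE_USERS`. Comparing identities is more robust: `if (("bio" in body || "avatar" in body) && member_id !== "@me" && member_id !== req.user_id) {`. The `nick` guard likewise asks for `MANAGE_NICKNAMES` even when a member renames themselves, which looks stricter than intended. Both guards fail closed, but they cover only three keys while `member.assign(body)` in the second hunk copies the whole body, so any other field the request schema admits is still written without a permission check; an explicit allowlist of assignable keys per permission would close that gap. The handler begins and ends outside these hunks, so the schema and the earlier handling of `member_id` should be confirmed against the full file.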