authorTheArcaneBrony <myrainbowdash949@gmail.com>2022-04-22 18:12:18 +0200
committerGitHub <noreply@github.com>2022-04-22 18:12:18 +0200
commit3491d01dca9917a9860ee77163fbed4ea6ef3d94 (patch)
tree9eabeea3b7bc6138365f642578ffbbb9c87b3c80 /api/src
parentUpdate UserGroup.ts (diff)
parentFix not assigning new changes to input fields in users/@me (diff)
downloadserver-3491d01dca9917a9860ee77163fbed4ea6ef3d94.tar.xz
Merge pull request #734 from MaddyUnderStars/fix/sanitisation
Fix users arbitrarily editing their own User object, and disallow sending messages to certain channels (e.g. categories)
Diffstat (limited to 'api/src')
-rw-r--r--api/src/routes/channels/#channel_id/messages/index.ts5
-rw-r--r--api/src/routes/users/@me/index.ts3
2 files changed, 6 insertions, 2 deletions
diff --git a/api/src/routes/channels/#channel_id/messages/index.ts b/api/src/routes/channels/#channel_id/messages/index.ts

index af0ae32d..34cc5ff8 100644
--- a/api/src/routes/channels/#channel_id/messages/index.ts
+++ b/api/src/routes/channels/#channel_id/messages/index.ts
@@ -183,6 +183,9 @@ router.post( } } const channel = await Channel.findOneOrFail({ where: { id: channel_id }, relations: ["recipients", "recipients.user"] }); + if (!channel.isWritable()) { + throw new HTTPError(`Cannot send messages to channel of type ${channel.type}`, 400) + } const embeds = body.embeds || []; if (body.embed) embeds.push(body.embed); @@ -220,6 +223,8 @@ router.post( }) ); } + + //Fix for the client bug delete message.member diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
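Review bot: The new `channel.isWritable()` guard in messages/index.ts is only as strict as `isWritable()` itself, which is defined outside this diff (the view is limited to api/src). It should be an allow-list of text-capable channel types, so that a channel type added later is rejected by default rather than accepted. The guard also lives in this one POST handler, whose body starts and ends outside the hunk; if messages can be created through any other path, that path needs the same check, and the guard should come before any side-effecting work earlier in the handler. As a style point, the added `throw new HTTPError(...)` line lacks the terminating `;` that the surrounding statements use.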
index d32b44f9..1af413c4 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -46,8 +46,6 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res: } } - user.assign(body); - if (body.new_password) { if (!body.password && !user.email) { throw FieldErrors({ @@ -66,6 +64,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res: } } + user.assign(body); await user.save(); // @ts-ignore
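Review bot: The relocated `user.assign(body)` in users/@me/index.ts still copies the entire request body onto the User entity, so the set of editable fields is bounded only by `UserModifySchema`, which is not shown in this diff. Moving the call below the password checks stops changes being applied before verification. However, if the schema tolerates unknown keys, or if `assign` copies `password`/`new_password` as plain properties, fields the handler never meant to expose may remain writable. Consider stripping the credential fields before assigning, e.g. `const { password, new_password, ...changes } = body;` followed by `user.assign(changes);`, and confirm the schema rejects additional properties. The handler body starts and ends outside the hunk, so the checks between the two hunks were not reviewed.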