diff --git a/api/package-lock.json b/api/package-lock.json
index a7c29a79..cc851717 100644
--- a/api/package-lock.json
+++ b/api/package-lock.json
@@ -6711,8 +6711,9 @@
}
},
"../util/node_modules/url-parse": {
- "version": "1.5.3",
- "integrity": "sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==",
+ "version": "1.5.7",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz",
+ "integrity": "sha512-HxWkieX+STA38EDk7CE9MEryFeHCKzgagxlGvsdS7WBImq9Mk+PGwiT56w82WI3aicwJA8REp42Cxo98c8FZMA==",
"dependencies": {
"querystringify": "^2.1.1",
"requires-port": "^1.0.0"
@@ -15124,8 +15125,9 @@
}
},
"node_modules/url-parse": {
- "version": "1.5.3",
- "integrity": "sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==",
+ "version": "1.5.7",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz",
+ "integrity": "sha512-HxWkieX+STA38EDk7CE9MEryFeHCKzgagxlGvsdS7WBImq9Mk+PGwiT56w82WI3aicwJA8REp42Cxo98c8FZMA==",
"dependencies": {
"querystringify": "^2.1.1",
"requires-port": "^1.0.0"
@@ -21697,8 +21699,9 @@
}
},
"url-parse": {
- "version": "1.5.3",
- "integrity": "sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==",
+ "version": "1.5.7",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz",
+ "integrity": "sha512-HxWkieX+STA38EDk7CE9MEryFeHCKzgagxlGvsdS7WBImq9Mk+PGwiT56w82WI3aicwJA8REp42Cxo98c8FZMA==",
"requires": {
"querystringify": "^2.1.1",
"requires-port": "^1.0.0"
@@ -26849,8 +26852,9 @@
}
},
"url-parse": {
- "version": "1.5.3",
- "integrity": "sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==",
+ "version": "1.5.7",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz",
+ "integrity": "sha512-HxWkieX+STA38EDk7CE9MEryFeHCKzgagxlGvsdS7WBImq9Mk+PGwiT56w82WI3aicwJA8REp42Cxo98c8FZMA==",
"requires": {
"querystringify": "^2.1.1",
"requires-port": "^1.0.0"
diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts
index 1e09a38d..7ccf34d7 100644
--- a/api/src/routes/guilds/#guild_id/bans.ts
+++ b/api/src/routes/guilds/#guild_id/bans.ts
@@ -1,5 +1,5 @@
import { Request, Response, Router } from "express";
-import { emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util";
+import { DiscordApiErrors, emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util";
import { HTTPError } from "lambert-server";
import { getIpAdress, route } from "@fosscord/api";
@@ -17,6 +17,14 @@ export interface BanRegistrySchema {
reason?: string | undefined;
};
+export interface BanModeratorSchema {
+ id: string;
+ user_id: string;
+ guild_id: string;
+ executor_id: string;
+ reason?: string | undefined;
+};
+
const router: Router = Router();
/* TODO: Deleting the secrets is just a temporary go-around. Views should be implemented for both safety and better handling. */
@@ -27,11 +35,14 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res:
let bans = await Ban.find({ guild_id: guild_id });
/* Filter secret from database registry.*/
+
+ bans.filter(ban => ban.user_id !== ban.executor_id);
+ // pretend self-bans don't exist to prevent victim chasing
bans.forEach((registry: BanRegistrySchema) => {
delete registry.ip;
});
-
+
return res.json(bans);
});
@@ -41,7 +52,12 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request,
let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema;
+ if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN;
+ // pretend self-bans don't exist to prevent victim chasing
+
/* Filter secret from registry. */
+
+ ban = ban as BanModeratorSchema;
delete ban.ip
@@ -52,10 +68,12 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER
const { guild_id } = req.params;
const banned_user_id = req.params.user_id;
- const banned_user = await User.getPublicUser(banned_user_id);
-
- if (req.user_id === banned_user_id) throw new HTTPError("You can't ban yourself", 400);
+ if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id))
+ throw new HTTPError("You are the guild owner, hence can't ban yourself", 403);
+
if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400);
+
+ const banned_user = await User.getPublicUser(banned_user_id);
const ban = new Ban({
user_id: banned_user_id,
@@ -81,11 +99,48 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER
return res.json(ban);
});
+router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => {
+ const { guild_id } = req.params;
+
+ const banned_user = await User.getPublicUser(req.params.user_id);
+
+ if (req.permission!.cache.guild?.owner_id === req.params.user_id)
+ throw new HTTPError("You are the guild owner, hence can't ban yourself", 403);
+
+ const ban = new Ban({
+ user_id: req.params.user_id,
+ guild_id: guild_id,
+ ip: getIpAdress(req),
+ executor_id: req.params.user_id,
+ reason: req.body.reason // || otherwise empty
+ });
+
+ await Promise.all([
+ Member.removeFromGuild(req.user_id, guild_id),
+ ban.save(),
+ emitEvent({
+ event: "GUILD_BAN_ADD",
+ data: {
+ guild_id: guild_id,
+ user: banned_user
+ },
+ guild_id: guild_id
+ } as GuildBanAddEvent)
+ ]);
+
+ return res.json(ban);
+});
+
router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => {
const { guild_id, user_id } = req.params;
+ let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id });
+
+ if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN;
+ // make self-bans irreversible and hide them from view to avoid victim chasing
+
const banned_user = await User.getPublicUser(user_id);
-
+
await Promise.all([
Ban.delete({
user_id: user_id,
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index 93d2cb01..9ae57685 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -65,8 +65,7 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
}
var check_username = body?.username?.replace(/\s/g, '');
- //claiming an account does not provide username so check if username in body before throw
- if (!check_username && body.username) {
+ if(!check_username && !body?.avatar && !body?.banner) {
throw FieldErrors({
username: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
});
|