diff --git a/src/routes/api/v8/channels/#channel_id/messages.ts b/src/routes/api/v8/channels/#channel_id/messages.ts
index 0826cf94..b11c0015 100644
--- a/src/routes/api/v8/channels/#channel_id/messages.ts
+++ b/src/routes/api/v8/channels/#channel_id/messages.ts
@@ -1,6 +1,7 @@
import { Router } from "express";
import { ChannelModel, ChannelType, getPermission, MessageModel } from "fosscord-server-util";
import { HTTPError } from "lambert-server";
+import { instanceOf, Length } from "../../../../../util/instanceOf";
const router: Router = Router();
export default router;
@@ -14,14 +15,34 @@ router.get("/", async (req, res) => {
if (!channel) throw new HTTPError("Channel not found", 404);
const type: ChannelType = channel.type;
+ switch (type) {
+ case ChannelType.GUILD_VOICE:
+ case ChannelType.GUILD_CATEGORY:
+ throw new HTTPError("not a text channel", 400);
+ case ChannelType.DM:
+ case ChannelType.GROUP_DM:
+ case ChannelType.GUILD_NEWS:
+ case ChannelType.GUILD_STORE:
+ case ChannelType.GUILD_TEXT:
+ break;
+ }
- getPermission(req.userid, channel.guild_id, channel_id);
+ instanceOf({ $around: BigInt, $after: BigInt, $before: BigInt, $limit: new Length(Number, 1, 100) }, req.query, {
+ path: "query",
+ req,
+ });
if (channel.guild_id) {
- channel.permission_overwrites;
+ const permissions = await getPermission(req.userid, channel.guild_id, channel_id, { channel });
+ if (!permissions.has("VIEW_CHANNEL"))
+ throw new HTTPError("You don't have permission to view this channel", 401);
+ if (permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);
} else if (channel.recipients) {
// group/dm channel
+ if (!channel.recipients.includes(req.userid))
+ throw new HTTPError("You don't have permission to view this channel", 401);
} else {
// idk what this channel is, can probably be removed
+ throw new HTTPError("Unkown channel type", 500);
}
});
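Review bot: The `READ_MESSAGE_HISTORY` check in the guild branch looks inverted: as written, a member who holds the permission gets `[]`, and a member who lacks it falls through to whatever the handler does next. The guard should read `if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);`. The two "You don't have permission to view this channel" errors are raised for an already-identified `req.userid`, so 403 fits better than 401, which signals missing or invalid credentials. The new `switch (type)` has no `default`, so a channel type added later passes through unchecked; `default: throw new HTTPError("not a text channel", 400);` would make it fail closed. The start of the `router.get("/")` handler is outside this hunk, and within it no response is sent on the permitted guild and DM paths, so the route presumably is still unfinished.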
diff --git a/src/util/instanceOf.ts b/src/util/instanceOf.ts
index be7124d4..b5b2f587 100644
--- a/src/util/instanceOf.ts
+++ b/src/util/instanceOf.ts
@@ -66,8 +66,11 @@ export function instanceOf(
errors = {},
req,
ref,
- }: { path?: string; optional?: boolean; errors?: any; req: Request; ref: { key: string | number; obj: any } }
+ }: { path?: string; optional?: boolean; errors?: any; req: Request; ref?: { key: string | number; obj: any } }
): Boolean {
+ if (!ref) ref = { obj: null, key: "" };
+ if (!path) path = "body";
+
try {
if (!type) return true; // no type was specified
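Review bot: The fallback `ref = { obj: null, key: "" }` gives top-level callers a reference whose `obj` is `null`. If code further down in `instanceOf` (outside this hunk) writes a converted value back through `ref.obj[ref.key]`, that write would throw a TypeError and surface as a 500 instead of a validation error, so it is worth confirming every write is guarded or defaulting to a throwaway object such as `ref = { obj: {}, key: "" }`. The two defaults could also sit in the destructuring pattern next to `errors = {}` rather than reassigning parameters in the body, keeping in mind that `if (!path)` also replaces an empty string while a destructuring default only covers `undefined`. The function's signature start and the rest of its body are outside the hunk.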