From af677c234228614f480dba09de8b0b4ea93ffca8 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Wed, 2 Feb 2022 22:07:27 +0300 Subject: Allow self-ban of non-owners --- api/src/routes/guilds/#guild_id/bans.ts | 35 ++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 1e09a38d..298acd5c 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -54,7 +54,8 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER const banned_user = await User.getPublicUser(banned_user_id); - if (req.user_id === banned_user_id) throw new HTTPError("You can't ban yourself", 400); + if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) + throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); const ban = new Ban({ @@ -81,6 +82,38 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER return res.json(ban); }); +router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => { + // TODO: make self-bans irreversible + const { guild_id } = req.params; + + const banned_user = await User.getPublicUser(req.params.user_id); + + if (req.permission!.cache.guild?.owner_id === req.params.user_id) + throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + const ban = new Ban({ + user_id: req.params.user_id, + guild_id: guild_id, + ip: getIpAdress(req), + executor_id: req.params.user_id, + reason: req.body.reason // || otherwise empty + }); + + await Promise.all([ + Member.removeFromGuild(req.user_id, guild_id), + ban.save(), + emitEvent({ + event: "GUILD_BAN_ADD", + data: { + guild_id: guild_id, + user: banned_user + }, + guild_id: guild_id + } as GuildBanAddEvent) + ]); + + return res.json(ban); +}); + router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; -- cgit 1.5.1 From 89822c625b95f243c82fa1e034a735b7a1df3761 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Wed, 2 Feb 2022 23:14:35 +0300 Subject: Make self-bans irreversible --- api/src/routes/guilds/#guild_id/bans.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 298acd5c..d9f62961 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -56,6 +56,7 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); const ban = new Ban({ @@ -83,13 +84,13 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER }); router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => { - // TODO: make self-bans irreversible const { guild_id } = req.params; const banned_user = await User.getPublicUser(req.params.user_id); if (req.permission!.cache.guild?.owner_id === req.params.user_id) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + const ban = new Ban({ user_id: req.params.user_id, guild_id: guild_id, @@ -118,6 +119,8 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req const { guild_id, user_id } = req.params; const banned_user = await User.getPublicUser(user_id); + + if (banned_user.user_id === banned_user.executor_id) throw new HTTPError("Self-bans are irreversible", 400); await Promise.all([ Ban.delete({ -- cgit 1.5.1 From f9c371f01f3f1a2d29443270d4999b233ac279cb Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Wed, 2 Feb 2022 23:21:38 +0300 Subject: Better protection against self-bans --- api/src/routes/guilds/#guild_id/bans.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index d9f62961..c73cc3e6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -120,8 +120,9 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req const banned_user = await User.getPublicUser(user_id); - if (banned_user.user_id === banned_user.executor_id) throw new HTTPError("Self-bans are irreversible", 400); - + if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // make self-bans irreversible and hide them from view to avoid victim chasing + await Promise.all([ Ban.delete({ user_id: user_id, -- cgit 1.5.1 From 3dd20d86f17a30f6cf64598bf58fae8a32a33ca5 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Wed, 2 Feb 2022 23:27:54 +0300 Subject: Extend the pretense of non-existence of self-bans to API view route too --- api/src/routes/guilds/#guild_id/bans.ts | 2 ++ 1 file changed, 2 insertions(+) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index c73cc3e6..5a425680 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -27,6 +27,8 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ + if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // hide self-bans from view to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; -- cgit 1.5.1 From 9c941284ea188353846fbb21469b5b972073866c Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 08:49:28 +0300 Subject: remove pretense of nonexistence from main view route for now to make it compile while thinking of a fix --- api/src/routes/guilds/#guild_id/bans.ts | 2 -- 1 file changed, 2 deletions(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 5a425680..c73cc3e6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -27,8 +27,6 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ - if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; - // hide self-bans from view to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; -- cgit 1.5.1 From 71e229dffcc8b3dcebb2c10129c358f46ac5c57a Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 10:04:41 +0300 Subject: Try to commit this one again, this time over the web --- api/src/routes/guilds/#guild_id/bans.ts | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index c73cc3e6..cc1dbda3 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -1,5 +1,5 @@ import { Request, Response, Router } from "express"; -import { emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util"; +import { DiscordApiErrors, emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util"; import { HTTPError } from "lambert-server"; import { getIpAdress, route } from "@fosscord/api"; @@ -39,7 +39,10 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + + if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // pretend self-bans don't exist to prevent victim chasing /* Filter secret from registry. */ @@ -118,11 +121,12 @@ router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; - const banned_user = await User.getPublicUser(user_id); + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; - if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing + await Promise.all([ Ban.delete({ user_id: user_id, -- cgit 1.5.1 From 006570f9f33be5cf40fe8ec07425eb2a039bf4a9 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 22:45:53 +0300 Subject: some important changes --- api/src/routes/guilds/#guild_id/bans.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index cc1dbda3..3b943476 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -39,7 +39,7 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // pretend self-bans don't exist to prevent victim chasing @@ -55,12 +55,12 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER const { guild_id } = req.params; const banned_user_id = req.params.user_id; - const banned_user = await User.getPublicUser(banned_user_id); - if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); + + const banned_user = await User.getPublicUser(banned_user_id); const ban = new Ban({ user_id: banned_user_id, @@ -121,7 +121,7 @@ router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing -- cgit 1.5.1 From 1fa1c759e55d3f9e2f933aa7331db5e827dbe367 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 23:07:43 +0300 Subject: ban moderator schema change --- api/src/routes/guilds/#guild_id/bans.ts | 1 + 1 file changed, 1 insertion(+) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 3b943476..8c0bdee6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -126,6 +126,7 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing + const banned_user = await User.getPublicUser(banned_user_id); await Promise.all([ Ban.delete({ -- cgit 1.5.1 From fd5c5d5d5112abbbdde007167af54a9c216fa2dd Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 23:08:34 +0300 Subject: ban moderator schema actually change --- api/src/routes/guilds/#guild_id/bans.ts | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 8c0bdee6..4c5ba48f 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -17,6 +17,14 @@ export interface BanRegistrySchema { reason?: string | undefined; }; +export interface BanModeratorSchema { + id: string; + user_id: string; + guild_id: string; + executor_id: string; + reason?: string | undefined; +}; + const router: Router = Router(); /* TODO: Deleting the secrets is just a temporary go-around. Views should be implemented for both safety and better handling. */ @@ -39,12 +47,14 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema; if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // pretend self-bans don't exist to prevent victim chasing /* Filter secret from registry. */ + + ban = ban as BanModeratorSchema; delete ban.ip @@ -126,7 +136,7 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing - const banned_user = await User.getPublicUser(banned_user_id); + const banned_user = await User.getPublicUser(user_id); await Promise.all([ Ban.delete({ -- cgit 1.5.1 From 6a67f50c39a87614c66ffb74705a7ca746815979 Mon Sep 17 00:00:00 2001 From: Erkin Alp Güney Date: Fri, 4 Feb 2022 23:36:42 +0300 Subject: pretend self-bans don't exist in the views too --- api/src/routes/guilds/#guild_id/bans.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'api/src') diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 4c5ba48f..7ccf34d7 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -35,11 +35,14 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ + + bans.filter(ban => ban.user_id !== ban.executor_id); + // pretend self-bans don't exist to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; }); - + return res.json(bans); }); -- cgit 1.5.1