From 8b5a9171862e9bc14b9a6cb4a612d87966ea327a Mon Sep 17 00:00:00 2001
From: Nobody <git@n0bodysec.com>
Date: Tue, 8 Mar 2022 09:18:19 -0300
Subject: fix(api): always add @everyone in user's roles

When you add or delete an user's role, you MUST always add "@everyone" role to the roles map
---
 api/src/routes/guilds/#guild_id/members/#member_id/index.ts | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'api/src')

diff --git a/api/src/routes/guilds/#guild_id/members/#member_id/index.ts b/api/src/routes/guilds/#guild_id/members/#member_id/index.ts
index 24c74af7..c33eb2fe 100644
--- a/api/src/routes/guilds/#guild_id/members/#member_id/index.ts
+++ b/api/src/routes/guilds/#guild_id/members/#member_id/index.ts
@@ -28,6 +28,9 @@ router.patch("/", route({ body: "MemberChangeSchema" }), async (req: Request, re
 
 	if (body.roles) {
 		permission.hasThrow("MANAGE_ROLES");
+
+		const everyone = await Role.findOneOrFail({ guild_id: guild_id, name: "@everyone", position: 0 });
+		body.roles.push(everyone?.id);
 		member.roles = body.roles.map((x) => new Role({ id: x })); // foreign key constraint will fail if role doesn't exist
 	}
 
-- 
cgit 1.5.1