Spacebar/server
1
0
Fork 0
mirror of https://github.com/spacebarchat/server.git synced 2024-11-13 06:02:39 +01:00
Code Issues Releases Activity

🐛 fix message permission check

Browse Source
This commit is contained in:
Flam3rboy 2021-08-08 01:10:43 +02:00
parent 9a16cfb558
commit 8e25f13796
2 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/routes/channels/#channel_id/messages/index.ts
View File

@ -30,7 +30,13 @@ export function isTextChannel(type: ChannelType): boolean {
// get messages // get messages
router.get("/", async (req: Request, res: Response) => { router.get("/", async (req: Request, res: Response) => {
const channel_id = req.params.channel_id; const channel_id = req.params.channel_id;
const channel = await ChannelModel.findOne({ id: channel_id }, { guild_id: true, type: true, permission_overwrites: true }).exec(); const channel = await ChannelModel.findOne(
{ id: channel_id },
{ guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true }
)
.lean() // lean is needed, because we don't want to populate .recipients that also auto deletes .recipient_ids
.exec();
if (!channel) throw new HTTPError("Channel not found", 404);
isTextChannel(channel.type); isTextChannel(channel.type);
@ -46,6 +52,7 @@ router.get("/", async (req: Request, res: Response) => {
if (!limit) limit = 50; if (!limit) limit = 50;
var halfLimit = Math.floor(limit / 2); var halfLimit = Math.floor(limit / 2);
// @ts-ignore
const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel }); const permissions = await getPermission(req.user_id, channel.guild_id, channel_id, { channel });
permissions.hasThrow("VIEW_CHANNEL"); permissions.hasThrow("VIEW_CHANNEL");
if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]); if (!permissions.has("READ_MESSAGE_HISTORY")) return res.json([]);
@ -126,7 +133,16 @@ router.post("/", messageUpload.single("file"), async (req: Request, res: Respons
const embeds = []; const embeds = [];
if (body.embed) embeds.push(body.embed); if (body.embed) embeds.push(body.embed);
const data = await sendMessage({ ...body, type: 0, pinned: false, author_id: req.user_id, embeds, channel_id, attachments, edited_timestamp: null }); const data = await sendMessage({
...body,
type: 0,
pinned: false,
author_id: req.user_id,
embeds,
channel_id,
attachments,
edited_timestamp: null
});
return res.send(data); return res.send(data);
}); });

8
src/util/Message.ts
View File

@ -25,10 +25,16 @@ const DEFAULT_FETCH_OPTIONS: any = {
}; };
export async function handleMessage(opts: Partial<Message>) { export async function handleMessage(opts: Partial<Message>) {
const channel = await ChannelModel.findOne({ id: opts.channel_id }, { guild_id: true, type: true, permission_overwrites: true }).exec(); const channel = await ChannelModel.findOne(
{ id: opts.channel_id },
{ guild_id: true, type: true, permission_overwrites: true, recipient_ids: true, owner_id: true }
)
.lean() // lean is needed, because we don't want to populate .recipients that also auto deletes .recipient_ids
.exec();
if (!channel || !opts.channel_id) throw new HTTPError("Channel not found", 404); if (!channel || !opts.channel_id) throw new HTTPError("Channel not found", 404);
// TODO: are tts messages allowed in dm channels? should permission be checked? // TODO: are tts messages allowed in dm channels? should permission be checked?
// @ts-ignore
const permissions = await getPermission(opts.author_id, channel.guild_id, opts.channel_id, { channel }); const permissions = await getPermission(opts.author_id, channel.guild_id, opts.channel_id, { channel });
permissions.hasThrow("SEND_MESSAGES"); permissions.hasThrow("SEND_MESSAGES");
if (opts.tts) permissions.hasThrow("SEND_TTS_MESSAGES"); if (opts.tts) permissions.hasThrow("SEND_TTS_MESSAGES");