mirror of https://github.com/spacebarchat/server.git synced 2024-09-19 17:21:35 +02:00

Merge pull request from GHSA-9qvc-84ch-5p2x

* Check permissions and rights

* Prevent editing message type unless MANAGE_MESSAGES right. Also don't send sensitive data in patch response.
Madeline 2023-02-02 22:26:22 +11:00 committed by GitHub
parent 69c55884e5
commit df199227f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -81,6 +81,10 @@ router.patch(
}
} else rights.hasThrow("SELF_EDIT_MESSAGES");
// The permision should obviously not allow editing the message type
// But for people with the right, does this make sense?
if (body.type) rights.hasThrow("MANAGE_MESSAGES");
const new_message = await handleMessage({
...message,
// TODO: should message_reference be overridable?
@ -105,7 +109,28 @@ router.patch(
postHandleMessage(new_message);
return res.json(new_message);
// TODO: a DTO?
return res.json({
id: new_message.id,
type: new_message.type,
content: new_message.content,
channel_id: new_message.channel_id,
author: new_message.author?.toPublicUser(),
attachments: new_message.attachments,
embeds: new_message.embeds,
mentions: new_message.embeds,
mention_roles: new_message.mention_roles,
mention_everyone: new_message.mention_everyone,
pinned: new_message.pinned,
tts: new_message.tts,
timestamp: new_message.timestamp,
edited_timestamp: new_message.edited_timestamp,
flags: new_message.flags,
components: new_message.components,
// these are not in the Discord.com response
mention_channels: new_message.mention_channels,
});
},
);
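Review bot: In the new response object the `mentions` field is filled from `new_message.embeds`, so clients get embed objects where the mentioned users belong; this looks like a copy-paste slip from the line above. Because the stated aim of the commit is to keep sensitive data out of the PATCH response, the mentioned users should pass through the same public projection as the author, for example `mentions: new_message.mentions?.map((u) => u.toPublicUser()),` (this assumes `mentions` holds user entities, which the visible lines do not show). Separately, the guard `if (body.type)` in the first hunk is a truthiness test, so a body whose `type` is `0` never reaches the MANAGE_MESSAGES check; `if (body.type !== undefined) rights.hasThrow("MANAGE_MESSAGES");` would cover every supplied value. The `router.patch` handler begins outside both hunks, so whether `handleMessage` applies a supplied `type` of `0` cannot be confirmed from here.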