Merge pull request from GHSA-9qvc-84ch-5p2x

* Check permissions and rights * Prevent editing message type unless MANAGE_MESSAGES right. Also don't send sensitive data in patch response.
2024-11-05 10:22:31 +01:00 · 2023-02-02 22:26:22 +11:00 · 2023-02-02 22:26:22 +11:00 · df199227f8
commit df199227f8
parent 69c55884e5
1 changed files with 26 additions and 1 deletions
--- a/src/api/routes/channels/#channel_id/messages/#message_id/index.ts
+++ b/src/api/routes/channels/#channel_id/messages/#message_id/index.ts
@ -81,6 +81,10 @@ router.patch(
 			}
 		} else rights.hasThrow("SELF_EDIT_MESSAGES");

+		// The permision should obviously not allow editing the message type
+		// But for people with the right, does this make sense?
+		if (body.type) rights.hasThrow("MANAGE_MESSAGES");
+
 		const new_message = await handleMessage({
 			...message,
 			// TODO: should message_reference be overridable?
@ -105,7 +109,28 @@ router.patch(

 		postHandleMessage(new_message);

-		return res.json(new_message);
+		// TODO: a DTO?
+		return res.json({
+			id: new_message.id,
+			type: new_message.type,
+			content: new_message.content,
+			channel_id: new_message.channel_id,
+			author: new_message.author?.toPublicUser(),
+			attachments: new_message.attachments,
+			embeds: new_message.embeds,
+			mentions: new_message.embeds,
+			mention_roles: new_message.mention_roles,
+			mention_everyone: new_message.mention_everyone,
+			pinned: new_message.pinned,
+			tts: new_message.tts,
+			timestamp: new_message.timestamp,
+			edited_timestamp: new_message.edited_timestamp,
+			flags: new_message.flags,
+			components: new_message.components,
+
+			// these are not in the Discord.com response
+			mention_channels: new_message.mention_channels,
+		});
 	},
 );