From 00e881799f255fecfb302eb08b82dd50b1de784e Mon Sep 17 00:00:00 2001 From: Paul Makles Date: Wed, 26 Jun 2024 18:24:38 +0100 Subject: [PATCH] fix: replace user with target user when editing someone else --- crates/delta/src/routes/users/edit_user.rs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/crates/delta/src/routes/users/edit_user.rs b/crates/delta/src/routes/users/edit_user.rs index b6aab49e..d98c01ee 100644 --- a/crates/delta/src/routes/users/edit_user.rs +++ b/crates/delta/src/routes/users/edit_user.rs @@ -24,23 +24,26 @@ pub async fn edit( }) })?; + // Filter out invalid edit fields + if !user.privileged && (data.badges.is_some() || data.flags.is_some()) { + return Err(create_error!(NotPrivileged)); + } + // If we want to edit a different user than self, ensure we have // permissions and subsequently replace the user in question if target.id != "@me" && target.id != user.id { let target_user = target.as_user(db).await?; let is_bot_owner = target_user .bot + .as_ref() .map(|bot| bot.owner == user.id) .unwrap_or_default(); if !is_bot_owner && !user.privileged { return Err(create_error!(NotPrivileged)); } - } - // Otherwise, filter out invalid edit fields - if !user.privileged && (data.badges.is_some() || data.flags.is_some()) { - return Err(create_error!(NotPrivileged)); + user = target_user; } // Exit out early if nothing is changed