forked from jmug/stoatchat
fix(safety): prevent reporting own content or self
This commit is contained in:
@@ -40,6 +40,11 @@ pub async fn report_content(db: &Db, user: User, data: Json<DataReportContent>)
|
|||||||
ReportedContent::Message { id, .. } => {
|
ReportedContent::Message { id, .. } => {
|
||||||
let message = db.fetch_message(id).await?;
|
let message = db.fetch_message(id).await?;
|
||||||
|
|
||||||
|
// Users cannot report themselves
|
||||||
|
if message.author == user.id {
|
||||||
|
return Err(Error::CannotReportYourself);
|
||||||
|
}
|
||||||
|
|
||||||
// Collect message attachments
|
// Collect message attachments
|
||||||
let files = message
|
let files = message
|
||||||
.attachments
|
.attachments
|
||||||
@@ -52,6 +57,11 @@ pub async fn report_content(db: &Db, user: User, data: Json<DataReportContent>)
|
|||||||
ReportedContent::Server { id, .. } => {
|
ReportedContent::Server { id, .. } => {
|
||||||
let server = db.fetch_server(id).await?;
|
let server = db.fetch_server(id).await?;
|
||||||
|
|
||||||
|
// Users cannot report their own server
|
||||||
|
if server.owner == user.id {
|
||||||
|
return Err(Error::CannotReportYourself);
|
||||||
|
}
|
||||||
|
|
||||||
// Collect server's icon and banner
|
// Collect server's icon and banner
|
||||||
let files = [&server.icon, &server.banner]
|
let files = [&server.icon, &server.banner]
|
||||||
.iter()
|
.iter()
|
||||||
@@ -61,12 +71,18 @@ pub async fn report_content(db: &Db, user: User, data: Json<DataReportContent>)
|
|||||||
(SnapshotContent::Server(server), files)
|
(SnapshotContent::Server(server), files)
|
||||||
}
|
}
|
||||||
ReportedContent::User { id, .. } => {
|
ReportedContent::User { id, .. } => {
|
||||||
let user = db.fetch_user(id).await?;
|
let reported_user = db.fetch_user(id).await?;
|
||||||
|
|
||||||
|
// Users cannot report themselves
|
||||||
|
if reported_user.id == user.id {
|
||||||
|
return Err(Error::CannotReportYourself);
|
||||||
|
}
|
||||||
|
|
||||||
// Collect user's avatar and profile background
|
// Collect user's avatar and profile background
|
||||||
let files = [
|
let files = [
|
||||||
user.avatar.as_ref(),
|
reported_user.avatar.as_ref(),
|
||||||
user.profile
|
reported_user
|
||||||
|
.profile
|
||||||
.as_ref()
|
.as_ref()
|
||||||
.and_then(|profile| profile.background.as_ref()),
|
.and_then(|profile| profile.background.as_ref()),
|
||||||
]
|
]
|
||||||
@@ -74,7 +90,7 @@ pub async fn report_content(db: &Db, user: User, data: Json<DataReportContent>)
|
|||||||
.filter_map(|x| x.as_ref().map(|x| x.id.to_string()))
|
.filter_map(|x| x.as_ref().map(|x| x.id.to_string()))
|
||||||
.collect();
|
.collect();
|
||||||
|
|
||||||
(SnapshotContent::User(user), files)
|
(SnapshotContent::User(reported_user), files)
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -64,6 +64,9 @@ pub enum Error {
|
|||||||
IsBot,
|
IsBot,
|
||||||
BotIsPrivate,
|
BotIsPrivate,
|
||||||
|
|
||||||
|
// ? User safety related errors
|
||||||
|
CannotReportYourself,
|
||||||
|
|
||||||
// ? Permission errors
|
// ? Permission errors
|
||||||
MissingPermission {
|
MissingPermission {
|
||||||
permission: Permission,
|
permission: Permission,
|
||||||
@@ -166,6 +169,8 @@ impl<'r> Responder<'r, 'static> for Error {
|
|||||||
Error::IsBot => Status::BadRequest,
|
Error::IsBot => Status::BadRequest,
|
||||||
Error::BotIsPrivate => Status::Forbidden,
|
Error::BotIsPrivate => Status::Forbidden,
|
||||||
|
|
||||||
|
Error::CannotReportYourself => Status::BadRequest,
|
||||||
|
|
||||||
Error::MissingPermission { .. } => Status::Forbidden,
|
Error::MissingPermission { .. } => Status::Forbidden,
|
||||||
Error::MissingUserPermission { .. } => Status::Forbidden,
|
Error::MissingUserPermission { .. } => Status::Forbidden,
|
||||||
Error::NotElevated => Status::Forbidden,
|
Error::NotElevated => Status::Forbidden,
|
||||||
|
|||||||
Reference in New Issue
Block a user