feat(roles delete): only allow members to delete roles lower ranking then themself

This commit is contained in:
Paul Makles
2022-02-23 14:42:08 +00:00
parent 04c2f8f293
commit 0ecce98056
2 changed files with 10 additions and 5 deletions

View File

@@ -3,14 +3,19 @@ use revolt_quark::{models::User, perms, Db, EmptyResponse, Error, Permission, Re
#[delete("/<target>/roles/<role_id>")] #[delete("/<target>/roles/<role_id>")]
pub async fn req(db: &Db, user: User, target: Ref, role_id: String) -> Result<EmptyResponse> { pub async fn req(db: &Db, user: User, target: Ref, role_id: String) -> Result<EmptyResponse> {
let mut server = target.as_server(db).await?; let mut server = target.as_server(db).await?;
perms(&user) let mut permissions = perms(&user).server(&server);
.server(&server)
permissions
.throw_permission(db, Permission::ManageRole) .throw_permission(db, Permission::ManageRole)
.await?; .await?;
// ! FIXME_PERMISSIONS let member_rank = permissions.get_member_rank().unwrap_or(0);
if let Some(role) = server.roles.remove(&role_id) { if let Some(role) = server.roles.remove(&role_id) {
if role.rank <= member_rank {
return Err(Error::NotElevated);
}
role.delete(db, &server.id, &role_id) role.delete(db, &server.id, &role_id)
.await .await
.map(|_| EmptyResponse) .map(|_| EmptyResponse)

View File

@@ -41,7 +41,7 @@ pub async fn req(
.throw_permission(db, Permission::ManageRole) .throw_permission(db, Permission::ManageRole)
.await?; .await?;
let member_rank = permissions.get_member_rank(); let member_rank = permissions.get_member_rank().unwrap_or(i64::MIN);
if let Some(mut role) = server.roles.remove(&role_id) { if let Some(mut role) = server.roles.remove(&role_id) {
let Data { let Data {
@@ -53,7 +53,7 @@ pub async fn req(
} = data; } = data;
if let Some(rank) = &rank { if let Some(rank) = &rank {
if rank <= &member_rank.unwrap_or(i64::MIN) { if rank <= &member_rank {
return Err(Error::NotElevated); return Err(Error::NotElevated);
} }
} }