From 437a620274389637cd5048b171044629fd34b0b9 Mon Sep 17 00:00:00 2001 From: Paul Makles Date: Wed, 23 Feb 2022 15:58:54 +0000 Subject: [PATCH] fix: also consider role ranking on setting role perm --- src/routes/servers/permissions_set.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/routes/servers/permissions_set.rs b/src/routes/servers/permissions_set.rs index b7b039e0..1180a4c3 100644 --- a/src/routes/servers/permissions_set.rs +++ b/src/routes/servers/permissions_set.rs @@ -22,13 +22,18 @@ pub async fn req( let data = data.into_inner(); let mut server = target.as_server(db).await?; - if let Some(current_value) = server.roles.get(&role_id).map(|x| x.permissions) { + if let Some((current_value, rank)) = server.roles.get(&role_id).map(|x| (x.permissions, x.rank)) + { let mut permissions = perms(&user).server(&server); permissions .throw_permission(db, Permission::ManagePermissions) .await?; + if rank <= permissions.get_member_rank().unwrap_or(i64::MIN) { + return Err(Error::NotElevated); + } + if !permissions .has_permission_value(db, data.permissions.allows()) .await?