fix: add elevation check to role edit route

This commit is contained in:
Paul Makles
2024-04-07 15:52:14 +01:00
parent 54a4eff623
commit aded2e3239
3 changed files with 9 additions and 0 deletions

View File

@@ -36,10 +36,12 @@ pub async fn req(
.throw_permission(db, Permission::ManagePermissions)
.await?;
// Prevent us from editing roles above us
if rank <= permissions.get_member_rank().unwrap_or(i64::MIN) {
return Err(Error::NotElevated);
}
// Ensure we have access to grant these permissions forwards
let current_value: Override = current_value.into();
permissions
.throw_permission_override(db, current_value, data.permissions)

View File

@@ -24,6 +24,7 @@ pub async fn req(
.throw_permission(db, Permission::ManagePermissions)
.await?;
// Ensure we have permissions to grant these permissions forwards
permissions
.throw_permission_value(db, data.permissions)
.await?;

View File

@@ -58,6 +58,11 @@ pub async fn req(
let member_rank = permissions.get_member_rank().unwrap_or(i64::MIN);
if let Some(mut role) = server.roles.remove(&role_id) {
// Prevent us from editing roles above us
if role.rank <= member_rank {
return Err(Error::NotElevated);
}
let DataEditRole {
name,
colour,
@@ -66,6 +71,7 @@ pub async fn req(
remove,
} = data;
// Prevent us from moving a role above other roles
if let Some(rank) = &rank {
if rank <= &member_rank {
return Err(Error::NotElevated);