fix: enforce role permissions on member_edit
This commit is contained in:
2
Cargo.lock
generated
2
Cargo.lock
generated
@@ -2992,7 +2992,7 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "revolt-delta"
|
name = "revolt-delta"
|
||||||
version = "0.5.3-5-patch.2"
|
version = "0.5.3-6"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"async-channel",
|
"async-channel",
|
||||||
"async-std",
|
"async-std",
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "revolt-delta"
|
name = "revolt-delta"
|
||||||
version = "0.5.3-5-patch.2"
|
version = "0.5.3-6"
|
||||||
license = "AGPL-3.0-or-later"
|
license = "AGPL-3.0-or-later"
|
||||||
authors = ["Paul Makles <paulmakles@gmail.com>"]
|
authors = ["Paul Makles <paulmakles@gmail.com>"]
|
||||||
edition = "2018"
|
edition = "2018"
|
||||||
|
|||||||
@@ -1,9 +1,11 @@
|
|||||||
|
use std::collections::HashSet;
|
||||||
|
|
||||||
use revolt_quark::{
|
use revolt_quark::{
|
||||||
models::{
|
models::{
|
||||||
server_member::{FieldsMember, PartialMember},
|
server_member::{FieldsMember, PartialMember},
|
||||||
File, Member, User,
|
File, Member, User,
|
||||||
},
|
},
|
||||||
perms, Db, Error, Ref, Result,
|
perms, Db, Error, Permission, Ref, Result,
|
||||||
};
|
};
|
||||||
|
|
||||||
use rocket::serde::json::Json;
|
use rocket::serde::json::Json;
|
||||||
@@ -41,11 +43,91 @@ pub async fn req(
|
|||||||
data.validate()
|
data.validate()
|
||||||
.map_err(|error| Error::FailedValidation { error })?;
|
.map_err(|error| Error::FailedValidation { error })?;
|
||||||
|
|
||||||
let server = server.as_server(db).await?;
|
// Fetch server, target member and current permissions
|
||||||
perms(&user).server(&server).calc(db).await?;
|
let mut server = server.as_server(db).await?;
|
||||||
|
|
||||||
let mut member = target.as_member(db, &server.id).await?;
|
let mut member = target.as_member(db, &server.id).await?;
|
||||||
|
let mut permissions = perms(&user).server(&server);
|
||||||
|
|
||||||
|
// Check permissions in server
|
||||||
|
let mut required = vec![];
|
||||||
|
|
||||||
|
if data.nickname.is_some()
|
||||||
|
|| data
|
||||||
|
.remove
|
||||||
|
.as_ref()
|
||||||
|
.map(|x| x.contains(&FieldsMember::Nickname))
|
||||||
|
.unwrap_or_default()
|
||||||
|
{
|
||||||
|
if user.id == member.id.user {
|
||||||
|
required.push(Permission::ChangeNickname);
|
||||||
|
} else {
|
||||||
|
required.push(Permission::ManageNicknames);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if data.avatar.is_some()
|
||||||
|
|| data
|
||||||
|
.remove
|
||||||
|
.as_ref()
|
||||||
|
.map(|x| x.contains(&FieldsMember::Avatar))
|
||||||
|
.unwrap_or_default()
|
||||||
|
{
|
||||||
|
if user.id == member.id.user {
|
||||||
|
required.push(Permission::ChangeAvatar);
|
||||||
|
} else {
|
||||||
|
return Err(Error::InvalidOperation);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if data.roles.is_some()
|
||||||
|
|| data
|
||||||
|
.remove
|
||||||
|
.as_ref()
|
||||||
|
.map(|x| x.contains(&FieldsMember::Roles))
|
||||||
|
.unwrap_or_default()
|
||||||
|
{
|
||||||
|
required.push(Permission::AssignRoles);
|
||||||
|
}
|
||||||
|
|
||||||
|
for permission in required {
|
||||||
|
permissions.throw_permission(db, permission).await?;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Resolve our ranking
|
||||||
|
let our_ranking = permissions.get_member_rank().unwrap_or(i64::MIN);
|
||||||
|
|
||||||
|
// Check that we have permissions to act against this member
|
||||||
|
if member.id.user != user.id
|
||||||
|
&& member.get_ranking(permissions.server.get().unwrap()) <= our_ranking
|
||||||
|
{
|
||||||
|
return Err(Error::NotElevated);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check permissions against roles in diff
|
||||||
|
if let Some(roles) = &data.roles {
|
||||||
|
let fallback = vec![];
|
||||||
|
let current_roles = member
|
||||||
|
.roles
|
||||||
|
.as_ref()
|
||||||
|
.unwrap_or(&fallback)
|
||||||
|
.iter()
|
||||||
|
.collect::<HashSet<&String>>();
|
||||||
|
|
||||||
|
let new_roles = roles.iter().collect::<HashSet<&String>>();
|
||||||
|
let added_roles: Vec<&&String> = new_roles.difference(¤t_roles).collect();
|
||||||
|
|
||||||
|
for role_id in added_roles {
|
||||||
|
if let Some(role) = server.roles.remove(*role_id) {
|
||||||
|
if role.rank <= our_ranking {
|
||||||
|
return Err(Error::NotElevated);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return Err(Error::InvalidRole);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Apply edits to the member object
|
||||||
let DataMemberEdit {
|
let DataMemberEdit {
|
||||||
nickname,
|
nickname,
|
||||||
avatar,
|
avatar,
|
||||||
@@ -59,9 +141,6 @@ pub async fn req(
|
|||||||
..Default::default()
|
..Default::default()
|
||||||
};
|
};
|
||||||
|
|
||||||
// ! FIXME: calculate permission against member
|
|
||||||
// ! FIXME: also check roles exist lol
|
|
||||||
|
|
||||||
// 1. Remove fields from object
|
// 1. Remove fields from object
|
||||||
if let Some(fields) = &remove {
|
if let Some(fields) = &remove {
|
||||||
if fields.contains(&FieldsMember::Avatar) {
|
if fields.contains(&FieldsMember::Avatar) {
|
||||||
|
|||||||
Reference in New Issue
Block a user