mirror of
https://github.com/stoatchat/stoatchat.git
synced 2026-07-14 05:26:59 +00:00
fix: server owner should bypass rank check on channel role-permission overrides (#805)
fix: allow true server owner to bypass rank check on channel role-permission overrides The set_role_permissions route blocks editing a role's channel permission overrides whenever role.rank <= the acting member's rank (NotElevated), to prevent privilege-escalation loops. However this check has no exemption for the server's true owner (server.owner == user.id). If an owner has assigned themselves their own top-level role (e.g. "Admin"/"Server Admin" - extremely common since most server setups have the owner hold their highest role for visible status/cosmetics), that role's rank is necessarily equal to their own computed member rank, so the check incorrectly throws NotElevated for the owner too - even though server owners by definition outrank every role and every member, owner-held roles included. This produces a confusing experience: the owner cannot edit channel-level overrides for their own top role via the UI, with no clear explanation, and may reasonably believe something is broken or their permissions are miscconfigured (they aren't). This adds a short-circuit: if the acting user is the server's owner, skip the rank comparison entirely, matching how Stoat already treats true ownership as an absolute bypass elsewhere in the permission system (e.g. channel-visibility lockout cascades). Signed-off-by: bluecords <133072610+bluecords@users.noreply.github.com>
This commit is contained in:
@@ -29,7 +29,9 @@ pub async fn set_role_permissions(
|
||||
|
||||
if let Some(server) = query.server_ref() {
|
||||
if let Some(role) = server.roles.get(&role_id) {
|
||||
if role.rank <= query.get_member_rank().unwrap_or(i64::MIN) {
|
||||
if server.owner != user.id
|
||||
&& role.rank <= query.get_member_rank().unwrap_or(i64::MIN)
|
||||
{
|
||||
return Err(create_error!(NotElevated));
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user