From 30af92bee400a5e51b48ac851a25bc0d33df8a97 Mon Sep 17 00:00:00 2001 From: Paul Makles Date: Wed, 23 Feb 2022 15:53:58 +0000 Subject: [PATCH] feat(set server perm): prevent users giving out permissions they don't have --- src/routes/servers/permissions_set.rs | 38 ++++++++++++++++++++------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/src/routes/servers/permissions_set.rs b/src/routes/servers/permissions_set.rs index f83d0163..b7b039e0 100644 --- a/src/routes/servers/permissions_set.rs +++ b/src/routes/servers/permissions_set.rs @@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize}; use revolt_quark::{ models::{Server, User}, - perms, Db, Override, Permission, Ref, Result, + perms, Db, Error, Override, Permission, Ref, Result, }; #[derive(Serialize, Deserialize)] @@ -22,16 +22,34 @@ pub async fn req( let data = data.into_inner(); let mut server = target.as_server(db).await?; - perms(&user) - .server(&server) - .throw_permission(db, Permission::ManagePermissions) - .await?; + if let Some(current_value) = server.roles.get(&role_id).map(|x| x.permissions) { + let mut permissions = perms(&user).server(&server); - // ! FIXME_PERMISSIONS + permissions + .throw_permission(db, Permission::ManagePermissions) + .await?; - server - .set_role_permission(db, &role_id, data.permissions.into()) - .await?; + if !permissions + .has_permission_value(db, data.permissions.allows()) + .await? + { + return Err(Error::CannotGiveMissingPermissions); + } - Ok(Json(server)) + let current_value: Override = current_value.into(); + if !permissions + .has_permission_value(db, current_value.denies() & (!data.permissions.denies())) + .await? + { + return Err(Error::CannotGiveMissingPermissions); + } + + server + .set_role_permission(db, &role_id, data.permissions.into()) + .await?; + + Ok(Json(server)) + } else { + Err(Error::NotFound) + } }