feat(set server perm): prevent users giving out permissions they don't have

This commit is contained in:
Paul Makles
2022-02-23 15:53:58 +00:00
parent 0ecce98056
commit 30af92bee4

View File

@@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize};
use revolt_quark::{ use revolt_quark::{
models::{Server, User}, models::{Server, User},
perms, Db, Override, Permission, Ref, Result, perms, Db, Error, Override, Permission, Ref, Result,
}; };
#[derive(Serialize, Deserialize)] #[derive(Serialize, Deserialize)]
@@ -22,16 +22,34 @@ pub async fn req(
let data = data.into_inner(); let data = data.into_inner();
let mut server = target.as_server(db).await?; let mut server = target.as_server(db).await?;
perms(&user) if let Some(current_value) = server.roles.get(&role_id).map(|x| x.permissions) {
.server(&server) let mut permissions = perms(&user).server(&server);
.throw_permission(db, Permission::ManagePermissions)
.await?;
// ! FIXME_PERMISSIONS permissions
.throw_permission(db, Permission::ManagePermissions)
.await?;
server if !permissions
.set_role_permission(db, &role_id, data.permissions.into()) .has_permission_value(db, data.permissions.allows())
.await?; .await?
{
return Err(Error::CannotGiveMissingPermissions);
}
Ok(Json(server)) let current_value: Override = current_value.into();
if !permissions
.has_permission_value(db, current_value.denies() & (!data.permissions.denies()))
.await?
{
return Err(Error::CannotGiveMissingPermissions);
}
server
.set_role_permission(db, &role_id, data.permissions.into())
.await?;
Ok(Json(server))
} else {
Err(Error::NotFound)
}
} }