feat: Transfer ownership (#396)

* feat: Transfer ownership

Signed-off-by: LazyCat2 <68156188+LazyCat2@users.noreply.github.com>

* Allow privileged users to change ownership

Signed-off-by: LazyCat2 <68156188+LazyCat2@users.noreply.github.com>

* Require TOTP

Signed-off-by: LazyCat2 <68156188+LazyCat2@users.noreply.github.com>

* Require TOTP or password

Signed-off-by: LazyCat2 <68156188+LazyCat2@users.noreply.github.com>

---------

Signed-off-by: LazyCat2 <68156188+LazyCat2@users.noreply.github.com>
Signed-off-by: Tom <iamtomahawkx@gmail.com>
Co-authored-by: Tom <iamtomahawkx@gmail.com>
This commit is contained in:
LazyCat
2026-03-28 03:24:53 +03:00
committed by GitHub
parent d1e72cee42
commit 735d644e04
2 changed files with 36 additions and 1 deletions

View File

@@ -252,6 +252,9 @@ auto_derived!(
/// Must be enabled in order to show up on [Revolt Discover](https://rvlt.gg).
pub analytics: Option<bool>,
/// User id of the new owner
pub owner: Option<String>,
/// Fields to remove from server object
#[cfg_attr(feature = "serde", serde(default))]
pub remove: Vec<FieldsServer>,

View File

@@ -1,5 +1,6 @@
use std::collections::HashSet;
use authifier::models::{totp::Totp, Account, ValidatedTicket};
use revolt_database::{
util::{permissions::DatabasePermissionQuery, reference::Reference},
Database, File, PartialServer, User,
@@ -7,7 +8,7 @@ use revolt_database::{
use revolt_models::v0;
use revolt_permissions::{calculate_server_permissions, ChannelPermission};
use revolt_result::{create_error, Result};
use rocket::{serde::json::Json, State};
use rocket::{serde::json::Json, Request, State};
use validator::Validate;
/// # Edit Server
@@ -17,9 +18,11 @@ use validator::Validate;
#[patch("/<target>", data = "<data>")]
pub async fn edit(
db: &State<Database>,
account: Account,
user: User,
target: Reference<'_>,
data: Json<v0::DataEditServer>,
validated_ticket: Option<ValidatedTicket>,
) -> Result<Json<v0::Server>> {
let data = data.into_inner();
data.validate().map_err(|error| {
@@ -43,6 +46,7 @@ pub async fn edit(
&& data.flags.is_none()
&& data.analytics.is_none()
&& data.discoverable.is_none()
&& data.owner.is_none()
&& data.remove.is_empty()
{
return Ok(Json(server.into()));
@@ -57,6 +61,17 @@ pub async fn edit(
permissions.throw_if_lacking_channel_permission(ChannelPermission::ManageServer)?;
}
// Check we are the server owner or privileged if changing sensitive fields
if data.owner.is_some() {
if user.id != server.owner && !user.privileged {
return Err(create_error!(NotOwner));
}
if validated_ticket.is_none() {
return Err(create_error!(InvalidCredentials));
}
}
// Check we are privileged if changing sensitive fields
if (data.flags.is_some() /*|| data.nsfw.is_some()*/ || data.discoverable.is_some())
&& !user.privileged
@@ -80,6 +95,7 @@ pub async fn edit(
// nsfw,
discoverable,
analytics,
owner,
remove,
} = data;
@@ -92,6 +108,7 @@ pub async fn edit(
// nsfw,
discoverable,
analytics,
owner: owner.clone(),
..Default::default()
};
@@ -146,6 +163,21 @@ pub async fn edit(
server.banner = partial.banner.clone();
}
// 5. Transfer ownership
if let Some(owner) = owner {
let owner_reference = Reference { id: owner.clone() };
// Check if member exists
owner_reference.as_member(db, &server.id).await?;
let owner_user = owner_reference.as_user(db).await?;
if owner_user.bot.is_some() {
return Err(create_error!(InvalidOperation));
}
server.owner = owner;
partial.owner = Some(server.owner.clone());
}
server
.update(db, partial, remove.into_iter().map(Into::into).collect())
.await?;