feat: reintroduce permission checks for send
This commit is contained in:
@@ -44,8 +44,6 @@ pub async fn req(
|
||||
.throw_permission_and_view_channel(db, Permission::SendMessage)
|
||||
.await?;
|
||||
|
||||
Message::validate_sum(&edit.content, &edit.embeds)?;
|
||||
|
||||
let mut message = msg.as_message(db).await?;
|
||||
if message.channel != channel.id() {
|
||||
return Err(Error::NotFound);
|
||||
@@ -55,6 +53,12 @@ pub async fn req(
|
||||
return Err(Error::CannotEditMessage);
|
||||
}
|
||||
|
||||
if let Some(new_embeds) = &edit.embeds {
|
||||
Message::validate_sum(&edit.content, new_embeds)?;
|
||||
} else {
|
||||
Message::validate_sum(&edit.content, &vec![])?;
|
||||
}
|
||||
|
||||
message.edited = Some(Timestamp::now_utc());
|
||||
let mut partial = PartialMessage {
|
||||
edited: message.edited,
|
||||
|
||||
@@ -1,11 +1,9 @@
|
||||
use revolt_quark::{
|
||||
models::{
|
||||
message::DataMessageSend,
|
||||
Message, User,
|
||||
},
|
||||
models::{message::DataMessageSend, Message, User},
|
||||
perms,
|
||||
types::push::MessageAuthor,
|
||||
web::idempotency::IdempotencyKey,
|
||||
Db, Error, Permission, Ref, Result, types::push::MessageAuthor,
|
||||
Db, Error, Permission, Ref, Result,
|
||||
};
|
||||
|
||||
use rocket::serde::json::Json;
|
||||
@@ -35,7 +33,7 @@ pub async fn message_send(
|
||||
.throw_permission_and_view_channel(db, Permission::SendMessage)
|
||||
.await?;
|
||||
|
||||
// Verify permissions for masquerade.
|
||||
// Verify permissions for masquerade
|
||||
if let Some(masq) = &data.masquerade {
|
||||
permissions
|
||||
.throw_permission(db, Permission::Masquerade)
|
||||
@@ -48,8 +46,37 @@ pub async fn message_send(
|
||||
}
|
||||
}
|
||||
|
||||
// Check permissions for embeds
|
||||
if !data.embeds.is_empty() {
|
||||
permissions
|
||||
.throw_permission(db, Permission::SendEmbeds)
|
||||
.await?;
|
||||
}
|
||||
|
||||
// Check permissions for files
|
||||
if !data.attachments.is_empty() {
|
||||
permissions
|
||||
.throw_permission(db, Permission::UploadFiles)
|
||||
.await?;
|
||||
}
|
||||
|
||||
// Ensure interactions information is correct
|
||||
if let Some(interactions) = &data.interactions {
|
||||
interactions.validate(db, &mut permissions).await?;
|
||||
}
|
||||
|
||||
// Create the message
|
||||
let message = channel.send_message(db, data, MessageAuthor::User(&user), idempotency).await?;
|
||||
let message = channel
|
||||
.send_message(
|
||||
db,
|
||||
data,
|
||||
MessageAuthor::User(&user),
|
||||
idempotency,
|
||||
permissions
|
||||
.has_permission(db, Permission::SendEmbeds)
|
||||
.await?,
|
||||
)
|
||||
.await?;
|
||||
|
||||
Ok(Json(message))
|
||||
}
|
||||
|
||||
@@ -33,6 +33,9 @@ pub async fn webhook_execute(
|
||||
|
||||
webhook.assert_token(&token).map_err(Error::from_core)?;
|
||||
|
||||
// TODO: webhooks can currently always send masquerades, files, embeds, reactions (interactions)
|
||||
// TODO: they can also mention anyone
|
||||
|
||||
let channel = legacy_db.fetch_channel(&webhook.channel_id).await?;
|
||||
let message = channel
|
||||
.send_message(
|
||||
@@ -40,6 +43,7 @@ pub async fn webhook_execute(
|
||||
data,
|
||||
MessageAuthor::Webhook(&webhook.into()),
|
||||
idempotency,
|
||||
true,
|
||||
)
|
||||
.await?;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user