feat: reintroduce permission checks for send

This commit is contained in:
Paul Makles
2023-06-03 14:00:17 +01:00
parent 23188032ca
commit a0002d0b43
10 changed files with 82 additions and 57 deletions

View File

@@ -44,8 +44,6 @@ pub async fn req(
.throw_permission_and_view_channel(db, Permission::SendMessage)
.await?;
Message::validate_sum(&edit.content, &edit.embeds)?;
let mut message = msg.as_message(db).await?;
if message.channel != channel.id() {
return Err(Error::NotFound);
@@ -55,6 +53,12 @@ pub async fn req(
return Err(Error::CannotEditMessage);
}
if let Some(new_embeds) = &edit.embeds {
Message::validate_sum(&edit.content, new_embeds)?;
} else {
Message::validate_sum(&edit.content, &vec![])?;
}
message.edited = Some(Timestamp::now_utc());
let mut partial = PartialMessage {
edited: message.edited,

View File

@@ -1,11 +1,9 @@
use revolt_quark::{
models::{
message::DataMessageSend,
Message, User,
},
models::{message::DataMessageSend, Message, User},
perms,
types::push::MessageAuthor,
web::idempotency::IdempotencyKey,
Db, Error, Permission, Ref, Result, types::push::MessageAuthor,
Db, Error, Permission, Ref, Result,
};
use rocket::serde::json::Json;
@@ -35,7 +33,7 @@ pub async fn message_send(
.throw_permission_and_view_channel(db, Permission::SendMessage)
.await?;
// Verify permissions for masquerade.
// Verify permissions for masquerade
if let Some(masq) = &data.masquerade {
permissions
.throw_permission(db, Permission::Masquerade)
@@ -48,8 +46,37 @@ pub async fn message_send(
}
}
// Check permissions for embeds
if !data.embeds.is_empty() {
permissions
.throw_permission(db, Permission::SendEmbeds)
.await?;
}
// Check permissions for files
if !data.attachments.is_empty() {
permissions
.throw_permission(db, Permission::UploadFiles)
.await?;
}
// Ensure interactions information is correct
if let Some(interactions) = &data.interactions {
interactions.validate(db, &mut permissions).await?;
}
// Create the message
let message = channel.send_message(db, data, MessageAuthor::User(&user), idempotency).await?;
let message = channel
.send_message(
db,
data,
MessageAuthor::User(&user),
idempotency,
permissions
.has_permission(db, Permission::SendEmbeds)
.await?,
)
.await?;
Ok(Json(message))
}

View File

@@ -33,6 +33,9 @@ pub async fn webhook_execute(
webhook.assert_token(&token).map_err(Error::from_core)?;
// TODO: webhooks can currently always send masquerades, files, embeds, reactions (interactions)
// TODO: they can also mention anyone
let channel = legacy_db.fetch_channel(&webhook.channel_id).await?;
let message = channel
.send_message(
@@ -40,6 +43,7 @@ pub async fn webhook_execute(
data,
MessageAuthor::Webhook(&webhook.into()),
idempotency,
true,
)
.await?;