fix: Check for appropriate permission for removing other users avatar (#657)

* Check for appropriate permission for removing other users avatar

Signed-off-by: Chris Hultin <chris.hultin@gmail.com>

* limit check for non-self to just removal

Signed-off-by: Chris Hultin <chris.hultin@gmail.com>

* else if change

Signed-off-by: Chris Hultin <chris.hultin@gmail.com>

---------

Signed-off-by: Chris Hultin <chris.hultin@gmail.com>
This commit is contained in:
Christopher Hultin
2026-03-10 16:38:41 -06:00
committed by GitHub
parent 52c0d2f266
commit d56135e0cb

View File

@@ -15,9 +15,7 @@ use revolt_database::{
};
use revolt_models::v0::{self, FieldsMember};
use revolt_permissions::{
calculate_channel_permissions, calculate_server_permissions, ChannelPermission,
};
use revolt_permissions::{calculate_channel_permissions, calculate_server_permissions, ChannelPermission, UserPermission};
use revolt_result::{create_error, Result};
use rocket::{form::validate::Contains, serde::json::Json, State};
use validator::Validate;
@@ -69,8 +67,10 @@ pub async fn edit(
if data.avatar.is_some() || data.remove.contains(&v0::FieldsMember::Avatar) {
if user.id == member.id.user {
permissions.throw_if_lacking_channel_permission(ChannelPermission::ChangeAvatar)?;
} else if data.remove.contains(&v0::FieldsMember::Avatar) {
permissions.throw_if_lacking_channel_permission(ChannelPermission::RemoveAvatars)?;
} else {
return Err(create_error!(InvalidOperation));
return Err(create_error!(InvalidOperation))
}
}