fix: Check for appropriate permission for removing other users avatar (#657)
* Check for appropriate permission for removing other users avatar Signed-off-by: Chris Hultin <chris.hultin@gmail.com> * limit check for non-self to just removal Signed-off-by: Chris Hultin <chris.hultin@gmail.com> * else if change Signed-off-by: Chris Hultin <chris.hultin@gmail.com> --------- Signed-off-by: Chris Hultin <chris.hultin@gmail.com>
This commit is contained in:
committed by
GitHub
parent
52c0d2f266
commit
d56135e0cb
@@ -15,9 +15,7 @@ use revolt_database::{
|
||||
};
|
||||
use revolt_models::v0::{self, FieldsMember};
|
||||
|
||||
use revolt_permissions::{
|
||||
calculate_channel_permissions, calculate_server_permissions, ChannelPermission,
|
||||
};
|
||||
use revolt_permissions::{calculate_channel_permissions, calculate_server_permissions, ChannelPermission, UserPermission};
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::{form::validate::Contains, serde::json::Json, State};
|
||||
use validator::Validate;
|
||||
@@ -69,8 +67,10 @@ pub async fn edit(
|
||||
if data.avatar.is_some() || data.remove.contains(&v0::FieldsMember::Avatar) {
|
||||
if user.id == member.id.user {
|
||||
permissions.throw_if_lacking_channel_permission(ChannelPermission::ChangeAvatar)?;
|
||||
} else if data.remove.contains(&v0::FieldsMember::Avatar) {
|
||||
permissions.throw_if_lacking_channel_permission(ChannelPermission::RemoveAvatars)?;
|
||||
} else {
|
||||
return Err(create_error!(InvalidOperation));
|
||||
return Err(create_error!(InvalidOperation))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user