From d56135e0cbc713884c9378832952f7ad490fa315 Mon Sep 17 00:00:00 2001 From: Christopher Hultin Date: Tue, 10 Mar 2026 16:38:41 -0600 Subject: [PATCH] fix: Check for appropriate permission for removing other users avatar (#657) * Check for appropriate permission for removing other users avatar Signed-off-by: Chris Hultin * limit check for non-self to just removal Signed-off-by: Chris Hultin * else if change Signed-off-by: Chris Hultin --------- Signed-off-by: Chris Hultin --- crates/delta/src/routes/servers/member_edit.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crates/delta/src/routes/servers/member_edit.rs b/crates/delta/src/routes/servers/member_edit.rs index 9c6a1d58..87b45524 100644 --- a/crates/delta/src/routes/servers/member_edit.rs +++ b/crates/delta/src/routes/servers/member_edit.rs @@ -15,9 +15,7 @@ use revolt_database::{ }; use revolt_models::v0::{self, FieldsMember}; -use revolt_permissions::{ - calculate_channel_permissions, calculate_server_permissions, ChannelPermission, -}; +use revolt_permissions::{calculate_channel_permissions, calculate_server_permissions, ChannelPermission, UserPermission}; use revolt_result::{create_error, Result}; use rocket::{form::validate::Contains, serde::json::Json, State}; use validator::Validate; @@ -69,8 +67,10 @@ pub async fn edit( if data.avatar.is_some() || data.remove.contains(&v0::FieldsMember::Avatar) { if user.id == member.id.user { permissions.throw_if_lacking_channel_permission(ChannelPermission::ChangeAvatar)?; + } else if data.remove.contains(&v0::FieldsMember::Avatar) { + permissions.throw_if_lacking_channel_permission(ChannelPermission::RemoveAvatars)?; } else { - return Err(create_error!(InvalidOperation)); + return Err(create_error!(InvalidOperation)) } }