From fce92382bfcd8c97e02694f7303bc57e9ec842f8 Mon Sep 17 00:00:00 2001 From: Paul Date: Mon, 7 Jun 2021 16:14:48 +0100 Subject: [PATCH] Servers: Fix create / leave. Prevent removal of self / owner. --- src/routes/servers/ban_remove.rs | 8 ++++++++ src/routes/servers/member_remove.rs | 4 ++++ src/routes/servers/server_create.rs | 3 +-- src/routes/servers/server_delete.rs | 21 +-------------------- 4 files changed, 14 insertions(+), 22 deletions(-) diff --git a/src/routes/servers/ban_remove.rs b/src/routes/servers/ban_remove.rs index ef27a50a..76e44ddb 100644 --- a/src/routes/servers/ban_remove.rs +++ b/src/routes/servers/ban_remove.rs @@ -16,6 +16,14 @@ pub async fn req(user: User, server: Ref, target: Ref) -> Result<()> { Err(Error::MissingPermission)? } + if target.id == user.id { + return Err(Error::InvalidOperation) + } + + if target.id == server.owner { + return Err(Error::MissingPermission) + } + let target = target.fetch_ban(&server.id).await?; get_collection("server_bans") .delete_one( diff --git a/src/routes/servers/member_remove.rs b/src/routes/servers/member_remove.rs index 645dccff..0c78cfb8 100644 --- a/src/routes/servers/member_remove.rs +++ b/src/routes/servers/member_remove.rs @@ -21,5 +21,9 @@ pub async fn req(user: User, target: Ref, member: String) -> Result<()> { return Err(Error::InvalidOperation) } + if target.id == target.owner { + return Err(Error::MissingPermission) + } + target.remove_member(&member.id.user).await } diff --git a/src/routes/servers/server_create.rs b/src/routes/servers/server_create.rs index 1142cd59..963e8b00 100644 --- a/src/routes/servers/server_create.rs +++ b/src/routes/servers/server_create.rs @@ -57,8 +57,6 @@ pub async fn req(user: User, info: Json) -> Result { banner: None, }; - server.join_member(&user.id).await?; - Channel::TextChannel { id: cid, server: id, @@ -71,6 +69,7 @@ pub async fn req(user: User, info: Json) -> Result { .await?; server.clone().publish().await?; + server.join_member(&user.id).await?; Ok(json!(server)) } diff --git a/src/routes/servers/server_delete.rs b/src/routes/servers/server_delete.rs index 29f13afc..e558c4ed 100644 --- a/src/routes/servers/server_delete.rs +++ b/src/routes/servers/server_delete.rs @@ -1,6 +1,5 @@ use crate::database::*; use crate::util::result::{Error, Result}; -use crate::notifications::events::ClientboundNotification; use mongodb::bson::doc; @@ -19,24 +18,6 @@ pub async fn req(user: User, target: Ref) -> Result<()> { if user.id == target.owner { target.delete().await } else { - get_collection("server_members") - .delete_one( - doc! { - - }, - None - ) - .await - .map_err(|_| Error::DatabaseError { - operation: "delete_one", - with: "server_member" - })?; - - ClientboundNotification::ServerMemberLeave { - id: target.id.clone(), - user: user.id - }.publish(target.id); - - Ok(()) + target.remove_member(&user.id).await } }