use revolt_database::{AdminAuthorization, AdminUser, Database}; use revolt_models::v0::{self}; use revolt_result::{create_error, Result}; use rocket::{serde::json::Json, State}; use crate::routes::admin::util::{flatten_authorized_user, user_has_permission}; /// Edit an admin user. Requires ManageAdminUsers flag. #[openapi(tag = "Admin")] #[post("/users", data = "")] pub async fn admin_create_user( db: &State, auth: AdminAuthorization, body: Json, ) -> Result> { let user = flatten_authorized_user(&auth); if !user_has_permission(user, v0::AdminUserPermissionFlags::ManageAdminUsers) { return Err(create_error!(NotFound)); } // TODO: technically there's a privilege escalation here since anyone with the manageAdminUsers permission can assign whatever permissions they want. // But this is built with the assumption that people with ManageAdminUsers are already privileged. let user = AdminUser::new(&body.email, &body.platform_user_id, body.permissions); db.admin_user_insert(user.clone()).await?; Ok(Json(user.into())) }