mirror of
https://github.com/stoatchat/stoatchat.git
synced 2026-07-14 13:36:59 +00:00
fix: allow true server owner to bypass rank check on channel role-permission overrides The set_role_permissions route blocks editing a role's channel permission overrides whenever role.rank <= the acting member's rank (NotElevated), to prevent privilege-escalation loops. However this check has no exemption for the server's true owner (server.owner == user.id). If an owner has assigned themselves their own top-level role (e.g. "Admin"/"Server Admin" - extremely common since most server setups have the owner hold their highest role for visible status/cosmetics), that role's rank is necessarily equal to their own computed member rank, so the check incorrectly throws NotElevated for the owner too - even though server owners by definition outrank every role and every member, owner-held roles included. This produces a confusing experience: the owner cannot edit channel-level overrides for their own top role via the UI, with no clear explanation, and may reasonably believe something is broken or their permissions are miscconfigured (they aren't). This adds a short-circuit: if the acting user is the server's owner, skip the rank comparison entirely, matching how Stoat already treats true ownership as an absolute bypass elsewhere in the permission system (e.g. channel-visibility lockout cascades). Signed-off-by: bluecords <133072610+bluecords@users.noreply.github.com>