From 986fc8a5e41287ae30d164bb101353dedb3b5111 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Wed, 2 Feb 2022 22:07:27 +0300 Subject: [PATCH 01/12] Allow self-ban of non-owners --- api/src/routes/guilds/#guild_id/bans.ts | 35 ++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 1e09a38d..298acd5c 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -54,7 +54,8 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER const banned_user = await User.getPublicUser(banned_user_id); - if (req.user_id === banned_user_id) throw new HTTPError("You can't ban yourself", 400); + if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) + throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); const ban = new Ban({ 
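Review bot: The new guard in the @@ -54 hunk, `(req.user_id === banned_user_id) && (banned_user_id === owner_id)`, is fully subsumed by the unchanged `if (req.permission!.cache.guild?.owner_id === banned_user_id)` check on the very next line; the only thing it adds is a different status and message for the owner's own request. If that distinction is deliberate, say so in a comment, e.g. `// owner self-ban is 403 so clients can tell it from a plain owner-ban (400)`; otherwise collapse both into the single owner check. The `new Ban({` constructor that follows is outside the hunk, so whether a moderator targeting their own id ends up with `executor_id === user_id` cannot be confirmed here, but it is what the rest of this series keys on and is worth checking.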
@@ -81,6 +82,38 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER return res.json(ban); }); +router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => { + // TODO: make self-bans irreversible + const { guild_id } = req.params; + + const banned_user = await User.getPublicUser(req.params.user_id); + + if (req.permission!.cache.guild?.owner_id === req.params.user_id) + throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + const ban = new Ban({ + user_id: req.params.user_id, + guild_id: guild_id, + ip: getIpAdress(req), + executor_id: req.params.user_id, + reason: req.body.reason // || otherwise empty + }); + + await Promise.all([ + Member.removeFromGuild(req.user_id, guild_id), + ban.save(), + emitEvent({ + event: "GUILD_BAN_ADD", + data: { + guild_id: guild_id, + user: banned_user + }, + guild_id: guild_id + } as GuildBanAddEvent) + ]); + + return res.json(ban); +}); + router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; From cca854b943d3e5a5a949eb7430db1eed23627b94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Wed, 2 Feb 2022 23:14:35 +0300 Subject: [PATCH 02/12] Make self-bans irreversible --- api/src/routes/guilds/#guild_id/bans.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 298acd5c..d9f62961 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts 
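Review bot: The `/@me` handler reads `req.params.user_id` for the user lookup, the owner check and both `user_id` and `executor_id` of the new Ban, but a route registered as `"/@me"` has no `user_id` parameter, so all of those are `undefined` — the owner guard can never fire, the ban row is written for user `undefined`, while `Member.removeFromGuild` correctly uses `req.user_id`. Replace the four uses with `const user_id = req.user_id;` and use that throughout. The route is also registered after `router.put("/:user_id", …)`, which Express matches first with `user_id = "@me"`, so it must be registered before the parameterised route to be reachable at all. `req.permission!` is dereferenced although this `route()` call passes no `permission` option; whether `route()` still populates it, and whether it verifies guild membership, cannot be confirmed from here and should be checked before the caller's IP is stored in a ban row for an arbitrary `guild_id`.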
@@ -56,6 +56,7 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); const ban = new Ban({ @@ -83,13 +84,13 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER }); router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: Response) => { - // TODO: make self-bans irreversible const { guild_id } = req.params; const banned_user = await User.getPublicUser(req.params.user_id); if (req.permission!.cache.guild?.owner_id === req.params.user_id) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); + const ban = new Ban({ user_id: req.params.user_id, guild_id: guild_id, @@ -118,6 +119,8 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req const { guild_id, user_id } = req.params; const banned_user = await User.getPublicUser(user_id); + + if (banned_user.user_id === banned_user.executor_id) throw new HTTPError("Self-bans are irreversible", 400); await Promise.all([ Ban.delete({ From 8b641d099a516fc8d87b8c8ebcb725d230e12636 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Wed, 2 Feb 2022 23:21:38 +0300 Subject: [PATCH 03/12] Better protection against self-bans --- api/src/routes/guilds/#guild_id/bans.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index d9f62961..c73cc3e6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts 
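Review bot: The self-ban guard in the @@ -118 hunk compares `banned_user.user_id` with `banned_user.executor_id` on the object returned by `User.getPublicUser`, which is a user record, not a ban; unless a public user carries both fields, both sides are `undefined`, the comparison is always true, and every unban is rejected with "Self-bans are irreversible". The executor is a property of the ban row, so load that instead: `const ban = await Ban.findOneOrFail({ guild_id, user_id }); if (ban.user_id === ban.executor_id) throw new HTTPError("Self-bans are irreversible", 400);`. The `Ban.delete` call and the rest of the handler continue past the hunk.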
@@ -120,8 +120,9 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req const banned_user = await User.getPublicUser(user_id); - if (banned_user.user_id === banned_user.executor_id) throw new HTTPError("Self-bans are irreversible", 400); - + if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // make self-bans irreversible and hide them from view to avoid victim chasing + await Promise.all([ Ban.delete({ user_id: user_id, From 3e0f568ba480fd963f91405e15359383ea3bf3e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Wed, 2 Feb 2022 23:27:54 +0300 Subject: [PATCH 04/12] Extend the pretense of non-existence of self-bans to API view route too --- api/src/routes/guilds/#guild_id/bans.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index c73cc3e6..5a425680 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -27,6 +27,8 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ + if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // hide self-bans from view to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; From 57057c8711422beb904b8edbc5fdaa88f703932b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 08:49:28 +0300 Subject: [PATCH 05/12] remove pretense of nonexistence from main view route for now to make it compile while thinking of a fix --- api/src/routes/guilds/#guild_id/bans.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 5a425680..c73cc3e6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts 
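Review bot: The @@ -120 hunk throws `DiscordApiErrors.UNKNOWN_BAN`, but the file's import line (shown unchanged in the later @@ -1,5 hunk) did not include `DiscordApiErrors` at this point, so this does not compile as committed. The comparison is also still made on the public user object rather than the ban row, so the added comment does not yet describe what the code does. More fundamentally, pretending the ban does not exist on the REST side is undermined by the `/@me` handler emitting `GUILD_BAN_ADD` with the full user object to the whole guild; if victim-chasing is the threat, the gateway event needs the same treatment, or the comment should state that only the REST view is hidden.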
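Review bot: The @@ -27 hunk references `banned_user` inside the list route, where only `bans` is in scope, so this is an unresolved name (a compile error under TypeScript) — and even with a valid object a `throw` would hide the entire ban list rather than just the self-bans. The intent is a filter whose result is assigned back: `bans = bans.filter((ban) => ban.user_id !== ban.executor_id);` placed before the `forEach` that strips `ip`.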
+++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -27,8 +27,6 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ - if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; - // hide self-bans from view to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; From 62b7c334b131702afd291a7a5cfd123fc0b86680 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 10:04:41 +0300 Subject: [PATCH 06/12] Try to commit this one again, this time over the web --- api/src/routes/guilds/#guild_id/bans.ts | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index c73cc3e6..cc1dbda3 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -1,5 +1,5 @@ import { Request, Response, Router } from "express"; -import { emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util"; +import { DiscordApiErrors, emitEvent, getPermission, GuildBanAddEvent, GuildBanRemoveEvent, Guild, Ban, User, Member } from "@fosscord/util"; import { HTTPError } from "lambert-server"; import { getIpAdress, route } from "@fosscord/api"; @@ -39,7 +39,10 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + + if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + // pretend self-bans don't exist to prevent victim chasing /* Filter secret from registry. */ 
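Review bot: In the @@ -39 hunk the new self-ban check depends on `ban` being found by `user_id`, but the unchanged line above assigns `const user_id = req.params.ban;` while the route is declared as `"/:user"`, so `user_id` is presumably `undefined` and `findOneOrFail` cannot match the intended row (pre-existing, but the new check makes it load-bearing). Use `const user_id = req.params.user;` or rename the route parameter. The `as BanCreateSchema` cast also mislabels the entity: `BanCreateSchema` is the request-body shape and has no reason to carry `executor_id`; drop the cast and let the `Ban` entity type stand.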
@@ -118,11 +121,12 @@ router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; - const banned_user = await User.getPublicUser(user_id); + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; - if (banned_user.user_id === banned_user.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; + if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing + await Promise.all([ Ban.delete({ user_id: user_id, From 9b3942dcfdeb6f43974ebe10ccef5541bc1e7d4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 09:36:52 +0300 Subject: [PATCH 07/12] attempt to fix self-bans --- bundle/package-lock.json | Bin 607272 -> 595547 bytes bundle/package.json | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) 
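Review bot: The @@ -118 hunk removes `const banned_user = await User.getPublicUser(user_id);` from the delete handler, but the `GUILD_BAN_REMOVE` emit further down (outside the hunk) presumably still references `banned_user`; if so this leaves an unresolved name. Keep the ban lookup for the self-ban check and re-add the user lookup after it, e.g. `const banned_user = await User.getPublicUser(user_id);` just before the `Promise.all`. The `as BanCreateSchema` cast is again the body schema, not the entity; the `Ban` row returned by `findOneOrFail` already carries `user_id` and `executor_id`.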
diff --git a/bundle/package-lock.json b/bundle/package-lock.json index 573d40598c29a2dafcaf115e83fc172a85d6973d..5e358801897305541ac8b6c89ecdb7c57b160171 100644 GIT binary patch delta 13801 zcmaJ{XLwb`)_!KU*(dd+_mI#_fKUaIB4VQ@UKCJ)1QkRni3Kl;KokW(0wk~{3rI*p zC$t2D4%Gw;CA5f$AT2gPYA9Ys+P7wApAz-nKY4QYp0et@*37$Cebng0+Juru5f8j?#VrW6ayOdgLl+VP7rSY(kTIAvu{Pu{6tAj}J6LRyew{%2I4#CX z|2YT(XR1$G=L(NNz$I~y$w{j44i6Sk58cI-}VI;!i%k|;bqUK>%?REe1^UEG1;zwqI2}KW+=8*gh zX#mfz)H{@)TG5qQv*vNB1FVWAA>cft$3sP1qm?zR;x)^8g~HuW^kj%{XEcD)5?!~7 zw??ujwQS zk|gV!byq!Vr&dy^cgTpeqSpsN&ezIvp*udc&M!-VeoSv`eOETz%Mc^Em`>OqLqe^Z zt?`!c#^GF(^4yKDk~*dt*N6mLi#FLZN_(MpiEzM_Q=xCUKD^G9gP-U@aBDje*0i2v zb>9{?!g(p1EiMd{H9;pFS{n#0j_XkjjTKKUTA6Ass)*rITefw%>qc6&+lsAsK8&$) zm$Zgc`}G)bZov_@qg17n)z9=*u&p5m8Q&^!81aD~D|H9#tI+3op5s1CUEb%`Yyz_n7=h&pyW7ZsNmxQ5 z=YSDlCG4JOCG0JRQG4|T@cnSrzkJ=-ouzG@_Y%R`6BjCW<^0}}7jGDFuP5<`%me5d?qCeswpL*6AWYZs z_&N+K4|>IWdF`q zDEI~reWS<1XFiHyW&N0I4L!3_I0m&6i`M&AZ)tV^IS*RbGvZ;!w^BCCeqEmO8*U4qSU&rHl=MD= z@EpiFf=KCeMfXg_Cq7W~1o5$ae+{v6{u2*RUPaXAB?NVcqBD9Nw668Y=%r}tlOz}_ zbRxlpN501hXC6X(b$c2SD)&r0Ot>x!0k_*u*k+RDZZqzL$9#y#Wh}v$>~VX1Cpa4+ zxSmGGa9!o}cX}g?gpaaoOou;gY5!h27FD#x($TU``Do4_4I+bO6xtFmh6}xk69%2o z!=WUEOmam$*Jd&FxPvKzQNaT(j8~ecp)vqnJ@c-<%u9*%#zr(xh_ z%=cv9PS_qpT*2Ybu`Ud*5Tm19vMVoDshE0R>t^;PaWFgQ) zL?~qIMl#gwG!5vUPhw$85E&0*XjXkv=n5u(mfC<^5>d<28<8Z%{Q}YxNpHvuB?Yk1 z$Jpq3jtSDtO1d->D{TX)Y(awHbU*a%;O5dN3|;!7$DRWFu>6F>!YEPnGU| zmi*15*6g!$Avqdj!pwA79%B?q>tUnA5ak{Sa!c&oZ}`E)mPQGy9zci(JkV-= zpe)Srg+*P6A53m-1i*9Sv_u5^5zKEO*)DCtVG|oSCvR#(Ahn&5Y$Y%651B)V35A16 zo@?7kJ|GyTd_|pbXTOd^ouotFMm-p^8j*ObcuQMIX=jWDXMItboAMRHng1Cwkk>WJ ze=c`7e(+WYLt-J%u-d)xtmQD`OJMm?B^-vOkqwaDN{NLo>7-ih&yt6e5C!cQ3TgYP zAN=~bkp(R~YKeIlF_hc9giBwv)EMzAeIhZS;Rv!wWOr`7+7N0URhvR`A619$y^U0; zK1vO6zMw=wGEv(?nSz^&SvNR_gP;SMatYjJ0@|yg|I*yoZHj zRd3ZF?oYzJa>*jp;=9#@v}w4qa~lbSC#T_`V}p!%)?*3@msp85FyLSTMXXLUp7)mO zJ+fRF7qxEyxgFIA4ix^ZINg{@+@^9F_B~vA><47cUnLv!AsRdG3lalYhT=ivR3K$2 
z&uh`Rawyy^CdWBKvTKV;lnPNbcy~7~ER45$$z-Yy0l#n)d-qoxoCxuyR){wh0&J&gd!>=D2!FiiWD0^@n z$?y|6UD-_yf|^oN|I@9cM22bJHiVo*|4|-39OYfl z{rPwY+rNW+t-zzlTvAq5l2#6>laRVm6=|u;-^Kfg$+8X*Y>M0qWqm^qdX1iVguJbZ z)mZd#GD;D>BNUw=cc5P`ZgGVN`|gwEq{t9<@Dv&8BTRgJGvY?+X2dVVcAh#EYA35N zz@77ii9Q;7CCMLU=Tzyf1&Br7233h&szY$px`bRV7WL8Da!f zt4ect>nRe+{!dq&61wc?4cHY!!D`O)5&fJe1^wPvnG?jg|cleu#l7EwwmU{e&6^Ro9IvGIGVUV{Mcb@I*C6 zL&8k82RqYN*{(=q3S`BJ%8LL=)7v(IGyEgBtERrU>+*O%iz_as75S!LZ z`GD}y4QI)ZDVu%8nS=TLOR2*8IZX{?x1UyCAl#dYP}WOzK-Kq3I9oSR=}lzpWIn6- zLes&@JP{iA_o{)ccCgZpK)@dunZLGlVAP*i45%&9{8`3xO1>Ra$-__@ali?Tq$b=N zrreNX1g9%g3HTct_76{~e$YLd_JWF^5WNs9SIAx2$rlxifcml$%@&MMVik8*?}6E; zF=zIVQZ{LBFlKwkaxMGrMXarEsc7(ahO!ea?1j8+O{UUbxD52B6k+Dy&>xr1lr$cDe-s*f(3`60FRnNDpn4PAw%!fLgkpjy~2(!R%#t^&Z)#fY={!Z zeAg;Nv8zJx#=~nO6mL>Awz*unr0}R?hdxz$7<}DMY|swnTR)Mesa4AF(m!MODZ|2L zm|Xoq2`13&fEveI{iIasVq})T<_ArGRW6BN4^5>Ztj`7InCgybHu{RPR3J|Tbhu{Q z(3AKtT~~%cNN**4<(2D-bgU?-#dj2cXpv2eaNRJg=4=q$$);nhQ!8Zk6|WK4^5O0= zHJs)Ct~@K!7Ot*Pec{qbJPHKPAlZQ9BB5e7ohKl-`$lXybK2pNGwqWb(gJCrr|;W<0-}_c z70`%J)~nHqNETj$q0c78Rby2^I`xuR&#{i=>jH{v%tlFW@Q-rFb0YCv#2|MGjVx!D~3QMP-CPhsMRkOsE zLk!y&rp9^N1jrbRWl!`i70c)|vI1v4g2MVlV}1sja3V{P3`;?d+m=?h35fVsa!DE z&~xl^J=MN!7(BmD_F=VNCg8Z)tdax-jA4uv5?Iwm-RK2Gyj1c)X~|!NfupNh><*bda^2jW*yX3MpcFbc#bmkCO%0Sa zuKIW|8~YViu+<#Pvw%0IsK9>MQKA(U{B*1wX59 zQEWteUd7T?b5jk6FHh12vUIh+gn5e3+JH4w9RgeKsvTieI)?t}Q`EAu=Y_Ki!_;XG zI}CWuzW0i1vdU5FP?g_NcVZ*Ps2@oWM_#0n;8Wi|GUQ~c28e4%VsWCUkw)jLhL4W6bJWi?C>TvB~X_8fbD7| z^mv^nuqj`vb7c9ECxF!5s>X)zQr}TU&B0FKPgORA^$x0WXb65X+O7D&p8i@m6jr0= zv%W_7nmsy{^*gM7tHQeX(d?BkVKM4^RGniAjBMExuQ{=SNCeEUSD^R|`d)Mm<|8Iv zhrXpq^#8O*o$o3z@sRpEB1sYo30>~0P1vO$)C~?#Ee5Q`qglcwb%|*;iwWnRjj zH)QzF*r+;>_`7zHtZ7k@AAwv$`Yt1uT@BDar`*}Gd2eFnz7?)vjAG#wRcdmi2GTQK zqO_%cFf36Eh3c7_4j;X3#zXEFEGt=Ov6&jtSj!h^HToS?1mm|G9BQUH;Ny49x$ujn z%Af4{rdpQaL5{*Kb1<(K!=Y0v%^!Yht*sS?>MirVZb(t0q z37s^`BHL+K9MU80yJ{osexc$~ZJ+F_5&XYLCsYi?V@pndZG%Jw-XHfXFcYBq 
zc`cAFOw};MII!bYh68YzAN;b&{7$+F?;GQw;{a`*Y&x$E(D;QzD17p?RtMY@lZCHltz8bnP2Y(PuM1(q7SE;(oI= z^Pi<%P$ibc%+VSUSDeJL>2tMtn!vIipnb2oU%-@njE+$STtbc&sf)B<0)@#C^FmQ-&BlyD}V;QRfX__N2hX?WV;7a1(%Gi`x= zr*XJKdzttB0vF=gdzD&saNV-rtn4~yd)tEthDDC6t{E4r!Gx6jFCJMau}={IdNv0B80!k*u?EA|dI zwYMPUPjuDb7)N8ce@ANrt8Qs&ytD4aUwkUe-t4wEO87%+FK5h)am4c(xpMH3uduIk z-o-yfagJwM<~=PP0h-^A;qD>OZ5ke#qIA6%Pxx3!>4;*lF!b~CtOOI9I3l5c6Nf+C ztwD^d_R%%C?$9?2Kk%O`WQZ>G)jxwS-(m%ukg>{Y&1uhQZl5B^3T0pfeev zPY3FPon#SCJ>3+V=|_9ONhI0Whnl1K8{&y&@BQ$I)P@ z{6sgcp$nrRcadHKPZlDF<$6x@Hqv00RHWx&E!=3Ffb_jOwH6lm!Sgz6-boD z3^VQNiykIPZrbz?OdN{q)}Ge8{ST`2fZQENHF9&Ir^QTGy+%KR&8$leNZE?Ic+s40 zHQN7;<4lu#;|l&(;l`JQ#Q0AbL~THU>*|Xak4yjZ=x@Ad+Fu3$(g1a+&%X`8>uSz^ z&Jm_&=(2c4%H+1QRsCzAb$?qne7y|K>EbzUa|)|*g46Q-tR)wJii3b2Wv_0qbHrEyQ_+R&}-5X&geVGl5EA&s~=D5*f&-xyY6B*4uaA>E##>>Z? z`xMVnC}i-y&G;%ueW`^Y+}Xo6-4 zo|2&r8xn76jx|I|vZH5?i3)a2@nOAKno7uI6PA~xY2A;IrM&Z(jiwycYya}74mY{atrZ1KvS}V-65?0r zVUYT>j@RNghr1e1zKiKE#R6hDYO(nU?6+&Hx(YTDr*)E$IoNF2Z z$v^02u=XRoy2tGjE$0mfwEhV}Ci(gTw?6L2U$~8zXpOsxT>H-mmjWcvHV;FB%}y?M z%bDO_(2J;?ahfu#xnX-lv5ykOxy(6#wb$Q>%rv(~eK?b8 zLmS$o4`(u^LxBS$$1ssk_(eb?yjeNC_VxAZ;I8>#p7zIEBni7;y(+Eu(jYO~mlN+MBRL3am{XVzWBESInQKple9Mq{BR zGMuA00wjKHEc6PjB-((H{3(|LaJ)4a~t!5lo&M)%lib4S5~C!(0rdB zg)m-^a~5_P<*TtW!*~-f3VHeCzg^VU5lEv(Gq};1fZRrGEr`wJn|fnTY?irScoeP= zYk$MHE?U#uA>aBL#qPl702#(VL<)!V{>C1+=zX9Lr)k$l;ZP(ri{$+3MWzF8JB=DI z&$uW}I}n9akk4G`UYW!0qY{Az#FNOKOeeT1fvAG+WdUjy09*2XLkG>VR@4xx$6-&S06Z5yLNf&j*Zd({7AH5sy+ z__dO!qe1G@hDnh@NM6Fwj>ci={(!NG|Eb5ja~ZYlOef=H0K{B2g4wCZjrIf*pEOoW zs}=1-Volt?)L|!om&T}AfS(n)_{YmC6!_3k>#a4x(B*yX{MV%zkEzl&HQSNiL3VK* z1U_Q~LUT?+UVg{0Nyy%>6Fb|pvhWa$wBvj}Znf9kI^5$ILNqfYZeBJn=pq?8={XLHYN>-| zzGNhZ3-55gu>o9p8^5eN^Nvv{P=FOrG`1;_IE8<1#97BrCgFdAa1_rt*T`mN8SA`6 zf&(Am{V!6C6QFFSL1BIgo?Wnu4}phPlS!U9$1moP#GYzwlV;?>$fusGJAxq-`L&M_ z232Te>CR{tJI9zz3?GMMQj!l`n~e9vE)FschWud!!~Ge!uZx6qN-=Iv#_NKs+c7FR zyt&LF=}162G6>4%8NQ5tY)n&FKQO>_$Q>Mx`Ve15N+ENZL0NgRF+gGAOO0u|XCb5` 
z6XY(JRv8OfUWxIY$|kKd>MKxMYLrL?FC9gu2}#Jdu&K-d_WTB;F_ngQv5;TEvT`Gg z?GP{bUTyxn-$VB0@8dK+>P3}MPz?={w=!7-!YewA@h#%t|9W4sLuA~3Ms?c(hf zM3oRgKJht7J7jn@<=|!&VMev_rQ9a-Yva0%JieCI>TCeS9nfP~im7BMFzy_(6{TMr z{t)Y{%$GBeYJ86MJ8GazBGt#AH;^P=)($_N>UF^Y`S33OM`77@qX-7vz>hWjZW@}x z68>Xs(BX&M#tH^^jLAA{q|gB3WqsrZi`gZW;w>lE&0q+mjzGxhr%<-qpAJy?+98nO zq-Vu`EGdX~CGd7IUCBKZ%zB1U9|9-O;9cG`L0H+czBMD*qEI?ofyfBDOs;u4g6`(& z9m@7aQtU9ZcjDQQQ-BO9z!Jj#h@meMHad=;a!20IPIz}#-A@a$au3E@ndfwPVw5rr z3Qpot7yV+emI<_r$|f|Rz1?$OTS7zOQbU@}rZ=KPq?bA8_k$GOuNnPPhniNjkj-vQ zSK_q}DgZ7vuLc$kLM3wJv;cOf18q-y-4QzC4XE6Y%wAEp63YfXKx^GQlF2w_Mz&H0 z$(!+NzQu#o?j{8Ic5aOqW_77OSkZ;lGaPn-@(gR-i(a-14bptE z?5W3Sy2yrLK(eos1eVagbQy*G57j`Z{v7G^ngR4r-L)2Jf;hUXT$#ago}*=ir3|5= zI(uU{{mvoJ0AoheoviB^`l3_1=ks?duvaG0gPM%{*k2VqO}$UCknqBSMBiA2ZTXP4 zSK#h+T7;cF9l@IYA3aH+a5fE}mxBnN`kP`mxFV>NSNbv}@nS^M1hdYwXe@yPBaI{| z9K}Bfn2Y>c*=)Lm$9E{?gy08Yb-23QydEBat6!KVOqqjL<iTyb4V02 z&c4lCuRg$Qj{|B;v9`VXF`pZXxZa3Zt^2OK5^;%dk{V@cxa=ny=z=>w6EVp>QltwL3j`d1nQyDW0X>_bqH# zq8g6h4D`c*6qY!<9xWjNt)!G*mWYDV*~A~G%D{I6-S1i9(~WeMy`Xy+Kw>OXuIIN2 zV*qo<59&QkeSjq4#r@<@sEx!P6_Exz3pu@A4jI|ch_H%>>-eFVI#Ws^#wJfCO`t_5 zRPNvs8Um{}qbEe|N0Z7>^~eof;44O0f^BsX{iGS3HJqpTmzWc#z^e z`?!w}|3-s#JxD`kCGiM@Tv$)pWklEDwfE#bx-Y!a54r7$FQY+nPn&qAsHW+VG{#JX z>Yp%Ie*ZVcrl}h7^@FeR4>uRaN{x!Vk0ln;~Jz~qoW||6-4~w z*Jvk&CElc0R95c~`b0GQcd%I+;0n{Mx6LScCeiH6HYA!K`+87xTm~fmfp@2zVgjU? 
z(qtJ}TdF!CvX!}v?QdlcRJl2WS+BNcw93YHFw+${{eW2_!xy=vw^+T-=5uy_o{2^K zBB2z_504JEy^EP*i1~or(iVwrNG5G$Rgaiwo3YBVra|E7IJ4L#YhrgA%8E10oetPO z9uJsP-!^wi%tPwthA!=jLE4mnHr5Pdhu$+E!NlO8h&0SG)6ZQZGRKdF#9Mg9Ta$*` zjp?d=2x)E5DR*X?PZ?~eWsWqU!2+y$Tl;A%VEcNk>d2{kbyyw3ZfnW5Lt}z#| z!E4RKcCAB_WfOC5G{+dyIE9oc(dF4fD(-~`0`Zc1#X+@7_ zFIAc?3@F-Viku0?%RBRmEb1TZF{j!qA~VulhBE#a0a=HzujhRVYhP{N6U{_0d-@x5 zjS7L^nI&w`cjj?lsowWLqIHlGX#|yih+Nvw=6tsHXLFkaVv-#ZoEQ07=Bhap*;~$p z05T!8bLI_4hL)~!_OFQ9imQ%--HeB#XDxE)aJdr<}<$Rtm(LKhXeI> z4EBYLa7VdBsH{9J7?*$3s`3gEXj?`)GT`=LtaP78I(AB!D2Z}xhS#DUJ7hei#yDCM zm=){T!Uo1UPUtSY66cC|KxU#Jl#a(cRM$ZSLrup{v1AwCeBRUbXQf~T4ITeh_zgxd z)N|rT0F#?If;n$dEo)t`rVhI$^J(Uo2FHIunqQIyf3Btl|O3N+0%CPsc{`|CvJe AQUCw| delta 16619 zcmb7LcX(7q*MH{rO|r?RCxlc25h)3%^b&kk1Vv({NC^T0iV#I?wD6)LQWCk4BQ>Fu z&=!LXA|({1Ll97;V*#Z`1w~@QcV=dH@6CeW^L_ti@4Yi~&Y9ECFDF-~F8`>m`+Rh% z5tH>_IQ@zi3|SjUw3&ZYhrtuo*qP;|A(TB$;$it6H5dvfs*}y(b2OMUTysI6wNjj! zKWDqO4)UKNF{R_?J|M%Y=jC9?{hUO>v>noN^V}BQ)C$A!G0B4^&&w_-AE!B>@7E;Q zET65x$SLYPIQa_h%FlOgk2F`$bCjwJ(+JEP?j_5$eWD~}9v%MBu+J5O9M3BO^h3r5w)ZD!;*^JtfW#(+q;p}f}RB74r zT-zb+qq?Q2BVFq3aAa#td9D&!4xVMNTtsagupujcJL= zL_VgkU1Sl)c!8=}YGmn&wHX6`f0uDc3sq_8W<3RbBB=CnP3F?~yg z>}tgYy>7^PX3_2h*mqN2DE4BXn?d`R!VjDDSfSsUyFyI&?qKM0TkZ|9#e`c<3%+hk z8#%@N^1ygYrOd2@e~F7e@ulJ{eeO_8yS%dQB!O$4S__IkQ*+Qb`$Y&ISIZj>kf%9H{Z6q zBk$7EyvmT8I`#>;9wxD7@2cs-$>X_Z(!~h#_8~#giRylqj7qcabnxfHCxaJtbfO!- zMK5FdHFmD=gHsYI@*ct;FMyf2#;iIVVOCsDfC7csZkWlOtz7_zbS)AZxwTLzPbJB4 z>3d|BM@Q~DJ)RcEolu9PolOOIFbRN=lODHeZG(>jpuL04@}psO0GVg8NYTx{FIm5> z^^MQr9pA;;0;qOrA<*W04Zib_a#cKOW}VR(L4j~7lq{;LP=dL64y_i92`BcD!dP0h zs1fZOL587jkMzc7k3<&2m`6#7=~^qq_Sete%V+)-U2`NI6HQ*NdCeYCZiyvsKlaN4 zaQi=hLGrEKfDv$gZY)izP5hi1dmaawN#qgp+7=g#zN}`#$s|$;Ed#Yc$V@~&cv|AU z8WvhJ*cys!j@W7PoB_Gl)MnPb1$QKg(5jA~IJhuVp!~Y3;-~#!Y$`eG$3{XB-a_+w zxX?J3UTnzl+;FX(A);3`#p4j z0jzFBO8gGxYJ2W+;(+GqNDj6iqNI7!9>^^BOYt?SU^1sP2Tm7jGd7 zTw$a(=+!ln6;y7De)c{4ZF-{u#oVwe#H@Ti*~~ujGOT!lc!D-p2zJVv61JaQ%IeB>>F{iFLlOFvdo7eUCUP%XY<77tdP<+_iycn}%0pnx?@}PlH{^ceyQM=g 
z-N<{zZYQ?m=QqVrE>j-gM!M(T+0P6JwM;dp#~DVDllXBTRT z=iEqgAGk)MCmuSQL_ozlRKBtiWQ-t@Th*s+weDv6uvl=_mme3z;eyX=ZnDSD6H0*5 zkO=eEp+e_hK*n5SNeHd~HhEBxBv@(ON=|_EB0UA%X>u~G375nD#nAg*^jX|4QI3Fe z41==Yv3wazWDUwX6CGOLB!Tp)hqdtp%6btymAKXc&y6N4YLZ$X{xgQmW}7yEqEcKD z_cjTpiDSt-wb;W{C_IBgaDR%f%V)cE)+`bu!!cHsd8@S$NS}}FeLI&-gO}gcc!ukF z_FlF&?H(V`ftjpW^llJAFU}`!PYUMRu0g^gk`7xlWWziYqCxH|O^5mev>@2oU+ZS( z=LADVAs&d2=GwfFYkL@68i3*1_raFdZ%zrwe;crp^v>mCr zyp(D5_&Tyuf{5`#SP^FTs1WL=B+=n_5WP}H8p$;uM#85Pv?6oPThWkNOq$Z9ugDd} zc4pdMa5G~wiv4S;`Q#_M|R1+lbv+IAu?DJQe?#ilszio+6?x*Q`8nst=44&VwyQDI&bB^j)4E4PG<|B@zj+&S_e*=9!38B!Si z}UQ-L4@XryYHnu$T_h_t7jUknu0qN6Fq(~?%@D;C5A1pRYpW>w3~$ zn~&hnLeiwABIOvgMv0{d)1(^```rLm50w&V<^9r11-?73O`}~iqzlCV#3!0c^ZcIC z>ZZ~=8obvMt7VKZp>$$P>3veuO*mQkoD4-fND|cg0qu6qNh#WN?svkhAG9E|{%6TF ztc|oQKo~C*488i8wAZ5^Q?8-Hx;M(91yd!1CUlmtnBl6+RlNNK@&Fz7gw&Z>b^r&T zL@9Fx;Zh#+oAv?>CwR{pKcVZuw}DXmDQUTN-ppQ(NEUoCU9MD|>$^&G{Or^TYo9^h zd8dl+dGV$e2gAopu>~!qBv}8fw9JoZI^sEL0#}bz8t{TtWuuSAcb81!YalqGsHddT zeLbW&$#!8F#8RM6FT613zv<~-(mKUvvn-O+J^h%lEkhpMU)tf*0}(aolmXI%c9R{d z>i02CYXOOaq#(!~ES1`J;M+DBBGu7tZs*WPQZNk6k!IV-<33?rzT~9YuS>U8o4AL) zE%k>TC#4uD{$75S=DZ_?dV+Icp%e)f6(qLctdvTRyesV{K5A=II!Yq4uYVE;uI;h{ z6(7h6^yXM;ZjEe&Wh~{<`c8^B5N;O$Qq`WG`mdxJ0SyBj4oAv>fp2w%r!(bLdh26J zv&n&mO_Ppm7TL6VhE(AYl1O`3iKj^H8@k0XHbRr>7fYoI$wzV=-B~PUTFufHw2fOj z79_k{-ObWp{wmRQi_|B|rbL&!>kmTyADE3XwS&t?rF|Cv^zbohzbZCcQ7H$(us(Vq z>^>=-7YecYlyq6PXyHar&z+MNS+NKW?8h2TAnPaTD}TYj(2FDvst4$gK$kwUlfuu^ z40|%gQ^vEupa;&mDB04Mse|;PEY$|@2g_~3ob#)M!NW4aq6IoS(vMXIhCi+uH1V?3 z!c)$0Ys#9AdH=~*bZ(|CfS(q86&2IkfpwXEFJke9f1lZDdpqnp8f%SwFonH!z=cw* z@Nz1oF}7QXAEtMJOqpfgEIZEq4fULbBbM~)aIgw>w()SiIm=8@Ut&<>>)(+Yqlj*y z`Q#4QXIMp?mCRDOAz?#}hYjx0lJ1ua31r;F?EPp1*-o7=x`Hc?W#a6Uo43$|amVcb zTiWR%hh@PzZ|iNq-BN2p6DuXtUYam!DN@@?=AWCM6unZmvAQ)%j)t3~^}di1Ef0l6 zO`dPPo%yC73P;zu~mm@J7vx6J**b6Q)p$J zoMbsS&gWCmyf)5E^5f-cej=qPQcNY#6Fd!>x*P{zB+9m`-X@ibIw+OgbS()EhRYGO zJV|!e5OH0(6H}48G&@CpLbkd$6t&|?rKUPQZI3p7O1QOw90{&QvZaLg!5{3WcUF^D 
z(2wYJYh$^tJ)vSc7my*x@+vWvHh)mY@s6-1Z;?syVn4L4;mlDiKQ~)y5ocwb!Y1Bs zi5BDAhhmAf*V;mmlG;XY%g;*14!aYU#3&6ZGUc$vT{zGVx3NreYJ5$6|C=!{=HwuS&fxCb~-3u^^4n( z@vR&}#~hMxIe6woF>`V{VBNb)0!;e{9m1@>SPS7t=m^u4pCR#xT$}d%Nlu9I|Hge2 zzrLzs?S<)fZMe|RNTfMc@*-WR5RY(WnxfJyRlyK!)ePP@;CGwAzJ|Jw8U4&n^_=va zu4Dw+n8DIRh58Z7-$E*3)8Wyr4AGgF&?I89#CGss~Syjt2m&4Yo*vConm8k zqvb`Sv5v$#=4m~c%Iy?vn)%Ed@WV*hG{X3f_vcW3E6cAawdjENl{Cd#2-hcKwYKLY#nZdy-A!KOvKMsOB;{-fzXui# z=(1S~A-;Z=lWv)<92IR2Hs@90`gWs@Xue{GJOo}}sw@!f@x9Ox zqRjH^Cplrq3T2Q_YAxtXE0u72D&+1r z`Y?uF0%mdI681kDbyn_!?9)mDb(Shv`f*3bh@{v9ewo0*lNiEc*DId~Sm8>vfigFt zezn=Atgz_?_I;9Ro$bmeR-MxV%Dz<;TCqoIE5YdVQW|uA#|VaqAxa8+qtj9QmBHa+ z53bi0XO$GIHjAf?&MO;;h!TJQpj;DSfNLs#`4(jVtQcTiHQYXBYr&qaXG7FfdjADw zu+R=}W&Go>t{cm3AJ6|qPJ*JDQWCxOi}HmgR0}1*`*X4I-k-)ZP&gT*Hzv*syilPW zw>ddh|ITs`GD>h)^`~+~=;P(T zl%19}fYt=v#qnDT^*6RDv#~S0yV@8hgu*MI9(Rl^$O9}saOXs5@RSs@zEVNt3d+7N zVEgHVnHg#@&6ZV6*J|KuoOG9}=HK=3HA8*WX=9n&#M~$xXe8~!bix&-wtJnOUk55m zRSp8$?nV3ruqJK*Jou41-}i+ET_dzGg#7$K;OxihIv91-s0Z#R^->sd)Chw^N3d_z z`vkW2ug}8mHa3C1}$c&+r_5m&ZD>(9LS7Xc?)v)8Bu^0 z>iqwe_h35=$YQ+_Bg}>4QWJU~H^hk?31psF+m(?P&3-Lq24#~%O-zvOg%=cLI{=YB zK2(tXu?-fKTyPmN5;-T-5C#dlO?;x`GT+5=rdkkZqP)+36DNkI>K3yT=03l!DA4-XS{0M#+V?DK6r z%xg)SfvXh5_3$>>i&)bJ;V0eoQJHnlFqx8r~i zVR^5e>sOPS2C#XHy3e3mJai%FwjoApemevr^sWjw%Zd}t zSAVi}^#NdzA9nm+-}Sd*n%Hpq#SVhA;XBkt;?#Rc_utSz!hF%)91ypVq~Oda_iJ=w zyf!@eDoz}5yKzw7fmqldu9exl)pO!J{Hx>LP#?Z^GK|=(9u$Jj{#JclAbYs$%i6DA z7rfy56xg#3fo%MgS8p!xNi-R9%F){Hh3P?m#;D_mdyzfd8u^-IzO6fg9l+zEitk$Z zjk-j*DZYshxWgR;dvq`4PO><$@R+*V!~M7FWgml`;IxF3P`*R?@9GoxM&u*|fA=py zoI1?6QS@z{Jf_Y+w%|6_=3c0c?-rX-^vxQ9eI+>MDgOndL~AE07SiOqaL^48GyJE8 zwPDXF-gEeUM2&4f7(zIs!5)HW>aU^}#fv2^K#2GkZYY+-@QGF6z0XR^s z0jcrEJAtVI#ME%h_w3O*hVaInM>HH*V=-C-RKw&`kCy$aiVj7c^_Nu~D*Ixm4(E#R)Ng_tRad$K=jDSf)%=h{`RPr9L3(I zz=}_inBgy?3(M+-88KIXgpu4w>-W}h9O1>11j4Sq+8kDK$FaYhPy;-|-#Q_w9|B6e z;1L(y(odUbW9Q$1BNTxnSj<~Gjs->#1B-kqgvsmxwhYuR`hS98kTA%fsOj{_m$eN6 
zjQ09)CPzyIgoSKm@i7bv-_Z8^6x{`*Mrcdfu3Reh`C|6W0qJAWlUI}?xByKwjmbfR`gn3{jK+>SgByF}u07a~a2jM|? zP1R!U7=T~%&}NXf6hKJFVV@iwbmS*mye@9*#HR?faeu0PC4sz9F#aR+XFx~T3DACL_8$u|8FdEt} z5nUjnpZ>;l?#ycK3y;TlYZ(k|@uN7T+^zlQ+f=&?Mu8(?&Lo3MP=rc68zvlz9)pwd zt$$!?)-4(JYuIk>tRIumZ;u9C4m4mdx((49E;+0f_|((^oxVXSu1S-udc#3~|3<5{ zb#>^UN44duB_UXL0zHFQZykULhz0c8N$sctIW2J`#6oa)=z#q#rCyMBUMsc^q~D*{ z>IE>>Oo8eEJ%lD*(Rxbawh-xX(T@i@@w$c;0S6axR0FD862+#qryQYke%A`@J%Cm> z(d_u{h)~$&zuWddwMRX7iNlVkVe3rIK}X!u5Hin>pvV8#dJ13yZC$AyC2;OVWC-Q& zVJN0bTP!4cuuAJ7TSA~QMDJk7i#(^wp)k9@^a<1&uZ2@x)}Iyn28cg6?@w1hP2XuB zH#82?XIe6YX|JP%UvuhJGSi?GIyzLx78-UU!r<`}qz?TdOn=bBL1Kj7K;k0<`fQXw z(BmhVB8#Y!7>~X0tI>K7;zt9tjn`2{CP*`2-)m|Z)oba4G{4?+G<`csf8Jv^XHxXh z+B4Pl*eGC`=vPlo8lY8i2DZ(CBR?2}4BJjD`0?`5C zP&v?W(5L(A*gE1Ggy?`0?&s*Bmvn4#^M_~q>jjYhQ;mBbJ3#Ms7w8cwP2maowx<*6E39mFV z8pG%^Edq*0lRo}YckpZaA|VbO-T%P&<*rJF{Z*JZ;H+M>C%F4!x87O!iNaaBXyMTI zuj|{b`*%X{2z-DA;(OT$z0kHlCI@vP1INo0C(EO_9*C1Eo}9(AE59UUvxLA? zoTNQCTIV@SO2H{Dn&Jc=69aCguCcnO0l;yJkoXmJpX=bke zjxAZC<>U20E9N>Na{?aq>jYioEk6EvE~Qf(rdQcqGi)irob+EN<{8++{Tit#d<%E{ z>mz-E(5jM2`c-~`oDD<@8}~YGVZ-0E3@M>bo_rqw*Bd;C}dQZ z+E5X%2S9`i;jkaqmWAgKJhjc!=dg1{NCK2nW15(+BPhsv$dksJ^KroWI3j!G(k5 z)--v)o@awp(=QI`?Q4m6L@wz|gT)c45lR$nTqr*y+<4sI`s6?nf!8Pow*4-!p*2HP z( z!Q8n9y;oI82hB4k@bgpPpGC&c{_?oF*r=A6j-^t4xlwG@H4gY<1!|u!J;wQ`Q64A+ z`zl3`v}%@8cV<2gkw4gAe9C9CwB8rSXP(rjNOJIT>`%hEvC%8w=rx_T*l8#>i=&Tz zZD7`FO~gueVV|9O0~)d0FhtQn8}Bnzf8~RY`wif?L@V|iuL@;h4bV`hern zeXI);1NxMFPcJFDQTu|XK#wyVZEUwb(Wa6*~`YkKRBg6sI)Vt?l~9LrT) zRPu!(zg1y;!xc)@^AyLTvcDkcCx01ldrA-QAk@i#=sWy~f#^zOvCvK&gnr09AmI2j z89w~SD6|pLxC*^E_b}cWXfUYN#$21SmQ))Y` Date: Fri, 4 Feb 2022 09:36:52 +0300 Subject: [PATCH 08/12] attempt to fix self-bans From 7271ca57831677ed4eed7e4fb200f27e876ee59f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 22:45:53 +0300 Subject: [PATCH 09/12] some important changes --- api/src/routes/guilds/#guild_id/bans.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index cc1dbda3..3b943476 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -39,7 +39,7 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // pretend self-bans don't exist to prevent victim chasing @@ -55,12 +55,12 @@ router.put("/:user_id", route({ body: "BanCreateSchema", permission: "BAN_MEMBER const { guild_id } = req.params; const banned_user_id = req.params.user_id; - const banned_user = await User.getPublicUser(banned_user_id); - if ( (req.user_id === banned_user_id) && (banned_user_id === req.permission!.cache.guild?.owner_id)) throw new HTTPError("You are the guild owner, hence can't ban yourself", 403); if (req.permission!.cache.guild?.owner_id === banned_user_id) throw new HTTPError("You can't ban the owner", 400); + + const banned_user = await User.getPublicUser(banned_user_id); const ban = new Ban({ user_id: banned_user_id, @@ -121,7 +121,7 @@ router.put("/@me", route({ body: "BanCreateSchema"}), async (req: Request, res: router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: Response) => { const { guild_id, user_id } = req.params; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanCreateSchema; + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing From add6b822a5c7e770db32ccde48aea88ef3144c59 Mon Sep 17 00:00:00 2001 
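Review bot: Moving `User.getPublicUser` after the owner checks in the @@ -55 hunk is right (no lookup for requests that will be rejected), but the handler now lets any non-owner with BAN_MEMBERS pass their own id through `/:user_id`. If the `new Ban({` constructor below (outside the hunk) sets `executor_id: req.user_id`, that record is indistinguishable from a `/@me` self-ban, so the delete route will refuse to ever lift it and the views will hide it — an accidental self-ban by a moderator becomes permanent with no recovery path. Consider keeping the moderator route explicit: `if (req.user_id === banned_user_id) throw new HTTPError("Use PUT /bans/@me to ban yourself", 400);` so only the dedicated route produces an irreversible ban.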
From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 23:07:43 +0300 Subject: [PATCH 10/12] ban moderator schema change --- api/src/routes/guilds/#guild_id/bans.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 3b943476..8c0bdee6 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -126,6 +126,7 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing + const banned_user = await User.getPublicUser(banned_user_id); await Promise.all([ Ban.delete({ From 2f30f5b100ef82872d1d7c4b59d5fbf8fe202d4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 23:08:34 +0300 Subject: [PATCH 11/12] ban moderator schema actually change --- api/src/routes/guilds/#guild_id/bans.ts | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 8c0bdee6..4c5ba48f 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -17,6 +17,14 @@ export interface BanRegistrySchema { reason?: string | undefined; }; +export interface BanModeratorSchema { + id: string; + user_id: string; + guild_id: string; + executor_id: string; + reason?: string | undefined; +}; + const router: Router = Router(); /* TODO: Deleting the secrets is just a temporary go-around. Views should be implemented for both safety and better handling. */ 
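Review bot: `BanModeratorSchema` in the @@ -17 hunk restates every field of `BanRegistrySchema` except `ip`, so the two interfaces will drift the next time a column is added. Derive it instead: `export type BanModeratorSchema = Omit<BanRegistrySchema, "ip">;`, and add a one-line comment that this is the shape returned to BAN_MEMBERS holders with the banned user's IP removed.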
@@ -39,12 +47,14 @@ router.get("/:user", route({ permission: "BAN_MEMBERS" }), async (req: Request, const { guild_id } = req.params; const user_id = req.params.ban; - let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }); + let ban = await Ban.findOneOrFail({ guild_id: guild_id, user_id: user_id }) as BanRegistrySchema; if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // pretend self-bans don't exist to prevent victim chasing /* Filter secret from registry. */ + + ban = ban as BanModeratorSchema; delete ban.ip @@ -126,7 +136,7 @@ router.delete("/:user_id", route({ permission: "BAN_MEMBERS" }), async (req: Req if (ban.user_id === ban.executor_id) throw DiscordApiErrors.UNKNOWN_BAN; // make self-bans irreversible and hide them from view to avoid victim chasing - const banned_user = await User.getPublicUser(banned_user_id); + const banned_user = await User.getPublicUser(user_id); await Promise.all([ Ban.delete({ From e73d1954b8badaaa412adf5ac89800f9687d483c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkin=20Alp=20G=C3=BCney?= Date: Fri, 4 Feb 2022 23:36:42 +0300 Subject: [PATCH 12/12] pretend self-bans don't exist in the views too --- api/src/routes/guilds/#guild_id/bans.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/api/src/routes/guilds/#guild_id/bans.ts b/api/src/routes/guilds/#guild_id/bans.ts index 4c5ba48f..7ccf34d7 100644 --- a/api/src/routes/guilds/#guild_id/bans.ts +++ b/api/src/routes/guilds/#guild_id/bans.ts @@ -35,11 +35,14 @@ router.get("/", route({ permission: "BAN_MEMBERS" }), async (req: Request, res: let bans = await Ban.find({ guild_id: guild_id }); /* Filter secret from database registry.*/ + + bans.filter(ban => ban.user_id !== ban.executor_id); + // pretend self-bans don't exist to prevent victim chasing bans.forEach((registry: BanRegistrySchema) => { delete registry.ip; }); - + return res.json(bans); });
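Review bot: In the @@ -47 hunk `ban = ban as BanModeratorSchema;` only changes the static type; the `ip` property is still on the object until the `delete ban.ip` that follows, and `delete` on a non-optional property is likely rejected under `strict`. A positive projection is both type-safe and harder to get wrong than deleting known secrets from an entity: `const { ip, ...view } = ban;` and return `view` (how the handler returns the row is outside the hunk). Better still, ask the ORM for only the moderator-visible columns so the IP never leaves the database on this route.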
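Review bot: In the @@ -35 hunk `bans.filter(ban => ban.user_id !== ban.executor_id);` discards its result — `Array.prototype.filter` returns a new array and does not mutate `bans` — so self-bans are still returned by the list route and the comment beneath the line does not hold. Assign it back: `bans = bans.filter((ban) => ban.user_id !== ban.executor_id);` (the variable is already declared with `let`). Without that assignment the only effective change in this hunk is the whitespace on the blank line before `return`.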