From 6e04c92f0792f893bbe12b778751432bdfd76580 Mon Sep 17 00:00:00 2001
From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Date: Thu, 2 Feb 2023 22:26:22 +1100
Subject: [PATCH] Merge pull request from GHSA-9qvc-84ch-5p2x

* Check permissions and rights

* Prevent editing message type unless MANAGE_MESSAGES right. Also don't send sensitive data in patch response.
---
 .../#channel_id/messages/#message_id/index.ts | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/api/routes/channels/#channel_id/messages/#message_id/index.ts b/src/api/routes/channels/#channel_id/messages/#message_id/index.ts
index 9ea33340..95230478 100644
--- a/src/api/routes/channels/#channel_id/messages/#message_id/index.ts
+++ b/src/api/routes/channels/#channel_id/messages/#message_id/index.ts
@@ -81,6 +81,10 @@ router.patch(
 			}
 		} else rights.hasThrow("SELF_EDIT_MESSAGES");
 
+		// The permision should obviously not allow editing the message type
+		// But for people with the right, does this make sense?
+		if (body.type) rights.hasThrow("MANAGE_MESSAGES");
+
 		const new_message = await handleMessage({
 			...message,
 			// TODO: should message_reference be overridable?
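Review bot: The new guard `if (body.type) rights.hasThrow("MANAGE_MESSAGES");` only fires on a truthy value, so a request carrying `type: 0` skips the right check entirely while the field still travels into the handleMessage call below; if body is merged into the stored message there (the call is cut off by the hunk), the message type is rewritten without the MANAGE_MESSAGES right. Testing for presence rather than truthiness closes that gap: `if (body.type !== undefined) rights.hasThrow("MANAGE_MESSAGES");`. The new comment's "permision" should read "permission". The enclosing router.patch handler starts before and continues past this hunk.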
@@ -105,7 +109,28 @@ router.patch(
 
 		postHandleMessage(new_message);
 
-		return res.json(new_message);
+		// TODO: a DTO?
+		return res.json({
+			id: new_message.id,
+			type: new_message.type,
+			content: new_message.content,
+			channel_id: new_message.channel_id,
+			author: new_message.author?.toPublicUser(),
+			attachments: new_message.attachments,
+			embeds: new_message.embeds,
+			mentions: new_message.embeds,
+			mention_roles: new_message.mention_roles,
+			mention_everyone: new_message.mention_everyone,
+			pinned: new_message.pinned,
+			tts: new_message.tts,
+			timestamp: new_message.timestamp,
+			edited_timestamp: new_message.edited_timestamp,
+			flags: new_message.flags,
+			components: new_message.components,
+
+			// these are not in the Discord.com response
+			mention_channels: new_message.mention_channels,
+		});
 	},
 );
 
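Review bot: `mentions: new_message.embeds` in the new response object is a copy-paste slip: the mentions field is populated with the embeds array, so clients never receive the message's actual mentions; it should read `mentions: new_message.mentions,`. If mentions holds user entities the way author does, each needs the same public projection the commit applies with `author?.toPublicUser()`, otherwise the response re-exposes the fields this change set out to strip — I cannot confirm the entity type from the hunk, so that needs checking against the Message model. The enclosing router.patch handler starts before this hunk.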