From 10a702f732611c7f29099e91631ef5bf256e9768 Mon Sep 17 00:00:00 2001 From: hobokenchicken Date: Thu, 2 Jul 2026 09:15:18 -0400 Subject: [PATCH] fix: server owner can now update channel settings Channel Update handler required MANAGE_CHANNELS role permission. Server owner was getting 'forbidden' because their roles didn't include that bit. Added owner bypass (same pattern as Delete). --- internal/channel/handlers.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/internal/channel/handlers.go b/internal/channel/handlers.go index d8d5644..b870056 100644 --- a/internal/channel/handlers.go +++ b/internal/channel/handlers.go @@ -348,14 +348,23 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) { return } - allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS) + // Server owner bypasses permission check + var ownerID string + err = h.db.QueryRowContext(r.Context(), `SELECT owner_id FROM servers WHERE id = $1`, serverID).Scan(&ownerID) if err != nil { http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError) return } - if !allowed { - http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden) - return + if ownerID != userID { + allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS) + if err != nil { + http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError) + return + } + if !allowed { + http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden) + return + } } var ch channelResponse