fix: server owner can now update channel settings
Channel Update handler required MANAGE_CHANNELS role permission. Server owner was getting 'forbidden' because their roles didn't include that bit. Added owner bypass (same pattern as Delete).
This commit is contained in:
@@ -348,6 +348,14 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Server owner bypasses permission check
|
||||||
|
var ownerID string
|
||||||
|
err = h.db.QueryRowContext(r.Context(), `SELECT owner_id FROM servers WHERE id = $1`, serverID).Scan(&ownerID)
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ownerID != userID {
|
||||||
allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS)
|
allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError)
|
http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError)
|
||||||
@@ -357,6 +365,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
|
|||||||
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var ch channelResponse
|
var ch channelResponse
|
||||||
err = h.db.QueryRowContext(r.Context(), `
|
err = h.db.QueryRowContext(r.Context(), `
|
||||||
|
|||||||
Reference in New Issue
Block a user