fix: server owner can now update channel settings

Channel Update handler required MANAGE_CHANNELS role permission.
Server owner was getting 'forbidden' because their roles didn't
include that bit. Added owner bypass (same pattern as Delete).
This commit is contained in:
2026-07-02 09:15:18 -04:00
parent af961d805e
commit 10a702f732
+9
View File
@@ -348,6 +348,14 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
return return
} }
// Server owner bypasses permission check
var ownerID string
err = h.db.QueryRowContext(r.Context(), `SELECT owner_id FROM servers WHERE id = $1`, serverID).Scan(&ownerID)
if err != nil {
http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError)
return
}
if ownerID != userID {
allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS) allowed, err := h.checker.CheckPermission(r.Context(), serverID, userID, permissions.MANAGE_CHANNELS)
if err != nil { if err != nil {
http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError) http.Error(w, `{"error":"server error"}`, http.StatusInternalServerError)
@@ -357,6 +365,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden) http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return return
} }
}
var ch channelResponse var ch channelResponse
err = h.db.QueryRowContext(r.Context(), ` err = h.db.QueryRowContext(r.Context(), `