fix: wire permission checks into message/channel handlers

- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions)
- Refactor requireChannelAccess to accept required permission bitmap
- Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL
- BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES
- Channel handler List filters out channels user cannot view
- Remove dead checkPermission method from message handler
- Fix frontend avatar upload: parse response URL, call updateProfile
This commit is contained in:
2026-06-30 13:47:08 -04:00
parent cc8ebc1f8a
commit 215f931311
7 changed files with 112 additions and 57 deletions
+13 -1
View File
@@ -211,8 +211,20 @@ func (h *Handler) List(w http.ResponseWriter, r *http.Request) {
return
}
// Filter out channels the user doesn't have VIEW_CHANNEL permission for.
filtered := make([]channelResponse, 0, len(channels))
for _, ch := range channels {
allowed, checkErr := h.checker.CheckChannelPermission(r.Context(), serverID, userID, ch.ID, permissions.VIEW_CHANNEL)
if checkErr != nil {
continue
}
if allowed {
filtered = append(filtered, ch)
}
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(channels)
json.NewEncoder(w).Encode(filtered)
}
// @Summary Get a channel