From ef4894e40955771e400fc2a9eb19c6ef437ede66 Mon Sep 17 00:00:00 2001
From: rainbownapkin
Date: Mon, 2 Dec 2024 19:50:26 -0500
Subject: [PATCH] Added rankfighting to ban.
---
 src/controllers/api/admin/banController.js | 10 ++++++++
 .../api/admin/changeRankController.js | 14 +++++------
 src/controllers/api/channel/banController.js | 23 +++++++++++++++++--
 src/schemas/channel/channelSchema.js | 2 +-
 src/schemas/permissionSchema.js | 2 +-
 src/schemas/userSchema.js | 2 +-
 6 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/src/controllers/api/admin/banController.js b/src/controllers/api/admin/banController.js
index 3960fa0..f0880e2 100644
--- a/src/controllers/api/admin/banController.js
+++ b/src/controllers/api/admin/banController.js
@@ -19,6 +19,7 @@ const {validationResult, matchedData} = require('express-validator');
 //local imports
 const banModel = require('../../../schemas/userBanSchema');
+const permissionModel = require('../../../schemas/permissionSchema');
 const {userModel} = require('../../../schemas/userSchema');
 const {exceptionHandler} = require('../../../utils/loggerUtils');
@@ -43,8 +44,17 @@ module.exports.post = async function(req, res){
 const userDB = await userModel.findOne({user});
 if(userDB == null){
+ //If the user is null, scream and shout
 res.status(400);
 return res.send({errors:[{type: "Bad Query", msg: "User not found.", date: new Date()}]});
+ }else if(userDB.user == req.session.user.user){
+ //If some smart-ass is trying self-privelege escalation
+ res.status(401);
+ return res.send({errors:[{type: "Unauthorized", msg: "Keep it up, maybe I will ban you!", date: new Date()}]});
+ }else if(permissionModel.rankToNum(userDB.rank) >= permissionModel.rankToNum(req.session.user.rank)){
+ //If the user is below the original rank of the user they're setting, scream and shout
+ res.status(401);
+ return res.send({errors:[{type: "Unauthorized", msg: "You cannot ban peer/outranking users.", date: new Date()}]});
 }
 await banModel.banByUserDoc(userDB, permanent, expirationDays);
diff --git a/src/controllers/api/admin/changeRankController.js b/src/controllers/api/admin/changeRankController.js
index d509be1..cf51d84 100644
--- a/src/controllers/api/admin/changeRankController.js
+++ b/src/controllers/api/admin/changeRankController.js
@@ -32,13 +32,13 @@ module.exports.post = async function(req, res){
 if(validResult.isEmpty()){
 //get validated/sanatized data and use it to find our user from the Database.
 const data = matchedData(req);
- const user = await userModel.findOne({user: data.user});
+ const userDB = await userModel.findOne({user: data.user});
- if(user == null){
+ if(userDB == null){
 //If the user is null, scream and shout
 res.status(400);
 res.send({errors:[{type: "Bad Query", msg: "User not found.", date: new Date()}]});
- }else if(user.user == req.session.user.user){
+ }else if(userDB.user == req.session.user.user){
 //If some smart-ass is trying self-privelege escalation
 res.status(401);
 return res.send({errors:[{type: "Unauthorized", msg: "No, you can't change your own rank. Fuck off.", date: new Date()}]});
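Review bot: The rank gate in the last added `else if` compares the target's rank read fresh from the DB against `req.session.user.rank`, a copy taken at login; unless the session is refreshed when changeRankController demotes someone (not visible in this patch), a demoted admin keeps banning at the old rank until they log out. The channel banController hunk in this same commit already re-reads the initiator with `const initiatorDB = await userModel.findOne({user: req.session.user.user});` — doing the same here and comparing against `initiatorDB.rank` makes both paths consistent. Separately, these checks run on an already-authenticated session user, so the privilege refusals are 403 Forbidden rather than 401 Unauthorized; the same status is reused in the changeRankController, channel banController, channelSchema and permissionSchema hunks. The enclosing `module.exports.post` starts before this hunk and continues after it.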
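Review bot: The `if(userDB == null)` branch near the top of the changeRankController hunk sends the 400 but does not `return`, unlike every other branch of the chain, so execution continues past the chain to `userDB.rank = data.rank` in the next hunk and dereferences null after a response has already been sent. Change that line to `return res.send({errors:[{type: "Bad Query", msg: "User not found.", date: new Date()}]});`. The enclosing `module.exports.post` starts before this hunk and ends after the following one.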
@@ -46,17 +46,17 @@ module.exports.post = async function(req, res){
 //If the user is below the new rank of the user they're setting, scream and shout
 res.status(401);
 return res.send({errors:[{type: "Unauthorized", msg: "New rank must be below that of the user changing it.", date: new Date()}]});
- }else if(permissionModel.rankToNum(user.rank) >= permissionModel.rankToNum(req.session.user.rank)){
+ }else if(permissionModel.rankToNum(userDB.rank) >= permissionModel.rankToNum(req.session.user.rank)){
 //If the user is below the original rank of the user they're setting, scream and shout
 res.status(401);
 return res.send({errors:[{type: "Unauthorized", msg: "You cannot promote/demote peer/outranking users.", date: new Date()}]});
 }
- user.rank = data.rank;
- await user.save();
+ userDB.rank = data.rank;
+ await userDB.save();
 res.status(200);
- return res.send({user: user.user, id: user.id, rank: user.rank});
+ return res.send({user: userDB.user, id: userDB.id, rank: userDB.rank});
 }else{
 res.status(400);
 res.send({errors: validResult.array()})
diff --git a/src/controllers/api/channel/banController.js b/src/controllers/api/channel/banController.js
index 106c58e..49a2245 100644
--- a/src/controllers/api/channel/banController.js
+++ b/src/controllers/api/channel/banController.js
@@ -21,6 +21,7 @@ const {validationResult, matchedData} = require('express-validator');
 const {exceptionHandler} = require('../../../utils/loggerUtils.js');
 const {userModel} = require('../../../schemas/userSchema.js');
 const channelModel = require('../../../schemas/channel/channelSchema');
+const permissionModel = require('../../../schemas/permissionSchema.js')
 //api account functions
 module.exports.get = async function(req, res){
@@ -55,10 +56,28 @@ module.exports.post = async function(req, res){
 if(validResult.isEmpty()){
 //Set channel object from sanatized/validated data, and get user document from session data
 const {chanName, user, expirationDays, banAlts} = matchedData(req);
- const userDB = await userModel.findOne({user});
+ const initiatorDB = await userModel.findOne({user: req.session.user.user});
+ const targetDB = await userModel.findOne({user});
 const chanDB = await channelModel.findOne({name: chanName});
- await chanDB.banByUserDoc(userDB, expirationDays, banAlts);
+ const initiatorRank = await chanDB.getChannelRankByUserDoc(initiatorDB);
+ const targetRank = await chanDB.getChannelRankByUserDoc(targetDB);
+
+ if(targetDB == null){
+ //If the user is null, scream and shout
+ res.status(400);
+ return res.send({errors:[{type: "Bad Query", msg: "User not found.", date: new Date()}]});
+ }else if(targetDB.user == req.session.user.user){
+ //If some smart-ass is trying to self-ban
+ res.status(401);
+ return res.send({errors:[{type: "Unauthorized", msg: "Keep it up, maybe I will ban you!", date: new Date()}]});
+ }else if(permissionModel.rankToNum(targetRank) >= permissionModel.rankToNum(initiatorRank)){
+ //If the user is trying to ban a peer/outranking user
+ res.status(401);
+ return res.send({errors:[{type: "Unauthorized", msg: "You cannot ban peer/outranking users.", date: new Date()}]});
+ }
+
+ await chanDB.banByUserDoc(targetDB, expirationDays, banAlts);
 res.status(200);
 return res.send(await chanDB.getChanBans());
diff --git a/src/schemas/channel/channelSchema.js b/src/schemas/channel/channelSchema.js
index 4b21de3..244189b 100644
--- a/src/schemas/channel/channelSchema.js
+++ b/src/schemas/channel/channelSchema.js
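Review bot: `getChannelRankByUserDoc(targetDB)` is awaited before the `targetDB == null` check, so for an unknown user the method receives `null` ahead of the 400 branch; unless it tolerates a null document (not visible here), the "User not found." response is unreachable and the request instead fails through the exception path. Move the `if(targetDB == null)` branch above the two `getChannelRankByUserDoc` calls, or compute `targetRank` only after the null and self-ban branches have returned. `chanDB` is likewise used without a null check; if `reqPermCheck` (see the channelSchema hunk) already guarantees the channel exists that is fine, otherwise an unknown `chanName` produces the same failure mode. The enclosing `module.exports.post` starts before this hunk and ends after it.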
@@ -220,7 +220,7 @@ channelSchema.statics.reqPermCheck = function(perm, chanField = "chanName"){
 }else{
 //If not, prevent the request from going through and tell them why
 res.status(401);
- return res.send({error:`You do not have a high enough rank to access this resource.`});
+ return res.send({errors:[{type: "Unauthorized", msg: "You do not have a high enough rank to access this resource.", date: new Date()}]});
 }
 });
 });
diff --git a/src/schemas/permissionSchema.js b/src/schemas/permissionSchema.js
index 7cc25da..95958ba 100644
--- a/src/schemas/permissionSchema.js
+++ b/src/schemas/permissionSchema.js
@@ -113,7 +113,7 @@ permissionSchema.statics.reqPermCheck = function(perm){
 next();
 }else{
 res.status(401);
- res.send({error:`You do not have a high enough rank to access this resource.`});
+ return res.send({errors:[{type: "Unauthorized", msg: "You do not have a high enough rank to access this resource.", date: new Date()}]});
 }
 }
 }
diff --git a/src/schemas/userSchema.js b/src/schemas/userSchema.js
index a602f55..28760af 100644
--- a/src/schemas/userSchema.js
+++ b/src/schemas/userSchema.js
@@ -280,7 +280,7 @@ userSchema.methods.nuke = async function(pass){
 var oldUser = await module.exports.userModel.deleteOne(this);
 if(oldUser){
- await this.killAllSessions("This account has been deleted. So long, and thanks for all the fish! <3");
+ await this.killAllSessions("If you're seeing this, your account has been deleted. So long, and thanks for all the fish! <3");
 }else{
 throw new Error("Server Error: Unable to delete account! Please report this error to your server administrator, and with timestamp.");
 }
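Review bot: `if(oldUser)` in the userSchema hunk guards the session kill on the return value of `deleteOne`, which, if this is Mongoose, resolves to a result object and is therefore always truthy, so the `else` throw can never fire and sessions are killed even when nothing was deleted. Check the count instead, `if(oldUser.deletedCount === 1){`, and prefer `const` over `var` for `oldUser`. The enclosing `userSchema.methods.nuke` starts before this hunk.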