authorGravatar Numerlor <[email protected]>2020-08-20 13:53:54 +0200
committerGravatar Numerlor <[email protected]>2020-08-20 15:07:49 +0200
commit574bcac2b3fb43fc74a6c840667cfed408bc4077 (patch)
tree259f88a899d88c0287b09098b5a100f378794d39
parentMerge pull request #1106 from AtieP/master (diff)
Restrict reminder methods to authors and admins.
Before, any user could modify another user's reminders simply by passing their id. Now only admins may modify any reminder; everyone else can only modify the reminders they authored.
-rw-r--r--bot/cogs/reminders.py26
1 files changed, 24 insertions, 2 deletions
diff --git a/bot/cogs/reminders.py b/bot/cogs/reminders.py
index 670493bcf..08bce2153 100644
--- a/bot/cogs/reminders.py
+++ b/bot/cogs/reminders.py
@@ -12,10 +12,10 @@ from dateutil.relativedelta import relativedelta
from discord.ext.commands import Cog, Context, Greedy, group
from bot.bot import Bot
-from bot.constants import Guild, Icons, MODERATION_ROLES, POSITIVE_REPLIES, STAFF_ROLES
+from bot.constants import Guild, Icons, MODERATION_ROLES, POSITIVE_REPLIES, Roles, STAFF_ROLES
from bot.converters import Duration
from bot.pagination import LinePaginator
-from bot.utils.checks import without_role_check
+from bot.utils.checks import with_role_check, without_role_check
from bot.utils.messages import send_denial
from bot.utils.scheduling import Scheduler
from bot.utils.time import humanize_delta
@@ -396,6 +396,8 @@ class Reminders(Cog):
async def edit_reminder(self, ctx: Context, id_: int, payload: dict) -> None:
"""Edits a reminder with the given payload, then sends a confirmation message."""
+ if not await self._can_modify(ctx, id_):
+ return
reminder = await self._edit_reminder(id_, payload)
# Parse the reminder expiration back into a datetime
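Review bot: The new guard sits in `edit_reminder`, which from this hunk looks like a shared helper rather than the command itself, so it only protects callers that route through it; any subcommand outside this hunk that calls `_edit_reminder` directly would skip the author check. Putting the authorization at the narrowest chokepoint, or at least documenting the invariant with `# Authorization: every edit subcommand must route through here so _can_modify runs.` above the check, would make that dependency visible to the next maintainer. `edit_reminder`'s body continues past the end of the hunk.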
@@ -413,6 +415,8 @@ class Reminders(Cog):
@remind_group.command("delete", aliases=("remove", "cancel"))
async def delete_reminder(self, ctx: Context, id_: int) -> None:
"""Delete one of your active reminders."""
+ if not await self._can_modify(ctx, id_):
+ return
await self._delete_reminder(id_)
await self._send_confirmation(
ctx,
@@ -421,6 +425,24 @@ class Reminders(Cog):
delivery_dt=None,
)
+ async def _can_modify(self, ctx: Context, reminder_id: t.Union[str, int]) -> bool:
+ """
+ Check whether the reminder can be modified by the ctx author.
+
+ The check passes when the user is an admin, or if they created the reminder.
+ """
+ if with_role_check(ctx, Roles.admins):
+ return True
+
+ api_response = await self.bot.api_client.get(f"bot/reminders/{reminder_id}")
+ if not api_response["author"] == ctx.author.id:
+ log.debug(f"{ctx.author} is not the reminder author and does not pass the check.")
+ await send_denial(ctx, "You can't modify reminders of other users!")
+ return False
+
+ log.debug(f"{ctx.author} is the reminder author and passes the check.")
+ return True
+
def setup(bot: Bot) -> None:
"""Load the Reminders cog."""
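Review bot: `if not api_response["author"] == ctx.author.id:` is a negated equality; write it as `if api_response["author"] != ctx.author.id:` so the intent is explicit. The GET on `bot/reminders/{reminder_id}` runs before the author comparison, so a nonexistent id presumably raises from the API client before any denial is sent; whatever the existing command error path shows for that case is what the user sees, and if it differs from the denial message it distinguishes "does not exist" from "not yours" — likely acceptable for reminders, but worth stating with `# A missing reminder raises from the API client before the author check; the caller's error handling applies.` above the GET. Only `Roles.admins` bypasses the check although this module already imports `MODERATION_ROLES`; if moderators are expected to clean up other users' reminders, the check should use that tuple instead — confirm the intended policy.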