From 01dc0334fd50ad7b5c8320ef37e65764f8445b25 Mon Sep 17 00:00:00 2001 From: jude Date: Sun, 23 Jul 2023 14:29:59 +0100 Subject: [PATCH] Fix arbitrary access to reminder list. --- web/src/routes/dashboard/guild.rs | 10 +++++++++- web/static/js/main.js | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/web/src/routes/dashboard/guild.rs b/web/src/routes/dashboard/guild.rs index e695fc5..c31be7a 100644 --- a/web/src/routes/dashboard/guild.rs +++ b/web/src/routes/dashboard/guild.rs @@ -311,7 +311,15 @@ pub async fn create_guild_reminder( } #[get("/api/guild//reminders")] -pub async fn get_reminders(id: u64, ctx: &State, pool: &State>) -> JsonResult { +pub async fn get_reminders( + id: u64, + cookies: &CookieJar<'_>, + ctx: &State, + serenity_context: &State, + pool: &State>, +) -> JsonResult { + check_authorization!(cookies, serenity_context.inner(), id); + let channels_res = GuildId(id).channels(&ctx.inner()).await; match channels_res { diff --git a/web/static/js/main.js b/web/static/js/main.js index 9e20876..6c147fb 100644 --- a/web/static/js/main.js +++ b/web/static/js/main.js @@ -427,6 +427,14 @@ document.addEventListener("guildSwitched", async (e) => { `.switch-pane[data-guild="${e.detail.guild_id}"]` ); + let hasError = false; + + if ($anchor === null) { + switch_pane("user-error"); + hasError = true; + return; + } + switch_pane($anchor.dataset["pane"]); reset_guild_pane(); $anchor.classList.add("is-active"); @@ -437,7 +445,7 @@ document.addEventListener("guildSwitched", async (e) => { .forEach((el) => el.classList.remove("is-locked")); } - let hasError = await fetch_channels(e.detail.guild_id); + hasError = await fetch_channels(e.detail.guild_id); if (!hasError) { fetch_roles(e.detail.guild_id); fetch_templates(e.detail.guild_id);
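Review bot: The access check on this route is a hand-placed `check_authorization!(cookies, serenity_context.inner(), id);` at the top of `get_reminders`, and since the route shipped without it once, any other handler that takes a guild `id` can miss it the same way. Those handlers (for example `create_guild_reminder`, named in the hunk header) lie outside this hunk, so each should be confirmed to run the same check before the issue is considered closed. Expressing the check as a Rocket request guard in the handler signature would put the requirement where review can see it; what the macro returns on failure is not visible here, so a guard would need to preserve that response. In the meantime I would add a comment above the call, `// Keep first: no guild data may be fetched before the caller is authorized for this guild id.`, and a regression test that requests this route for a guild the caller is not authorized for and expects a denial. The body of `get_reminders` continues past the end of the hunk.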
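Review bot: `hasError = true;` directly before `return;` in the new `$anchor === null` branch is a dead store, because `hasError` is a `let` local to this listener and nothing reads it once the handler has returned. Dropping that line means the hoisted `let hasError = false;` is no longer needed, and the next hunk (-437,7) can keep the original `let hasError = await fetch_channels(e.detail.guild_id);` (or make it `const`) instead of turning it into a bare assignment. This guard only stops the page from dereferencing a pane that does not exist; it is a UI fallback, not an access control, so a short comment such as `// No pane for this guild in the DOM: show the error pane; access is enforced server-side.` would keep that distinction clear. The listener starts before and ends after the lines shown in these hunks.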