Fix arbitrary access to reminder list.

web/src/routes/dashboard/guild.rs

@@ -311,7 +311,15 @@ pub async fn create_guild_reminder(
 }
 
 #[get("/api/guild/<id>/reminders")]
-pub async fn get_reminders(id: u64, ctx: &State<Context>, pool: &State<Pool<MySql>>) -> JsonResult {
+pub async fn get_reminders(
+    id: u64,
+    cookies: &CookieJar<'_>,
+    ctx: &State<Context>,
+    serenity_context: &State<Context>,
+    pool: &State<Pool<MySql>>,
+) -> JsonResult {
+    check_authorization!(cookies, serenity_context.inner(), id);
+
     let channels_res = GuildId(id).channels(&ctx.inner()).await;
 
     match channels_res {

web/static/js/main.js

@@ -427,6 +427,14 @@ document.addEventListener("guildSwitched", async (e) => {
         `.switch-pane[data-guild="${e.detail.guild_id}"]`
     );
 
+    let hasError = false;
+
+    if ($anchor === null) {
+        switch_pane("user-error");
+        hasError = true;
+        return;
+    }
+
     switch_pane($anchor.dataset["pane"]);
     reset_guild_pane();
     $anchor.classList.add("is-active");
@@ -437,7 +445,7 @@ document.addEventListener("guildSwitched", async (e) => {
             .forEach((el) => el.classList.remove("is-locked"));
     }
 
-    let hasError = await fetch_channels(e.detail.guild_id);
+    hasError = await fetch_channels(e.detail.guild_id);
     if (!hasError) {
         fetch_roles(e.detail.guild_id);
         fetch_templates(e.detail.guild_id);