Fix arbitrary access to reminder list.

This commit is contained in:
jude 2023-07-23 14:29:59 +01:00
parent 4a17aac15c
commit 01dc0334fd
2 changed files with 18 additions and 2 deletions

View File

@ -311,7 +311,15 @@ pub async fn create_guild_reminder(
} }
#[get("/api/guild/<id>/reminders")] #[get("/api/guild/<id>/reminders")]
pub async fn get_reminders(id: u64, ctx: &State<Context>, pool: &State<Pool<MySql>>) -> JsonResult { pub async fn get_reminders(
id: u64,
cookies: &CookieJar<'_>,
ctx: &State<Context>,
serenity_context: &State<Context>,
pool: &State<Pool<MySql>>,
) -> JsonResult {
check_authorization!(cookies, serenity_context.inner(), id);
let channels_res = GuildId(id).channels(&ctx.inner()).await; let channels_res = GuildId(id).channels(&ctx.inner()).await;
match channels_res { match channels_res {

View File

@ -427,6 +427,14 @@ document.addEventListener("guildSwitched", async (e) => {
`.switch-pane[data-guild="${e.detail.guild_id}"]` `.switch-pane[data-guild="${e.detail.guild_id}"]`
); );
let hasError = false;
if ($anchor === null) {
switch_pane("user-error");
hasError = true;
return;
}
switch_pane($anchor.dataset["pane"]); switch_pane($anchor.dataset["pane"]);
reset_guild_pane(); reset_guild_pane();
$anchor.classList.add("is-active"); $anchor.classList.add("is-active");
@ -437,7 +445,7 @@ document.addEventListener("guildSwitched", async (e) => {
.forEach((el) => el.classList.remove("is-locked")); .forEach((el) => el.classList.remove("is-locked"));
} }
let hasError = await fetch_channels(e.detail.guild_id); hasError = await fetch_channels(e.detail.guild_id);
if (!hasError) { if (!hasError) {
fetch_roles(e.detail.guild_id); fetch_roles(e.detail.guild_id);
fetch_templates(e.detail.guild_id); fetch_templates(e.detail.guild_id);