From 012567c9d2a2f913589eecbb4271666fc79f3068 Mon Sep 17 00:00:00 2001 From: Luna Date: Mon, 18 Mar 2019 17:44:30 -0300 Subject: [PATCH] webhooks: add channel checks when user updates webhook --- litecord/blueprints/webhooks.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/litecord/blueprints/webhooks.py b/litecord/blueprints/webhooks.py index dc3eb40..a604014 100644 --- a/litecord/blueprints/webhooks.py +++ b/litecord/blueprints/webhooks.py @@ -33,7 +33,7 @@ from litecord.schemas import ( from litecord.enums import ChannelType from litecord.snowflake import get_snowflake from litecord.utils import async_map -from litecord.errors import WebhookNotFound, Unauthorized +from litecord.errors import WebhookNotFound, Unauthorized, ChannelNotFound from litecord.blueprints.channel.messages import ( msg_create_request, msg_create_check_content, msg_add_attachment, @@ -98,7 +98,7 @@ async def _webhook_check_fw(webhook_id): if guild_id is None: raise WebhookNotFound() - return await _webhook_check_guild(guild_id) + return (await _webhook_check_guild(guild_id)), guild_id async def _webhook_many(where_clause, arg: int): @@ -205,7 +205,7 @@ async def _update_webhook(webhook_id: int, j: dict): UPDATE webhooks SET channel_id = $1 WHERE id = $2 - """, j['name'], webhook_id) + """, j['channel_id'], webhook_id) if 'avatar' in j: new_icon = await app.icons.update( @@ -222,9 +222,18 @@ async def _update_webhook(webhook_id: int, j: dict): @bp.route('/webhooks/', methods=['PATCH']) async def modify_webhook(webhook_id: int): """Patch a webhook.""" - await _webhook_check_fw(webhook_id) + guild_id, _user_id = await _webhook_check_fw(webhook_id) j = validate(await request.get_json(), WEBHOOK_UPDATE) + if 'channel_id' in j: + # pre checks + chan = await app.storage.get_channel(j['channel_id']) + + # short-circuiting should ensure chan isn't none + # by the time we do chan['guild_id'] + if chan and chan['guild_id'] != str(guild_id): + raise ChannelNotFound('cant assign webhook to channel') + await _update_webhook(webhook_id, j) return jsonify(await get_webhook(webhook_id))