github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 14:34:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): enforce trusted sender auth for discord moderation

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 15:18:00 +01:00
parent baa335f258
commit 775816035e
15 changed files with 498 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
src/discord/send.permissions.authz.test.ts Normal file
View File

@@ -0,0 +1,128 @@
import type { RequestClient } from "@buape/carbon";
import { PermissionFlagsBits, Routes } from "discord-api-types/v10";
import { describe, expect, it, vi } from "vitest";
import {
fetchMemberGuildPermissionsDiscord,
hasGuildPermissionDiscord,
} from "./send.permissions.js";
const mockRest = vi.hoisted(() => ({
get: vi.fn(),
}));
vi.mock("./client.js", () => ({
resolveDiscordRest: () => mockRest as unknown as RequestClient,
}));
describe("discord guild permission authorization", () => {
describe("fetchMemberGuildPermissionsDiscord", () => {
it("returns null when user is not a guild member", async () => {
mockRest.get.mockRejectedValueOnce(new Error("404 Member not found"));
const result = await fetchMemberGuildPermissionsDiscord("guild-1", "user-1");
expect(result).toBeNull();
});
it("includes @everyone and member roles in computed permissions", async () => {
mockRest.get.mockImplementation(async (route: string) => {
if (route === Routes.guild("guild-1")) {
return {
id: "guild-1",
roles: [
{ id: "guild-1", permissions: PermissionFlagsBits.ViewChannel.toString() },
{ id: "role-mod", permissions: PermissionFlagsBits.KickMembers.toString() },
],
};
}
if (route === Routes.guildMember("guild-1", "user-1")) {
return {
id: "user-1",
roles: ["role-mod"],
};
}
throw new Error(`Unexpected route: ${route}`);
});
const result = await fetchMemberGuildPermissionsDiscord("guild-1", "user-1");
expect(result).not.toBeNull();
expect((result! & PermissionFlagsBits.ViewChannel) === PermissionFlagsBits.ViewChannel).toBe(
true,
);
expect((result! & PermissionFlagsBits.KickMembers) === PermissionFlagsBits.KickMembers).toBe(
true,
);
});
});
describe("hasGuildPermissionDiscord", () => {
it("returns true when user has required permission", async () => {
mockRest.get.mockImplementation(async (route: string) => {
if (route === Routes.guild("guild-1")) {
return {
id: "guild-1",
roles: [
{ id: "guild-1", permissions: "0" },
{ id: "role-mod", permissions: PermissionFlagsBits.KickMembers.toString() },
],
};
}
if (route === Routes.guildMember("guild-1", "user-1")) {
return { id: "user-1", roles: ["role-mod"] };
}
throw new Error(`Unexpected route: ${route}`);
});
const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
PermissionFlagsBits.KickMembers,
]);
expect(result).toBe(true);
});
it("returns true when user has ADMINISTRATOR", async () => {
mockRest.get.mockImplementation(async (route: string) => {
if (route === Routes.guild("guild-1")) {
return {
id: "guild-1",
roles: [
{ id: "guild-1", permissions: "0" },
{
id: "role-admin",
permissions: PermissionFlagsBits.Administrator.toString(),
},
],
};
}
if (route === Routes.guildMember("guild-1", "user-1")) {
return { id: "user-1", roles: ["role-admin"] };
}
throw new Error(`Unexpected route: ${route}`);
});
const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
PermissionFlagsBits.KickMembers,
]);
expect(result).toBe(true);
});
it("returns false when user lacks all required permissions", async () => {
mockRest.get.mockImplementation(async (route: string) => {
if (route === Routes.guild("guild-1")) {
return {
id: "guild-1",
roles: [{ id: "guild-1", permissions: PermissionFlagsBits.ViewChannel.toString() }],
};
}
if (route === Routes.guildMember("guild-1", "user-1")) {
return { id: "user-1", roles: [] };
}
throw new Error(`Unexpected route: ${route}`);
});
const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
PermissionFlagsBits.BanMembers,
PermissionFlagsBits.KickMembers,
]);
expect(result).toBe(false);
});
});
});