refactor(security): centralize trusted sender checks for discord moderation

This commit is contained in:
Peter Steinberger
2026-02-19 15:39:21 +01:00
parent 81b19aaa1a
commit c9dee59266
11 changed files with 292 additions and 145 deletions


@@ -0,0 +1,48 @@
import { PermissionFlagsBits } from "discord-api-types/v10";
import { readNumberParam, readStringParam } from "./common.js";
export type DiscordModerationAction = "timeout" | "kick" | "ban";
export type DiscordModerationCommand = {
action: DiscordModerationAction;
guildId: string;
userId: string;
durationMinutes?: number;
until?: string;
reason?: string;
deleteMessageDays?: number;
};
const moderationPermissions: Record<DiscordModerationAction, bigint> = {
timeout: PermissionFlagsBits.ModerateMembers,
kick: PermissionFlagsBits.KickMembers,
ban: PermissionFlagsBits.BanMembers,
};
export function isDiscordModerationAction(action: string): action is DiscordModerationAction {
return action === "timeout" || action === "kick" || action === "ban";
}
export function requiredGuildPermissionForModerationAction(
action: DiscordModerationAction,
): bigint {
return moderationPermissions[action];
}
export function readDiscordModerationCommand(
action: string,
params: Record<string, unknown>,
): DiscordModerationCommand {
if (!isDiscordModerationAction(action)) {
throw new Error(`Unsupported Discord moderation action: ${action}`);
}
return {
action,
guildId: readStringParam(params, "guildId", { required: true }),
userId: readStringParam(params, "userId", { required: true }),
durationMinutes: readNumberParam(params, "durationMinutes", { integer: true }),
until: readStringParam(params, "until"),
reason: readStringParam(params, "reason"),
deleteMessageDays: readNumberParam(params, "deleteMessageDays", { integer: true }),
};
}
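Review bot: `readDiscordModerationCommand` passes `durationMinutes` and `deleteMessageDays` through with no range check (the `readNumberParam(..., { integer: true })` calls), and whether that helper rejects negative or non-finite values is not visible here, whereas the inline code this replaces guarded each with `Number.isFinite`. Now that this is the single parse point for all three actions, it is the natural place to enforce the Discord API's limits — a timeout of at most 28 days and `deleteMessageDays` within 0..7 — so a bad value fails here with a clear message instead of at the API call, e.g. `if (deleteMessageDays !== undefined && (deleteMessageDays < 0 || deleteMessageDays > 7)) throw new Error("deleteMessageDays must be between 0 and 7");`. Presumably `{ integer: true }` already rejects NaN/Infinity; confirm that in common.js, and note that fractional minutes the old code accepted may now be rejected or truncated. A TSDoc comment on the exported function stating that it throws on an unsupported action and on a missing `guildId`/`userId` would also help callers.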


@@ -7,10 +7,10 @@ const discordSendMocks = vi.hoisted(() => ({
banMemberDiscord: vi.fn(async () => ({ ok: true })),
kickMemberDiscord: vi.fn(async () => ({ ok: true })),
timeoutMemberDiscord: vi.fn(async () => ({ id: "user-1" })),
hasGuildPermissionDiscord: vi.fn(async () => false),
hasAnyGuildPermissionDiscord: vi.fn(async () => false),
}));
const { banMemberDiscord, kickMemberDiscord, timeoutMemberDiscord, hasGuildPermissionDiscord } =
const { banMemberDiscord, kickMemberDiscord, timeoutMemberDiscord, hasAnyGuildPermissionDiscord } =
discordSendMocks;
vi.mock("../../discord/send.js", () => ({
@@ -21,7 +21,7 @@ const enableAllActions = (_key: keyof DiscordActionConfig, _defaultValue = true)
describe("discord moderation sender authorization", () => {
it("rejects ban when sender lacks BAN_MEMBERS", async () => {
hasGuildPermissionDiscord.mockResolvedValueOnce(false);
hasAnyGuildPermissionDiscord.mockResolvedValueOnce(false);
await expect(
handleDiscordModerationAction(
@@ -35,7 +35,7 @@ describe("discord moderation sender authorization", () => {
),
).rejects.toThrow("required permissions");
expect(hasGuildPermissionDiscord).toHaveBeenCalledWith(
expect(hasAnyGuildPermissionDiscord).toHaveBeenCalledWith(
"guild-1",
"sender-1",
[PermissionFlagsBits.BanMembers],
@@ -45,7 +45,7 @@ describe("discord moderation sender authorization", () => {
});
it("rejects kick when sender lacks KICK_MEMBERS", async () => {
hasGuildPermissionDiscord.mockResolvedValueOnce(false);
hasAnyGuildPermissionDiscord.mockResolvedValueOnce(false);
await expect(
handleDiscordModerationAction(
@@ -59,7 +59,7 @@ describe("discord moderation sender authorization", () => {
),
).rejects.toThrow("required permissions");
expect(hasGuildPermissionDiscord).toHaveBeenCalledWith(
expect(hasAnyGuildPermissionDiscord).toHaveBeenCalledWith(
"guild-1",
"sender-1",
[PermissionFlagsBits.KickMembers],
@@ -69,7 +69,7 @@ describe("discord moderation sender authorization", () => {
});
it("rejects timeout when sender lacks MODERATE_MEMBERS", async () => {
hasGuildPermissionDiscord.mockResolvedValueOnce(false);
hasAnyGuildPermissionDiscord.mockResolvedValueOnce(false);
await expect(
handleDiscordModerationAction(
@@ -84,7 +84,7 @@ describe("discord moderation sender authorization", () => {
),
).rejects.toThrow("required permissions");
expect(hasGuildPermissionDiscord).toHaveBeenCalledWith(
expect(hasAnyGuildPermissionDiscord).toHaveBeenCalledWith(
"guild-1",
"sender-1",
[PermissionFlagsBits.ModerateMembers],
@@ -94,7 +94,7 @@ describe("discord moderation sender authorization", () => {
});
it("executes moderation action when sender has required permission", async () => {
hasGuildPermissionDiscord.mockResolvedValueOnce(true);
hasAnyGuildPermissionDiscord.mockResolvedValueOnce(true);
kickMemberDiscord.mockResolvedValueOnce({ ok: true });
await handleDiscordModerationAction(
@@ -108,7 +108,7 @@ describe("discord moderation sender authorization", () => {
enableAllActions,
);
expect(hasGuildPermissionDiscord).toHaveBeenCalledWith(
expect(hasAnyGuildPermissionDiscord).toHaveBeenCalledWith(
"guild-1",
"sender-1",
[PermissionFlagsBits.KickMembers],
@@ -122,7 +122,7 @@ describe("discord moderation sender authorization", () => {
});
it("forwards accountId into permission check and moderation execution", async () => {
hasGuildPermissionDiscord.mockResolvedValueOnce(true);
hasAnyGuildPermissionDiscord.mockResolvedValueOnce(true);
timeoutMemberDiscord.mockResolvedValueOnce({ id: "user-1" });
await handleDiscordModerationAction(
@@ -137,7 +137,7 @@ describe("discord moderation sender authorization", () => {
enableAllActions,
);
expect(hasGuildPermissionDiscord).toHaveBeenCalledWith(
expect(hasAnyGuildPermissionDiscord).toHaveBeenCalledWith(
"guild-1",
"sender-1",
[PermissionFlagsBits.ModerateMembers],


@@ -1,28 +1,32 @@
import type { AgentToolResult } from "@mariozechner/pi-agent-core";
import { PermissionFlagsBits } from "discord-api-types/v10";
import type { DiscordActionConfig } from "../../config/config.js";
import {
banMemberDiscord,
hasGuildPermissionDiscord,
hasAnyGuildPermissionDiscord,
kickMemberDiscord,
timeoutMemberDiscord,
} from "../../discord/send.js";
import { type ActionGate, jsonResult, readStringParam } from "./common.js";
import {
isDiscordModerationAction,
readDiscordModerationCommand,
requiredGuildPermissionForModerationAction,
} from "./discord-actions-moderation-shared.js";
async function verifySenderModerationPermission(params: {
guildId: string;
senderUserId?: string;
requiredPermissions: bigint[];
requiredPermission: bigint;
accountId?: string;
}) {
// CLI/manual flows may not have sender context; enforce only when present.
if (!params.senderUserId) {
return;
}
const hasPermission = await hasGuildPermissionDiscord(
const hasPermission = await hasAnyGuildPermissionDiscord(
params.guildId,
params.senderUserId,
params.requiredPermissions,
[params.requiredPermission],
params.accountId ? { accountId: params.accountId } : undefined,
);
if (!hasPermission) {
@@ -35,117 +39,82 @@ export async function handleDiscordModerationAction(
params: Record<string, unknown>,
isActionEnabled: ActionGate<DiscordActionConfig>,
): Promise<AgentToolResult<unknown>> {
if (!isDiscordModerationAction(action)) {
throw new Error(`Unknown action: ${action}`);
}
if (!isActionEnabled("moderation", false)) {
throw new Error("Discord moderation is disabled.");
}
const command = readDiscordModerationCommand(action, params);
const accountId = readStringParam(params, "accountId");
const senderUserId = readStringParam(params, "senderUserId");
switch (action) {
await verifySenderModerationPermission({
guildId: command.guildId,
senderUserId,
requiredPermission: requiredGuildPermissionForModerationAction(command.action),
accountId,
});
switch (command.action) {
case "timeout": {
if (!isActionEnabled("moderation", false)) {
throw new Error("Discord moderation is disabled.");
}
const guildId = readStringParam(params, "guildId", {
required: true,
});
const userId = readStringParam(params, "userId", {
required: true,
});
const durationMinutes =
typeof params.durationMinutes === "number" && Number.isFinite(params.durationMinutes)
? params.durationMinutes
: undefined;
const until = readStringParam(params, "until");
const reason = readStringParam(params, "reason");
await verifySenderModerationPermission({
guildId,
senderUserId,
requiredPermissions: [PermissionFlagsBits.ModerateMembers],
accountId,
});
const member = accountId
? await timeoutMemberDiscord(
{
guildId,
userId,
durationMinutes,
until,
reason,
guildId: command.guildId,
userId: command.userId,
durationMinutes: command.durationMinutes,
until: command.until,
reason: command.reason,
},
{ accountId },
)
: await timeoutMemberDiscord({
guildId,
userId,
durationMinutes,
until,
reason,
guildId: command.guildId,
userId: command.userId,
durationMinutes: command.durationMinutes,
until: command.until,
reason: command.reason,
});
return jsonResult({ ok: true, member });
}
case "kick": {
if (!isActionEnabled("moderation", false)) {
throw new Error("Discord moderation is disabled.");
}
const guildId = readStringParam(params, "guildId", {
required: true,
});
const userId = readStringParam(params, "userId", {
required: true,
});
const reason = readStringParam(params, "reason");
await verifySenderModerationPermission({
guildId,
senderUserId,
requiredPermissions: [PermissionFlagsBits.KickMembers],
accountId,
});
if (accountId) {
await kickMemberDiscord({ guildId, userId, reason }, { accountId });
await kickMemberDiscord(
{
guildId: command.guildId,
userId: command.userId,
reason: command.reason,
},
{ accountId },
);
} else {
await kickMemberDiscord({ guildId, userId, reason });
await kickMemberDiscord({
guildId: command.guildId,
userId: command.userId,
reason: command.reason,
});
}
return jsonResult({ ok: true });
}
case "ban": {
if (!isActionEnabled("moderation", false)) {
throw new Error("Discord moderation is disabled.");
}
const guildId = readStringParam(params, "guildId", {
required: true,
});
const userId = readStringParam(params, "userId", {
required: true,
});
const reason = readStringParam(params, "reason");
const deleteMessageDays =
typeof params.deleteMessageDays === "number" && Number.isFinite(params.deleteMessageDays)
? params.deleteMessageDays
: undefined;
await verifySenderModerationPermission({
guildId,
senderUserId,
requiredPermissions: [PermissionFlagsBits.BanMembers],
accountId,
});
if (accountId) {
await banMemberDiscord(
{
guildId,
userId,
reason,
deleteMessageDays,
guildId: command.guildId,
userId: command.userId,
reason: command.reason,
deleteMessageDays: command.deleteMessageDays,
},
{ accountId },
);
} else {
await banMemberDiscord({
guildId,
userId,
reason,
deleteMessageDays,
guildId: command.guildId,
userId: command.userId,
reason: command.reason,
deleteMessageDays: command.deleteMessageDays,
});
}
return jsonResult({ ok: true });
}
default:
throw new Error(`Unknown action: ${action}`);
}
}
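Review bot: The centralized check (`await verifySenderModerationPermission({ guildId: command.guildId, senderUserId, ... })`) still takes `senderUserId` from the same `params` bag as the target user (`readStringParam(params, "senderUserId")`), and the helper returns without checking when it is absent ("CLI/manual flows may not have sender context; enforce only when present"), so whoever assembles `params` can skip sender authorization by leaving the field out — if that is an agent tool call, a prompt-injected model can do exactly that. Centralizing the call does not close this gap; consider having the caller supply the sender identity from the inbound message context rather than from tool params, and making the skip an explicit opt-in, e.g. `if (!params.senderUserId) { if (!params.allowUnattributed) throw new Error("senderUserId is required for moderation actions"); return; }` with only the CLI path setting the flag. Presumably the CLI path genuinely has no sender — confirm there is no route by which an agent reaches this handler without one, and add a test pinning whichever behavior is intended for the missing-sender case. The signature of `handleDiscordModerationAction` starts above this hunk; also, with `command.action` typed as `DiscordModerationAction` the `default:` branch is unreachable, so `const _exhaustive: never = command.action;` would document that more honestly than `Unknown action`.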