refactor(security): centralize trusted sender checks for discord moderation

2026-05-08 09:01:22 +00:00 · 2026-02-19 15:39:21 +01:00
parent 81b19aaa1a
commit c9dee59266
11 changed files with 292 additions and 145 deletions
--- a/src/discord/send.permissions.authz.test.ts
+++ b/src/discord/send.permissions.authz.test.ts
@@ -3,7 +3,8 @@ import { PermissionFlagsBits, Routes } from "discord-api-types/v10";
 import { describe, expect, it, vi } from "vitest";
 import {
  fetchMemberGuildPermissionsDiscord,
-  hasGuildPermissionDiscord,
+  hasAllGuildPermissionsDiscord,
+  hasAnyGuildPermissionDiscord,
 } from "./send.permissions.js";

 const mockRest = vi.hoisted(() => ({
@@ -54,7 +55,7 @@ describe("discord guild permission authorization", () => {
    });
  });

-  describe("hasGuildPermissionDiscord", () => {
+  describe("hasAnyGuildPermissionDiscord", () => {
    it("returns true when user has required permission", async () => {
      mockRest.get.mockImplementation(async (route: string) => {
        if (route === Routes.guild("guild-1")) {
@@ -72,7 +73,7 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(true);
@@ -98,7 +99,7 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(true);
@@ -118,11 +119,37 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.BanMembers,
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(false);
    });
  });
+
+  describe("hasAllGuildPermissionsDiscord", () => {
+    it("returns false when user has only one of multiple required permissions", async () => {
+      mockRest.get.mockImplementation(async (route: string) => {
+        if (route === Routes.guild("guild-1")) {
+          return {
+            id: "guild-1",
+            roles: [
+              { id: "guild-1", permissions: "0" },
+              { id: "role-mod", permissions: PermissionFlagsBits.KickMembers.toString() },
+            ],
+          };
+        }
+        if (route === Routes.guildMember("guild-1", "user-1")) {
+          return { id: "user-1", roles: ["role-mod"] };
+        }
+        throw new Error(`Unexpected route: ${route}`);
+      });
+
+      const result = await hasAllGuildPermissionsDiscord("guild-1", "user-1", [
+        PermissionFlagsBits.KickMembers,
+        PermissionFlagsBits.BanMembers,
+      ]);
+      expect(result).toBe(false);
+    });
+  });
 });
--- a/src/discord/send.permissions.ts
+++ b/src/discord/send.permissions.ts
@@ -90,7 +90,7 @@ export async function fetchMemberGuildPermissionsDiscord(
 /**
 * Returns true when the user has ADMINISTRATOR or any required permission bit.
 */
-export async function hasGuildPermissionDiscord(
+export async function hasAnyGuildPermissionDiscord(
  guildId: string,
  userId: string,
  requiredPermissions: bigint[],
@@ -106,6 +106,30 @@ export async function hasGuildPermissionDiscord(
  return requiredPermissions.some((permission) => hasPermissionBit(permissions, permission));
 }

+/**
+ * Returns true when the user has ADMINISTRATOR or all required permission bits.
+ */
+export async function hasAllGuildPermissionsDiscord(
+  guildId: string,
+  userId: string,
+  requiredPermissions: bigint[],
+  opts: DiscordReactOpts = {},
+): Promise<boolean> {
+  const permissions = await fetchMemberGuildPermissionsDiscord(guildId, userId, opts);
+  if (permissions === null) {
+    return false;
+  }
+  if (hasAdministrator(permissions)) {
+    return true;
+  }
+  return requiredPermissions.every((permission) => hasPermissionBit(permissions, permission));
+}
+
+/**
+ * @deprecated Prefer hasAnyGuildPermissionDiscord or hasAllGuildPermissionsDiscord for clarity.
+ */
+export const hasGuildPermissionDiscord = hasAnyGuildPermissionDiscord;
+
 export async function fetchChannelPermissionsDiscord(
  channelId: string,
  opts: DiscordReactOpts = {},
--- a/src/discord/send.ts
+++ b/src/discord/send.ts
@@ -46,8 +46,9 @@ export {
 export { sendDiscordComponentMessage } from "./send.components.js";
 export {
  fetchChannelPermissionsDiscord,
+  hasAllGuildPermissionsDiscord,
+  hasAnyGuildPermissionDiscord,
  fetchMemberGuildPermissionsDiscord,
-  hasGuildPermissionDiscord,
 } from "./send.permissions.js";
 export {
  fetchReactionsDiscord,