refactor(security): centralize trusted sender checks for discord moderation

2026-05-09 10:37:41 +00:00 · 2026-02-19 15:39:21 +01:00
parent 81b19aaa1a
commit c9dee59266
11 changed files with 292 additions and 145 deletions
--- a/src/discord/send.permissions.authz.test.ts
+++ b/src/discord/send.permissions.authz.test.ts
@@ -3,7 +3,8 @@ import { PermissionFlagsBits, Routes } from "discord-api-types/v10";
 import { describe, expect, it, vi } from "vitest";
 import {
  fetchMemberGuildPermissionsDiscord,
-  hasGuildPermissionDiscord,
+  hasAllGuildPermissionsDiscord,
+  hasAnyGuildPermissionDiscord,
 } from "./send.permissions.js";

 const mockRest = vi.hoisted(() => ({
@@ -54,7 +55,7 @@ describe("discord guild permission authorization", () => {
    });
  });

-  describe("hasGuildPermissionDiscord", () => {
+  describe("hasAnyGuildPermissionDiscord", () => {
    it("returns true when user has required permission", async () => {
      mockRest.get.mockImplementation(async (route: string) => {
        if (route === Routes.guild("guild-1")) {
@@ -72,7 +73,7 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(true);
@@ -98,7 +99,7 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(true);
@@ -118,11 +119,37 @@ describe("discord guild permission authorization", () => {
        throw new Error(`Unexpected route: ${route}`);
      });

-      const result = await hasGuildPermissionDiscord("guild-1", "user-1", [
+      const result = await hasAnyGuildPermissionDiscord("guild-1", "user-1", [
        PermissionFlagsBits.BanMembers,
        PermissionFlagsBits.KickMembers,
      ]);
      expect(result).toBe(false);
    });
  });
+
+  describe("hasAllGuildPermissionsDiscord", () => {
+    it("returns false when user has only one of multiple required permissions", async () => {
+      mockRest.get.mockImplementation(async (route: string) => {
+        if (route === Routes.guild("guild-1")) {
+          return {
+            id: "guild-1",
+            roles: [
+              { id: "guild-1", permissions: "0" },
+              { id: "role-mod", permissions: PermissionFlagsBits.KickMembers.toString() },
+            ],
+          };
+        }
+        if (route === Routes.guildMember("guild-1", "user-1")) {
+          return { id: "user-1", roles: ["role-mod"] };
+        }
+        throw new Error(`Unexpected route: ${route}`);
+      });
+
+      const result = await hasAllGuildPermissionsDiscord("guild-1", "user-1", [
+        PermissionFlagsBits.KickMembers,
+        PermissionFlagsBits.BanMembers,
+      ]);
+      expect(result).toBe(false);
+    });
+  });
 });