From 0573c394cfb42af33c7ed56ae1729a506cde2e62 Mon Sep 17 00:00:00 2001 From: Rory& Date: Fri, 5 Jun 2026 22:59:33 +0200 Subject: [PATCH] Use better permissions when handling webhook mentions --- .../Tests/Spacebar.Tests/Tests/WebhookTests.cs | 5 +---- src/api/util/handlers/Message.ts | 11 +++++++++-- src/util/entities/Message.ts | 4 ++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/extra/admin-api/Tests/Spacebar.Tests/Tests/WebhookTests.cs b/extra/admin-api/Tests/Spacebar.Tests/Tests/WebhookTests.cs index a03ee6334..93a4d38a8 100644 --- a/extra/admin-api/Tests/Spacebar.Tests/Tests/WebhookTests.cs +++ b/extra/admin-api/Tests/Spacebar.Tests/Tests/WebhookTests.cs @@ -1,7 +1,4 @@ -using System.Net; -using System.Net.Http.Json; -using System.Text.Json.Nodes; -using Spacebar.Models.Generic; +using System.Text.Json.Nodes; using Spacebar.Sdk.Core; using Spacebar.Tests.Abstractions; using Spacebar.Tests.Extensions; diff --git a/src/api/util/handlers/Message.ts b/src/api/util/handlers/Message.ts index cfa682374..acfe7f311 100644 --- a/src/api/util/handlers/Message.ts +++ b/src/api/util/handlers/Message.ts @@ -559,7 +559,8 @@ export async function postHandleMessage(message: Message) { embed.type ||= EmbedType.rich; }); - if ((await getPermission(message.author_id, message.channel.guild_id, message.channel_id)).has(Permissions.FLAGS.EMBED_LINKS)) await fillMessageUrlEmbeds(message); + if (message.isWebhook || (await getPermission(message.author_id, message.channel.guild_id, message.channel_id)).has(Permissions.FLAGS.EMBED_LINKS)) + await fillMessageUrlEmbeds(message); } export async function sendMessage(opts: MessageOptions) { @@ -675,7 +676,13 @@ async function handleMessageMentionsAsync(message: Message) { }); trace.calls.push(`getChannel(${channel.id})`, { micros: sw.getElapsedAndReset().totalMicroseconds }); - const permission = await getPermission(message.author_id ?? message.author?.id, channel.guild_id, channel); + const permissionTargetId = message.isWebhook ? message.webhook?.application_id : (message.author_id ?? message.author?.id); + const permission = + permissionTargetId != null + ? await getPermission(permissionTargetId, channel.guild_id, channel) + : message.guild_id != null + ? new Permissions((await Role.findOneOrFail({ where: { id: message.guild_id ?? message.guild?.id } })).permissions) + : Permissions.DEFAULT_DM_PERMISSIONS; trace.calls.push(`getPermissions`, { micros: sw.getElapsedAndReset().totalMicroseconds }); let content = message.content; diff --git a/src/util/entities/Message.ts b/src/util/entities/Message.ts index 153e086d4..68e7cbbb4 100644 --- a/src/util/entities/Message.ts +++ b/src/util/entities/Message.ts @@ -242,6 +242,10 @@ export class Message extends BaseClass { @Column({ default: "[]", type: "jsonb" }) message_snapshots: MessageSnapshot[]; + get isWebhook() { + return this.webhook_id != null && this.webhook != null; + } + static async fillReplies(messages: Message[]) { const ms = messages .filter((msg) => msg.message_reference && !msg.referenced_message?.id && msg.message_reference.message_id)