Enforce that a given applications emoji set can only be modified by the application itself, or its owner

Rory&
2026-07-01 18:35:25 +02:00
parent d4d710ce3c
commit e45a3cd680
4 changed files with 14 additions and 1 deletions
Binary file not shown.
Binary file not shown.
@@ -18,7 +18,7 @@
import { Request, Response, Router } from "express";
import { route } from "@spacebar/api/util/handlers/route";
import { Emoji } from "@spacebar/database";
import { Emoji, Application } from "@spacebar/database";
import { Config, DiscordApiErrors, Snowflake, handleFile } from "@spacebar/util";
import { ApplicationEmojiModifySchema, EmojiCreateSchema } from "@spacebar/schemas";
@@ -97,6 +97,9 @@ router.post(
const { application_id } = req.params as { [key: string]: string };
const body = req.body as EmojiCreateSchema;
const app = await Application.findOne({ where: { id: application_id } });
if (req.user_id != app?.id && req.user_id != app?.owner_id) throw DiscordApiErrors.ACTION_NOT_AUTHORIZED_ON_APPLICATION;
const id = Snowflake.generate();
const emoji_count = await Emoji.count({
where: { application_id: application_id },
@@ -144,6 +147,9 @@ router.patch(
const { emoji_id, application_id } = req.params as { [key: string]: string };
const body = req.body as ApplicationEmojiModifySchema;
const app = await Application.findOne({ where: { id: application_id } });
if (req.user_id != app?.id && req.user_id != app?.owner_id) throw DiscordApiErrors.ACTION_NOT_AUTHORIZED_ON_APPLICATION;
if (body.name?.includes("-")) body.name = body.name?.replaceAll("-", ""); // Dashes are invalid apparently
await Emoji.findOneOrFail({
@@ -173,6 +179,9 @@ router.delete(
async (req: Request, res: Response) => {
const { emoji_id, application_id } = req.params as { [key: string]: string };
const app = await Application.findOne({ where: { id: application_id } });
if (req.user_id != app?.id && req.user_id != app?.owner_id) throw DiscordApiErrors.ACTION_NOT_AUTHORIZED_ON_APPLICATION;
await Emoji.delete({
id: emoji_id,
application_id: application_id,
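Review bot: The ownership guard added to the `router.post`, `router.patch` and `router.delete` handlers never rejects a missing application on its own, because it relies on optional chaining and loose `!=`. When `Application.findOne` returns null, both `app?.id` and `app?.owner_id` are `undefined`, and the check throws only because `req.user_id` is set. If `req.user_id` can ever be null or undefined on these routes (the authentication middleware is not visible here), `undefined != undefined` is false and the request would pass for a non-existent application. I would make the null case explicit and compare strictly, e.g. `if (!app || (req.user_id !== app.id && req.user_id !== app.owner_id)) throw DiscordApiErrors.ACTION_NOT_AUTHORIZED_ON_APPLICATION;`, and move the lookup and check into one shared helper so the three handlers cannot drift apart. The handler bodies start and end outside the hunks shown.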
+4
@@ -58,6 +58,10 @@ export class Application extends BaseClass {
@ManyToOne(() => User, { onDelete: "CASCADE" })
owner: User;
@Column({ type: "int8" })
@RelationId((application: Application) => application.owner)
owner_id: string;
// TODO: enum this? https://discord.com/developers/docs/resources/application#application-object-application-flags
@Column()
flags: number = 0;
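Review bot: `owner_id` is declared as an `int8` column but typed `string`, and the emoji-route guard in this commit compares it against `req.user_id`, so the authorization result depends on the driver returning a string that matches exactly. Snowflake values are larger than a JavaScript number can represent exactly, so a driver that returns `int8` as a number would presumably make the owner comparison unreliable; this is worth confirming for each supported database. I would also add a comment above the field, such as `// Mirrors the owner relation's key; used for ownership checks in the application emoji routes`. The class body continues outside this hunk.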