From 98ef2ede438f229a77febc74406e3594f4e298f0 Mon Sep 17 00:00:00 2001
From: regalijan <r@regalijan.com>
Date: Thu, 19 Oct 2023 16:50:57 -0400
Subject: [PATCH] Allow data team to access user history

---
 functions/api/game-bans/[user]/revoke.ts | 3 +++
 functions/api/game-bans/_middleware.ts   | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/functions/api/game-bans/[user]/revoke.ts b/functions/api/game-bans/[user]/revoke.ts
index 1b8453f..4f8f37d 100644
--- a/functions/api/game-bans/[user]/revoke.ts
+++ b/functions/api/game-bans/[user]/revoke.ts
@@ -3,6 +3,9 @@ import { insertLogs } from "../../../gcloud.js";
 import { jsonError } from "../../../common.js";
 
 export async function onRequestPost(context: RequestContext) {
+  if (!(context.data.current_user.permissions & (1 << 5)))
+    return jsonError("Forbidden", 403);
+
   const { ticket_link } = context.data.body;
 
   if (
diff --git a/functions/api/game-bans/_middleware.ts b/functions/api/game-bans/_middleware.ts
index 569715e..9d3ef1c 100644
--- a/functions/api/game-bans/_middleware.ts
+++ b/functions/api/game-bans/_middleware.ts
@@ -5,7 +5,8 @@ export async function onRequest(context: RequestContext) {
 
   if (!currentUser) return jsonError("Not logged in", 401);
 
-  if (!(currentUser.permissions & (1 << 5))) return jsonError("Forbidden", 403);
+  if (![1 << 5, 1 << 8].find((perm) => currentUser.permissions & perm))
+    return jsonError("Forbidden", 403);
 
   return await context.next();
 }