Add actual permission check to appeal toggle endpoint

regalijan · Oct 19, 2023 · 9e44a7e · 9e44a7e
1 parent 894baed
commit 9e44a7e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/functions/api/appeals/toggle.ts b/functions/api/appeals/toggle.ts
@@ -1,5 +1,14 @@
 export async function onRequestPost(context: RequestContext) {
   const { active } = context.data.body;
+  const { permissions } = context.data.current_user;
+
+  if (!(permissions & (1 << 0)) || !(permissions & (1 << 11)))
+    return new Response('{"error":"Forbidden"}', {
+      headers: {
+        "content-type": "application/json",
+      },
+      status: 403,
+    });
 
   if (typeof active !== "boolean")
     return new Response('{"error":"Active property must be a boolean"}', {