From 9e44a7e0a15682ad295ffd247f27a86709253ab4 Mon Sep 17 00:00:00 2001
From: regalijan
Date: Thu, 19 Oct 2023 16:49:11 -0400
Subject: [PATCH] Add actual permission check to appeal toggle endpoint

---
 functions/api/appeals/toggle.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/functions/api/appeals/toggle.ts b/functions/api/appeals/toggle.ts
index d6b08b0..4e0db6e 100644
--- a/functions/api/appeals/toggle.ts
+++ b/functions/api/appeals/toggle.ts
@@ -1,5 +1,14 @@
 export async function onRequestPost(context: RequestContext) {
   const { active } = context.data.body;
+  const { permissions } = context.data.current_user;
+
+  if (!(permissions & (1 << 0)) || !(permissions & (1 << 11)))
+    return new Response('{"error":"Forbidden"}', {
+      headers: {
+        "content-type": "application/json",
+      },
+      status: 403,
+    });
 
   if (typeof active !== "boolean")
     return new Response('{"error":"Active property must be a boolean"}', {
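Review bot: The new guard in `onRequestPost` tests two unnamed permission bits, `1 << 0` and `1 << 11`, and because the two negated tests are joined with `||` a caller must hold both bits to pass; nothing visible says which permissions these are or whether requiring both is intended. Naming the bits and writing the requirement as a single mask would make the authorization rule auditable, for example `const REQUIRED = (1 << 0) | (1 << 11);` followed by `if ((permissions & REQUIRED) !== REQUIRED)`, with a comment stating what each bit grants. The destructuring of `context.data.current_user` also assumes upstream middleware always populates it; if an unauthenticated request can reach this handler it would throw rather than return a 401/403, so that is worth confirming. The function body continues past the end of the hunk.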