From cae9af53593dda767d14a56f58ce61665df709e9 Mon Sep 17 00:00:00 2001 From: Regalijan Date: Thu, 5 Dec 2024 21:28:31 -0500 Subject: [PATCH] Don't allow standard et to access strike api routes --- functions/api/events-team/strikes/_middleware.ts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/functions/api/events-team/strikes/_middleware.ts b/functions/api/events-team/strikes/_middleware.ts index 8c62606..2754642 100644 --- a/functions/api/events-team/strikes/_middleware.ts +++ b/functions/api/events-team/strikes/_middleware.ts @@ -5,13 +5,7 @@ export async function onRequest(context: RequestContext) { if (!user) return jsonError("Not logged in", 401); - if (![1 << 3, 1 << 4, 1 << 12].find((p) => user.permissions & p)) - return jsonError("Not part of Events Team", 403); - - if ( - context.request.method !== "GET" && - ![1 << 4, 1 << 12].find((p) => user.permissions & p) - ) + if (![1 << 4, 1 << 12].find((p) => user.permissions & p)) return jsonError("Cannot manage strikes", 403); return await context.next();