chore: add note about admin permission when managing permissions

quirky-bluejay · quirky-bluejay · commit 66905501afea · 2022-05-29T12:21:22.000+12:00
closes #17
diff --git a/src/interactions/commands/chatInput/config.ts b/src/interactions/commands/chatInput/config.ts
@@ -18,6 +18,7 @@ import {
 import { FastifyInstance } from "fastify";
 
 import { discordAPIBaseURL, embedPink } from "../../../constants";
+import { DiscordPermissions } from "../../../consts";
 import {
   ExpectedFailure,
   ExpectedPermissionFailure,
@@ -26,6 +27,7 @@ import {
 } from "../../../errors";
 import { checkIfRoleIsBelowUsersHighestRole } from "../../../lib/permissions/checks";
 import { InternalPermissions } from "../../../lib/permissions/consts";
+import { checkDiscordPermissionValue } from "../../../lib/permissions/utils";
 import { GuildSession } from "../../../lib/session";
 import { addTipToEmbed } from "../../../lib/tips";
 import { InternalInteractionType } from "../../interaction";
@@ -226,13 +228,13 @@ async function handlePermissionsManageSubcommand({
 
   const resolvedData = interaction.data.resolved;
   let targetType: "role" | "user";
+  let targetPermissions: Snowflake | undefined;
 
   if (resolvedData?.roles && resolvedData.roles[targetId] !== undefined) {
     targetType = "role";
+    targetPermissions = resolvedData.roles[targetId].permissions;
   } else if (
-    resolvedData?.members &&
-    resolvedData.members[targetId] !== undefined &&
-    resolvedData.users &&
+    resolvedData?.users &&
     resolvedData.users[targetId] !== undefined
   ) {
     targetType = "user";
@@ -243,6 +245,13 @@ async function handlePermissionsManageSubcommand({
         "The target cannot be a bot"
       );
     }
+    // If the user is in the guild, then it will be in the members resolved data
+    // Otherwise not
+    // If the user is in the guild, set the permissions value to it's permissions
+    if (resolvedData?.members && resolvedData.members[targetId] !== undefined) {
+      targetPermissions =
+        resolvedData.members[targetId].permissions ?? undefined;
+    }
   } else {
     throw new UnexpectedFailure(
       InteractionOrRequestFinalStatus.APPLICATION_COMMAND_RESOLVED_MISSING_EXPECTED_VALUE,
@@ -279,13 +288,21 @@ async function handlePermissionsManageSubcommand({
 
   // Not deferred as no logic is 'heavy'
 
+  const hasAdminPermission =
+    targetPermissions !== undefined &&
+    checkDiscordPermissionValue(
+      BigInt(targetPermissions),
+      DiscordPermissions.ADMINISTRATOR
+    );
+
   const permissionReturnData = await createPermissionsEmbed({
     targetType,
     targetId,
     channelId: channel?.id ?? null,
     guildId: session.guildId,
     instance,
     first: true,
+    hasAdminPermission,
   });
 
   // Void function that waits a bit then fetches the original interaction message
@@ -348,14 +365,14 @@ async function handlePermissionsQuickstartSubcommand({
     );
   }
   let targetType: "role" | "user";
+  let targetPermissions: Snowflake | undefined;
   const resolvedData = interaction.data.resolved;
 
   if (resolvedData?.roles && resolvedData.roles[targetId] !== undefined) {
     targetType = "role";
+    targetPermissions = resolvedData.roles[targetId].permissions;
   } else if (
-    resolvedData?.members &&
-    resolvedData.members[targetId] !== undefined &&
-    resolvedData.users &&
+    resolvedData?.users &&
     resolvedData.users[targetId] !== undefined
   ) {
     targetType = "user";
@@ -366,6 +383,13 @@ async function handlePermissionsQuickstartSubcommand({
         "The target cannot be a bot"
       );
     }
+    // If the user is in the guild, then it will be in the members resolved data
+    // Otherwise not
+    // If the user is in the guild, set the permissions value to it's permissions
+    if (resolvedData?.members && resolvedData.members[targetId] !== undefined) {
+      targetPermissions =
+        resolvedData.members[targetId].permissions ?? undefined;
+    }
   } else {
     throw new UnexpectedFailure(
       InteractionOrRequestFinalStatus.APPLICATION_COMMAND_RESOLVED_MISSING_EXPECTED_VALUE,
@@ -430,6 +454,7 @@ async function handlePermissionsQuickstartSubcommand({
       channelId: channel?.id,
     });
   }
+
   return {
     type: InteractionResponseType.ChannelMessageWithSource,
     data: {
@@ -451,7 +476,15 @@ async function handlePermissionsQuickstartSubcommand({
               targetType === "user" ? `<@${targetId}>` : `<@&${targetId}>`
             }${
               channel !== undefined ? ` on the channel <#${channel.id}>` : ""
-            }.`,
+            }.` + // Add note if the target has admin perms about how they bypass permissions
+            (targetPermissions !== undefined
+              ? checkDiscordPermissionValue(
+                  BigInt(targetPermissions),
+                  DiscordPermissions.ADMINISTRATOR
+                )
+                ? "\n\nNote: The target has the discord `ADMINISTRATOR` permission. Any user with this permission will bypass bot permission checks (all will be allowed)"
+                : ""
+              : ""),
           color: embedPink,
           timestamp: new Date().toISOString(),
         }),
diff --git a/src/interactions/selects/manage-permissions-select.ts b/src/interactions/selects/manage-permissions-select.ts
@@ -25,6 +25,7 @@ export default async function handleManagePermissionsSelect(
   const targetType = customIdData[2] as "role" | "user";
   const targetId = customIdData[3];
   const channelId = JSON.parse(customIdData[4]) as Snowflake | null;
+  const hasAdminPermission = JSON.parse(customIdData[5]) as boolean;
 
   // No permission checks are required here as they are either checked when the /config ... command is ran
   // or when the permissions are updated
@@ -167,6 +168,7 @@ export default async function handleManagePermissionsSelect(
     guildId: session.guildId,
     instance,
     first: false,
+    hasAdminPermission,
   });
   // register interaction with permission interaction cache
   instance.permissionManager.interactionCacheManager.registerInteraction({
diff --git a/src/interactions/shared/permissions-config.ts b/src/interactions/shared/permissions-config.ts
@@ -22,20 +22,27 @@ interface CreatePermissionsEmbedOptions {
   guildId: Snowflake;
   instance: FastifyInstance;
   first: boolean;
+  hasAdminPermission: boolean;
 }
 
 interface CreatePermissionsEmbedResult {
   embed: APIEmbed;
   components: APIActionRowComponent<APIMessageActionRowComponent>[];
 }
 
+/*
+  Custom Id Format:
+  <name: manage-permissions-select>:<action: allow | deny>:<targetType: role | user>:<targetId: snowflake>:<channelId: snowflake | null>:<hasAdminPermissions: true | false>
+*/
+
 const createPermissionsEmbed = async ({
   targetType,
   targetId,
   channelId,
   guildId,
   instance,
   first,
+  hasAdminPermission,
 }: CreatePermissionsEmbedOptions): Promise<CreatePermissionsEmbedResult> => {
   // No permission checks are required here as they are either checked when the /config ... command is ran
   // or when the permissions are updated
@@ -85,7 +92,7 @@ const createPermissionsEmbed = async ({
           components: [
             {
               type: ComponentType.SelectMenu,
-              custom_id: `manage-permissions-select:null:${targetType}:${targetId}:null`,
+              custom_id: `manage-permissions-select:null:${targetType}:${targetId}:null:${hasAdminPermission.toString()}`,
               options,
               max_values: options.length,
               min_values: 0,
@@ -169,6 +176,11 @@ const createPermissionsEmbed = async ({
         })
         .join("\n");
 
+    // Add note about admin permissions
+    if (hasAdminPermission) {
+      description +=
+        "\n\nNote: The target has the discord `ADMINISTRATOR` permission. Any user with this permission will bypass bot permission checks (all will be allowed)";
+    }
     return {
       embed: addTipToEmbed({
         title: "Managing permissions",
@@ -199,7 +211,7 @@ const createPermissionsEmbed = async ({
               type: ComponentType.SelectMenu,
               custom_id: `manage-permissions-select:allow:${targetType}:${targetId}:${JSON.stringify(
                 channelId
-              )}`,
+              )}:${hasAdminPermission.toString()}`,
               options: allowOptions,
               placeholder: "Select permissions to allow",
               max_values: allowOptions.length,
@@ -229,7 +241,7 @@ const createPermissionsEmbed = async ({
               type: ComponentType.SelectMenu,
               custom_id: `manage-permissions-select:deny:${targetType}:${targetId}:${JSON.stringify(
                 channelId
-              )}`,
+              )}:${hasAdminPermission.toString()}`,
               options: denyOptions,
               placeholder: "Select permissions to deny",
               max_values: denyOptions.length,
diff --git a/src/lib/permissions/interactionCache.ts b/src/lib/permissions/interactionCache.ts
@@ -184,6 +184,7 @@ class PermissionInteractionCache {
         guildId,
         instance: this._instance,
         first: false,
+        hasAdminPermission: false, // It's just a hint, doesn't matter if it goes away. Too hard / inaccurate to track this
       });
       for (const messageCacheId of messageCacheIds.messageIds) {
         const interactionCache = this._interactionCache[messageCacheId];
