diff --git a/keyserver/src/creators/role-creator.js b/keyserver/src/creators/role-creator.js
--- a/keyserver/src/creators/role-creator.js
+++ b/keyserver/src/creators/role-creator.js
@@ -4,12 +4,16 @@
 getRolePermissionBlobs,
 getUniversalCommunityRootPermissionsBlob,
 } from 'lib/permissions/thread-permissions.js';
+import { threadHasPermission } from 'lib/shared/thread-utils.js';
 import {
 userSurfacedPermissionsSet,
 configurableCommunityPermissions,
 threadPermissions,
 } from 'lib/types/thread-permission-types.js';
-import type { ThreadType } from 'lib/types/thread-types-enum.js';
+import {
+ threadTypeIsCommunityRoot,
+ type ThreadType,
+} from 'lib/types/thread-types-enum.js';
 import type {
 RoleInfo,
 RoleModificationRequest,
@@ -26,7 +30,6 @@
 fetchServerThreadInfos,
 rawThreadInfosFromServerThreadInfos,
 } from '../fetchers/thread-fetchers.js';
-import { checkThreadPermission } from '../fetchers/thread-permission-fetchers.js';
 import type { Viewer } from '../session/viewer.js';
 import { updateRole } from '../updaters/thread-updaters.js';
@@ -86,16 +89,25 @@
 viewer: Viewer,
 request: RoleModificationRequest,
 ): Promise {
- const hasPermission = await checkThreadPermission(
- viewer,
- request.community,
+ const { community, name, permissions } = request;
+
+ const { threadInfos } = await fetchThreadInfos(viewer, {
+ threadID: community,
+ });
+ const threadInfo = threadInfos[community];
+
+ const hasPermission = threadHasPermission(
+ threadInfo,
 threadPermissions.CHANGE_ROLE,
 );
+
 if (!hasPermission) {
 throw new ServerError('invalid_credentials');
 }
- const { community, name, permissions } = request;
+ if (!threadTypeIsCommunityRoot(threadInfo.type)) {
+ throw new ServerError('invalid_parameters');
+ }
 for (const permission of permissions) {
 if (!userSurfacedPermissionsSet.has(permission)) {
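Review bot: `threadInfos[community]` can be undefined when the requested community does not exist or is not visible to the viewer, yet the new code in the `@@ -86,16 +89,25 @@` hunk passes it straight to `threadHasPermission` and then reads `threadInfo.type`. Whether `threadHasPermission` tolerates a missing thread info is not visible here, so the authorization guard should not depend on it: `const hasPermission = !!threadInfo && threadHasPermission(threadInfo, threadPermissions.CHANGE_ROLE);` keeps a missing thread on the `invalid_credentials` path instead of a possible TypeError. The CHANGE_ROLE decision also moves from `checkThreadPermission` to the permissions carried on the fetched thread info, so any viewer-state checks the removed fetcher performed should be confirmed as still covered, ideally with tests for a non-member viewer and a non-root thread. The function's signature starts above this hunk and its body continues below it.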
@@ -110,11 +122,6 @@
 .map(permission => [...configurableCommunityPermissions[permission]])
 .flat();
- const { threadInfos } = await fetchThreadInfos(viewer, {
- threadID: community,
- });
- const threadInfo = threadInfos[community];
-
 const universalCommunityPermissions =
 getUniversalCommunityRootPermissionsBlob(threadInfo.type);