diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index 3b66410..0000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "git.ignoreLimitWarning": true
-}
\ No newline at end of file
diff --git a/package.json b/package.json
index 163d2da..4596a20 100644
--- a/package.json
+++ b/package.json
@@ -1,8 +1,8 @@
 {
 "name": "knightrider",
- "version": "4.8.420",
+ "version": "4.8.434",
 "description": "a bot for a private discord server",
- "updatenote": "major update: now using a database, fixed exploit that allowed users to add the bot to their server give themself the Staff role and edit staff only options in CWH11's Hangout Crew, multiple server support, a better dashboard and now opensource.",
+ "updatenote": "small update (untested): fixed non staff from accessing dashboard by doing to domain/server/:server-id",
 "main": "./src/knightrider.js",
 "scripts": {
 "start": "node ./src/knightrider.js",
diff --git a/src/express/get/dashboard/dashboard.js b/src/express/get/dashboard/dashboard.js
index 02dfd86..fe5e8e9 100644
--- a/src/express/get/dashboard/dashboard.js
+++ b/src/express/get/dashboard/dashboard.js
@@ -81,7 +81,7 @@ module.exports = {
 if (userGuild.owner == true) {
 guilds.push({ id: userGuild.id, name: userGuild.name, icon: `https://cdn.discordapp.com/icons/${userGuild.id}/${userGuild.icon}.webp`, mutual: true, userPermission: 'owner' });
 } else {
- if (client.guilds.cache.get(currentServer.id).members.find(userInfo.id).roles.cache.find(r => currentServer.staffRoles.includes(r.name))) {
+ if (client.guilds.cache.get(currentServer.id).members.cache.get(userInfo.id).roles.cache.find(r => currentServer.staffRoles.includes(r.name))) {
 guilds.push({ id: userGuild.id, name: userGuild.name, icon: `https://cdn.discordapp.com/icons/${userGuild.id}/${userGuild.icon}.webp`, mutual: true, userPermission: 'staffrole' });
 } else {
 currentServer.staff.forEach(userid => {
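Review bot: `members.cache.get(userInfo.id)` on the added line returns undefined when that member is not in the guild's member cache, and `.roles` is then read off undefined, so the staff-role branch throws for any uncached member instead of treating them as non-staff; the removed `members.find(userInfo.id)` presumably never worked, so this is the first time the branch actually runs. Guard the lookup and fall through to the existing `currentServer.staff` check when it misses, e.g. `const member = client.guilds.cache.get(currentServer.id)?.members.cache.get(userInfo.id);` and `if (member && member.roles.cache.some(r => currentServer.staffRoles.includes(r.name))) {` (an explicit null check if the Node version predates optional chaining). The decision keys on role names via `staffRoles.includes(r.name)`; names are neither unique nor immutable, so if `staffRoles` could hold role ids instead, comparing `r.id` would be the safer authorization key — worth confirming what the schema stores. The enclosing loop and function continue outside this hunk.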
diff --git a/src/express/get/dashboard/filter.js b/src/express/get/dashboard/filter.js
index 6174b71..75e7a4a 100644
--- a/src/express/get/dashboard/filter.js
+++ b/src/express/get/dashboard/filter.js
@@ -15,13 +15,9 @@ module.exports = {
 let currentUser = await Userdashboard.findOne({ userId: res.locals.cookie.id })
 let currentServer = await Server.findOne({ id: req.params.serverid })
 if (currentServer == null) return res.render('404.ejs')
- let hasAccess = false;
- await currentUser.guilds.forEach(guild => {
- if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
- hasAccess = true;
- };
- });
- if (hasAccess == true) {
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
+ let hasAccess = false;
 await currentUser.accessCodes.forEach(async(userCode) => {
 if (res.locals.cookie.accesscode == userCode.code) {
@@ -33,7 +29,7 @@ module.exports = {
 if (hasAccess == false) return res.redirect('/login?ninvalidcode');
 } else {
- await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff fill out http://knightrider.rf.gd/er/admin.php", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
+ await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff tell the bot owner", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
 }
 } catch (error) {
 console.log(error)
diff --git a/src/express/get/dashboard/reactionroles.js b/src/express/get/dashboard/reactionroles.js
index 7bc0c2b..fd0b697 100644
--- a/src/express/get/dashboard/reactionroles.js
+++ b/src/express/get/dashboard/reactionroles.js
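Review bot: `currentUser.guilds[currentServer.id]` on the first added line indexes what the removed code iterated with `forEach` and what dashboard.js fills with `guilds.push(...)`, i.e. an array; indexing an array by a guild id yields undefined, so `guild.userPermission` on the next line throws a TypeError, which lands in the catch block that (as far as the visible `console.log(error)` shows) sends no response, leaving every request to this route hanging, staff or not. Look the entry up and treat absence as unauthorized instead: `const guild = currentUser.guilds.find(g => g.id === currentServer.id);` then `const permission = guild ? guild.userPermission : null;` and test `permission` in the condition — the null guard is needed regardless, because users admitted through `currentServer.staff.includes(...)` need not have a `guilds` entry at all. The `await` on a plain property access is a no-op and can be dropped. dashboard.js tags role-based staff with `userPermission: 'staffrole'`, which this condition never accepts, so those users reach the dashboard only if they are also listed in `currentServer.staff`; confirm that is intended. The same lookup is added in the reactionroles.js, server.js, updatefilter.js, updateoverview.js and updatereactionroles.js hunks.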
@@ -16,13 +16,9 @@ module.exports = {
 if (currentUser == null) return res.render('404.ejs')
 let currentServer = await Server.findOne({ id: req.params.serverid })
 if (currentServer == null) return res.render('404.ejs')
- let hasAccess = false;
- await currentUser.guilds.forEach(guild => {
- if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
- hasAccess = true;
- };
- });
- if (hasAccess == true) {
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
+ let hasAccess = false;
 let listedRoles = [];
 let listedChannels = [];
 let server = await client.guilds.cache.get(currentServer.id);
@@ -41,7 +37,7 @@ module.exports = {
 });
 if (hasAccess == false) return res.redirect('/login?ninvalidcode');
 } else {
- await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff fill out http://knightrider.rf.gd/er/admin.php", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
+ await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff tell the bot owner", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
 }
 } catch (error) {
 console.log(error)
diff --git a/src/express/get/dashboard/server.js b/src/express/get/dashboard/server.js
index c9fbf97..7da79fa 100644
--- a/src/express/get/dashboard/server.js
+++ b/src/express/get/dashboard/server.js
@@ -16,13 +16,9 @@ module.exports = {
 if (currentUser == null) return res.redirect('/login');
 let currentServer = await Server.findOne({ id: req.params.serverid })
 if (currentServer == null) return res.render('404.ejs');
- let hasAccess = false;
- await currentUser.guilds.forEach(guild => {
- if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
- hasAccess = true;
- };
- });
- if (hasAccess == true) {
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
+ let hasAccess = false;
 await currentUser.accessCodes.forEach(async(userCode) => {
 if (res.locals.cookie.accesscode == userCode.code) {
 hasAccess = true;
@@ -32,8 +28,8 @@ module.exports = {
 });
 if (hasAccess == false) return res.redirect('/login?ninvalidcode');
 } else {
- await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff fill out http://knightrider.rf.gd/er/admin.php", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
- };
+ await res.status(401).render('error.ejs', { errorMessage: null, error: "you do not have access to the admin dashboard if you are a member of staff tell the bot owner", userInfo: { id: req.query.userid, username: req.query.userame, avatar: req.query.userAvatar } })
+ }
 } catch (error) {
 console.log(error)
diff --git a/src/express/post/api/updatefilter.js b/src/express/post/api/updatefilter.js
index 482c436..95c4943 100644
--- a/src/express/post/api/updatefilter.js
+++ b/src/express/post/api/updatefilter.js
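Review bot: `res.locals.cookie.accesscode == userCode.code` (a context line now inside the new block) compares a cookie-supplied credential with loose equality, so a missing or null cookie value compares equal to a missing stored code (`undefined == undefined`, `null == undefined`), and the comparison is not constant-time. Check that both sides are non-empty strings first and compare with `===`, or with `crypto.timingSafeEqual` on equal-length buffers if timing leakage matters for these codes. The callback given to `accessCodes.forEach` is `async`, which `forEach` neither awaits nor catches; the gate holds only because `hasAccess = true` is assigned before any await in the callback, so either replace the loop with `const matched = currentUser.accessCodes.some(c => ...)` or pin the invariant with a comment like `// hasAccess must be set before the first await: forEach does not wait for this callback`. The function continues outside this hunk.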
@@ -13,17 +13,22 @@ module.exports = {
 if (currentUser == null) return res.status(404).json({ error: "404 - cant find you in the db" });
 let currentServer = await Server.findOne({ id: req.body.server.id });
 if (currentServer == null) return res.status(404).json({ error: "404 - cant find that server in the db" });
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
- let hasAccess = false;
- await currentUser.accessCodes.forEach(async(userCode) => {
- if (req.body.user.accesscode == userCode.code) {
- hasAccess = true;
- currentServer.filter.normal = await req.body.normalFilter;
- currentServer.filter.safe = await req.body.safeFilter;
- currentServer.save();
- return res.status(200).json({ error: "no", message: "filters have been updates" });
- };
- });
+ let hasAccess = false;
+ await currentUser.accessCodes.forEach(async(userCode) => {
+ if (req.body.user.accesscode == userCode.code) {
+ hasAccess = true;
+ currentServer.filter.normal = await req.body.normalFilter;
+ currentServer.filter.safe = await req.body.safeFilter;
+ currentServer.save();
+ return res.status(200).json({ error: "no", message: "filters have been updates" });
+ };
+ });
+ } else {
+ return res.status(401).json({ error: "401 - unauthorised", info: "your user does not own the server or have a staff role or pi is listed as a staff member" });
+ };
 if (hasAccess == false) return res.status(401).json({ error: "401 - unauthorised", info: "please include your accesscode and user id to use this api more info in the docs " + conf.domain + '/docs' });
diff --git a/src/express/post/api/updateoverview.js b/src/express/post/api/updateoverview.js
index 1c8d021..3d14865 100644
--- a/src/express/post/api/updateoverview.js
+++ b/src/express/post/api/updateoverview.js
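Review bot: `let hasAccess = false;` is now declared inside the new `if (guild.userPermission ...)` block, while the `if (hasAccess == false)` check after the closing `};` remains outside it, so once the block ends the name is out of scope and that line throws a ReferenceError on every request that passes the guild check — after the JSON reply when a code matched, and in place of the 401 when none did (unless an outer `hasAccess` exists above the hunk, which the diff does not show). Hoist the declaration above the block (`let hasAccess = false;` next to `let guild = ...`) or move the `hasAccess == false` check inside it, directly after the `forEach`. `await req.body.normalFilter` and `await ...forEach(...)` await non-promises and are no-ops; since both filter values come straight from the request body and are persisted with `currentServer.save()`, a shape check (`Array.isArray(req.body.normalFilter)`, or whatever the schema expects) before the assignment would keep malformed payloads out of the database. The updateoverview.js and updatereactionroles.js hunks carry the same scoping defect. The function continues outside this hunk.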
@@ -13,23 +13,28 @@ module.exports = {
 if (currentUser == null) return res.status(404).json({ error: "404 - cant find you in the db", message: "that user id cant be found" });
 let currentServer = await Server.findOne({ id: req.body.server.id });
 if (currentServer == null) return res.status(404).json({ error: "404 - cant find that server in the db", message: "that server id cant be found" });
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
- let hasAccess = false;
- await currentUser.accessCodes.forEach(async(userCode) => {
- if (req.body.user.accesscode == userCode.code) {
- hasAccess = true;
- //apply all data from the req to the db (probabbly a better way to do this)
- currentServer.prefix = req.body.prefix || prefix;
- currentServer.staff = req.body.staffids || [];
- currentServer.staffRoles = req.body.staffRoles || [];
- currentServer.channels.modLogs = req.body.channels.modlogs || ' ';
- currentServer.channels.announcments = req.body.channels.announcments || ' ';
- currentServer.channels.townhall = req.body.channels.townhall || ' ';
- currentServer.channels.townhallLogs = req.body.channels.townhallLogs || ' ';
- currentServer.save();
- return res.status(200);
- };
- });
+ let hasAccess = false;
+ await currentUser.accessCodes.forEach(async(userCode) => {
+ if (req.body.user.accesscode == userCode.code) {
+ hasAccess = true;
+ //apply all data from the req to the db (probabbly a better way to do this)
+ currentServer.prefix = req.body.prefix || prefix;
+ currentServer.staff = req.body.staffids || [];
+ currentServer.staffRoles = req.body.staffRoles || [];
+ currentServer.channels.modLogs = req.body.channels.modlogs || ' ';
+ currentServer.channels.announcments = req.body.channels.announcments || ' ';
+ currentServer.channels.townhall = req.body.channels.townhall || ' ';
+ currentServer.channels.townhallLogs = 
req.body.channels.townhallLogs || ' ';
+ currentServer.save();
+ return res.status(200);
+ };
+ });
+ } else {
+ return res.status(401).json({ error: "401 - unauthorised", info: "your user does not own the server or have a staff role or pi is listed as a staff member" });
+ };
 if (hasAccess == false) return res.status(401).JSON({ error: "401 - unauthorised", info: "please include your accesscode and user id to use this api more info in the docs " + conf.domain + '/docs' });
diff --git a/src/express/post/api/updatereactionroles.js b/src/express/post/api/updatereactionroles.js
index 9567e91..0221832 100644
--- a/src/express/post/api/updatereactionroles.js
+++ b/src/express/post/api/updatereactionroles.js
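Review bot: The success path inside the added block ends with `return res.status(200);`, which sets the status but never sends a reply, so a caller with a valid code has its changes saved and then waits until the connection times out; end it with a body, e.g. `return res.status(200).json({ error: "no", message: "overview has been updated" });`. The fallback line after the block calls `res.status(401).JSON(...)`; Express responses expose `json`, not `JSON`, so the wrong-code path raises a TypeError instead of returning 401. Everyone who passes the new check — including users admitted only through `currentServer.staff` — can overwrite `currentServer.staff` and `currentServer.staffRoles` straight from `req.body` with no check that they are arrays of id strings; if staff are not meant to promote arbitrary users, that assignment needs an owner/MANAGE_GUILD-only gate, and an `Array.isArray` check either way. The function continues outside this hunk.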
@@ -12,63 +12,67 @@ module.exports = {
 if (currentUser == null) return res.status(404).json({ error: "404 - cant find you in the db" });
 let currentServer = await Server.findOne({ id: req.body.server.id });
 if (currentServer == null) return res.status(404).json({ error: "404 - cant find that server in the db" });
-
- let hasAccess = false;
- await currentUser.accessCodes.forEach(async(userCode) => {
- if (req.body.user.accesscode == userCode.code) {
- hasAccess = true;
- currentServer.reactionRoles = await req.body.reactionRoles;
- currentServer.save();
- let eachChannelRoles = {};
- await currentServer.reactionRoles.forEach(role => {
- if (!eachChannelRoles[role.channelID]) {
- eachChannelRoles[role.channelID] = [{
- roleID: role.roleID,
- emoji: role.emoji
- }];
- } else {
- eachChannelRoles[role.channelID].push({
- roleID: role.roleID,
- emoji: role.emoji
- });
- };
- });
- for (let i in eachChannelRoles) {
- let rolesEmbed = {
- color: conf.colour.ok,
- title: 'ReactionRoles',
- url: conf.domain,
- author: {
- name: conf.bot.name,
- icon_url: conf.bot.logo,
- url: conf.bot.url,
- },
- description: 'react with the appropriate emoji to get your role',
- fields: [],
- timestamp: new Date(),
- footer: {
- text: currentServer.name,
- },
- };
-
- await eachChannelRoles[i].forEach(role => {
- rolesEmbed.fields.push({
- name: '\u200B',
- value: '<@&' + role.roleID + '> - ' + role.emoji,
- });
+ let guild = await currentUser.guilds[currentServer.id];
+ if (guild.userPermission == 'owner' || guild.userPermission == 'MANAGE_GUILD' || currentServer.staff.includes(currentUser.userId)) {
+ let hasAccess = false;
+ await currentUser.accessCodes.forEach(async(userCode) => {
+ if (req.body.user.accesscode == userCode.code) {
+ hasAccess = true;
+ currentServer.reactionRoles = await req.body.reactionRoles;
+ currentServer.save();
+ let eachChannelRoles = {};
+ await currentServer.reactionRoles.forEach(role => {
+ if (!eachChannelRoles[role.channelID]) {
+
eachChannelRoles[role.channelID] = [{
+ roleID: role.roleID,
+ emoji: role.emoji
+ }];
+ } else {
+ eachChannelRoles[role.channelID].push({
+ roleID: role.roleID,
+ emoji: role.emoji
+ });
+ };
 });
- const channel = client.guilds.cache.get(currentServer.id).channels.cache.get(i)
- if (channel !== undefined) {
- const msg = await channel.send({ embed: rolesEmbed });
- eachChannelRoles[i].forEach(role => {
- msg.react(role.emoji);
+ for (let i in eachChannelRoles) {
+ let rolesEmbed = {
+ color: conf.colour.ok,
+ title: 'ReactionRoles',
+ url: conf.domain,
+ author: {
+ name: conf.bot.name,
+ icon_url: conf.bot.logo,
+ url: conf.bot.url,
+ },
+ description: 'react with the appropriate emoji to get your role',
+ fields: [],
+ timestamp: new Date(),
+ footer: {
+ text: currentServer.name,
+ },
+ };
+
+ await eachChannelRoles[i].forEach(role => {
+ rolesEmbed.fields.push({
+ name: '\u200B',
+ value: '<@&' + role.roleID + '> - ' + role.emoji,
+ });
 });
+ const channel = client.guilds.cache.get(currentServer.id).channels.cache.get(i)
+ if (channel !== undefined) {
+ const msg = await channel.send({ embed: rolesEmbed });
+ eachChannelRoles[i].forEach(role => {
+ msg.react(role.emoji);
+ });
+ };
 };
+ return res.status(200).json({ error: "no", message: "reactionroles have been updates" });
 };
- return res.status(200).json({ error: "no", message: "reactionroles have been updates" });
- };
- });
+ });
+ } else {
+ return res.status(401).json({ error: "401 - unauthorised", info: "your user does not own the server or have a staff role or pi is listed as a staff member" });
 }
 if (hasAccess == false) return res.status(401).json({ error: "401 - unauthorised", info: "please include your accesscode and user id to use this api more info in the docs " + conf.domain + '/docs' });
 } catch (error) {
 console.log(error);
diff --git a/src/express/www/static/js/reactionroles.js b/src/express/www/static/js/reactionroles.js
index 9b23864..c8cfcda 100644
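Review bot: `req.body.reactionRoles` is assigned to `currentServer.reactionRoles` and saved before anything checks that it is an array of `{ channelID, roleID, emoji }` strings, and the same untrusted values then drive `channel.send` and `msg.react(role.emoji)`; the latter is called with neither `await` nor `.catch`, so a malformed emoji turns into an unhandled promise rejection after the 200 has already been sent. Validate the payload up front (`Array.isArray(req.body.reactionRoles)` plus `typeof` checks on the three fields) and await the reactions, e.g. `for (const role of eachChannelRoles[i]) { await msg.react(role.emoji).catch(err => console.log(err)); }`. `eachChannelRoles` is a plain `{}` keyed by the request-supplied `channelID` and walked with `for...in`, so a key like `__proto__` is treated specially; build it as `Object.create(null)` or a `Map` so every key is an own key. The guild-scoped lookup `client.guilds.cache.get(currentServer.id).channels.cache.get(i)` does confine posting to the target server, which is the right shape; the function continues outside this hunk.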
--- a/src/express/www/static/js/reactionroles.js
+++ b/src/express/www/static/js/reactionroles.js
@@ -16,18 +16,13 @@ function loadroles() {
 document.getElementById("ReactionRoles").innerHTML = rrstr;
 }
-
 async function addReactionRole() {
 document.getElementById("info").innerHTML = ''
 var channel = document.getElementById('ReactionRoleChannel').value.toLowerCase().replace(' ', '')
 var role = document.getElementById('ReactionRole').value.toLowerCase().replace(' ', '');
 var emoji = document.getElementById('ReactionRoleEmoji').value;
-
 await reactionRoles.push({ channelID: channel, roleID: role, emoji: emoji });
-
 loadroles()
-
-
 document.getElementById('ReactionRoleChannel').value = '';
 document.getElementById('ReactionRole').value = '';
 document.getElementById('ReactionRoleEmoji').value = '';
 }
@@ -35,18 +30,17 @@ async function addReactionRole() {
 async function removeReactionRole() {
 document.getElementById("info").innerHTML = ''
 var role = document.getElementById('ReactionRole').value.toLowerCase().replace(' ', '');
- var channel = document.getElementById('ReactionRoleChannel').value.toLowerCase().replace(' ', '')
-
+ var channel = document.getElementById('ReactionRoleChannel').value.toLowerCase().replace(' ', '');
+ var emoji = document.getElementById('ReactionRoleEmoji').value;
 for (let i = 0; i < reactionRoles.length; i++) {
-
 if (reactionRoles[i].channelID == channel) {
 if (reactionRoles[i].roleID == role) {
- reactionRoles.splice(i, 1);
- loadroles()
- document.getElementById('ReactionRoleChannel').value = '';
- document.getElementById('ReactionRole').value = '';
- document.getElementById('ReactionRoleEmoji').value = '';
-
+ if (reactionRoles[i].emoji == emoji) {
+ reactionRoles.splice(i, 1);
+ loadroles()
+ document.getElementById('ReactionRole').value = '';
+ document.getElementById('ReactionRoleEmoji').value = '';
+ };
 };
 };
 };
diff --git a/src/funcs/otr.js b/src/funcs/otr.js
index b64b5b3..bff58e5 100644
--- a/src/funcs/otr.js
+++ b/src/funcs/otr.js
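Review bot: `reactionRoles.splice(i, 1)` now sits inside a three-way match in an ascending `for` loop; removing index `i` shifts the next entry into that slot without re-examining it, so two identical entries in a row (nothing in `addReactionRole` prevents them) leave one behind. Iterate downward, `for (let i = reactionRoles.length - 1; i >= 0; i--) {`, or rebuild the array with `filter`. `.replace(' ', '')` on the channel and role fields strips only the first space; `replace(/ /g, '')` strips them all, which matters if the values are later compared against stored ids. The function's closing brace is outside the hunk.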
@@ -2,8 +2,9 @@
 * licence https://github.com/404invalid-user/knightrider/blob/main/LICENCE
 */
 const getServer = require('../funcs/getserver');
+const conf = require('../conf/conf.json')
 module.exports = {
- otrCommand: async function(message, args, Discord, client) {
+ otrCommand: async function(message, args, Discord, server, messageUser, client) {
 if (message.author.id == conf.cwh11) {
 let server = getServer(message);
 if (server == null) return message.channel.send("this server isnt in the db");
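Review bot: The new `server` parameter in `otrCommand`'s signature is immediately shadowed by `let server = getServer(message);` inside the `if (message.author.id == conf.cwh11)` block, so within the visible lines the caller-supplied value is never used; either drop the `let` and use the parameter, or rename one of them, because as written a reader cannot tell which is authoritative. Inserting `server, messageUser` before `client` also changes the positional meaning of the fourth argument, so any call site still passing `(message, args, Discord, client)` would now bind its client to `server` and leave `client` undefined; the call sites are not in this diff, so that is worth checking. The rest of the function is outside the hunk.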