dont allow self targeting for set-perms (#434)

Signed-off-by: GitHub <[email protected]>
ZeppelinBot · Dec 27, 2023 · f17232e · f17232e
1 parent e5e5746
commit f17232e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/backend/src/api/guilds.ts b/backend/src/api/guilds.ts
@@ -126,7 +126,7 @@ export function initGuildsAPI(app: express.Express) {
         if (type !== ApiPermissionTypes.User) {
           return clientError(res, "Invalid type");
         }
-        if (!isSnowflake(targetId)) {
+        if (!isSnowflake(targetId) || targetId === req.user!.userId) {
           return clientError(res, "Invalid targetId");
         }
         const validPermissions = new Set(Object.values(ApiPermissions));