From 846da9c955cdc00c27d71ed5cf7f2bdaf3406021 Mon Sep 17 00:00:00 2001
From: zijiren233
Date: Mon, 15 Apr 2024 23:30:55 +0800
Subject: [PATCH] Fix: admin operation permission verification

---
 internal/op/room.go | 9 ++++++++-
 internal/op/user.go | 26 ++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/internal/op/room.go b/internal/op/room.go
index 324d9b4..e77115c 100644
--- a/internal/op/room.go
+++ b/internal/op/room.go
@@ -102,12 +102,19 @@ func (r *Room) UserRole(userID string) (model.RoomMemberRole, error) {
 
 // do not use this value for permission determination
 func (r *Room) IsAdmin(userID string) bool {
+ if r.IsCreator(userID) {
+ return true
+ }
 role, err := r.UserRole(userID)
 if err != nil {
 log.Errorf("get user role failed: %s", err.Error())
 return false
 }
- return role == model.RoomMemberRoleCreator
+ return role.IsAdmin()
+}
+
+func (r *Room) IsCreator(userID string) bool {
+ return r.CreatorID == userID
 }
 
 func (r *Room) HasAdminPermission(userID string, permission model.RoomAdminPermission) bool {
diff --git a/internal/op/user.go b/internal/op/user.go
index a0a850b..f426f0c 100644
--- a/internal/op/user.go
+++ b/internal/op/user.go
@@ -208,14 +208,11 @@ func (u *User) HasRoomAdminPermission(room *Room, permission model.RoomAdminPerm
 }
 
 func (u *User) IsRoomAdmin(room *Room) bool {
- if u.IsAdmin() {
- return true
- }
 return room.IsAdmin(u.ID)
 }
 
 func (u *User) IsRoomCreator(room *Room) bool {
- return room.CreatorID == u.ID
+ return room.IsCreator(u.ID)
 }
 
 func (u *User) DeleteRoom(room *RoomEntry) error {
@@ -454,6 +451,12 @@ func (u *User) BanRoomMember(room *Room, userID string) error {
 if !u.HasRoomAdminPermission(room, model.PermissionBanRoomMember) {
 return model.ErrNoPermission
 }
+ if u.ID == userID {
+ return errors.New("cannot ban yourself")
+ }
+ if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+ return errors.New("cannot ban admin")
+ }
 return room.BanMember(userID)
 }
 
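Review bot: `Room.IsAdmin` still returns false when `UserRole` fails (the `log.Errorf` branch), so as soon as it is used as a protection check — as `BanRoomMember` and the permission setters in this same patch do via `room.IsAdmin(userID)` — a role-lookup error makes a protected admin look like an ordinary member; the existing comment "do not use this value for permission determination" warns about exactly this and now contradicts the new callers. Consider a companion that surfaces the error, e.g. `func (r *Room) adminStatus(userID string) (bool, error)` built from `IsCreator` and `UserRole`, and keep `IsAdmin` for display-only use as the comment intends. `IsCreator` is new and exported but undocumented; a comment such as `// IsCreator reports whether userID equals the room's CreatorID; it does not consult the member table.` would also make explicit that this is a raw string comparison, so if `CreatorID` can ever be empty an empty `userID` would match — worth confirming against the callers, which are not visible here.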
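Review bot: Dropping the `u.IsAdmin()` short-circuit from `IsRoomAdmin` changes who counts as a room admin, but `HasRoomAdminPermission` — the gate every operation in user.go checks first, and whose body ends at the `}` that opens this hunk — is outside the hunk, so whether site-wide admins still pass that gate cannot be confirmed from the patch; if it keeps its own `u.IsAdmin()` override, site admins will still be able to ban and re-permission members while `IsRoomAdmin` reports them as non-admins. Either way the new semantics deserve a doc comment on `IsRoomAdmin`, e.g. `// IsRoomAdmin reports whether u is room's creator or holds an admin role in it; site-wide admin status is deliberately not considered.`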
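Review bot: The `cannot ban admin` guard in `BanRoomMember` fails open: `room.IsAdmin(userID)` returns false when the role lookup errors (see the room.go hunk in this patch), so a transient store error lets a non-creator admin ban another admin. The protection should resolve the target's role itself and refuse on error, checking `room.IsCreator` first so the creator (who may have no member row, which is presumably why `IsAdmin` now short-circuits on the creator) stays protected without a lookup; a sketch follows. The ad-hoc `errors.New` values also differ from the `model.ErrNoPermission` sentinel returned two lines above, which a caller matching with `errors.Is` cannot recognise — a package-level sentinel would keep the API consistent, assuming the HTTP layer maps sentinels to status codes (not visible here).
```go
func (u *User) BanRoomMember(room *Room, userID string) error {
	// … unchanged: HasRoomAdminPermission gate and self-ban check …
	if !u.IsRoomCreator(room) {
		if room.IsCreator(userID) {
			return errors.New("cannot ban admin")
		}
		role, err := room.UserRole(userID)
		if err != nil {
			// fail closed: an unknown role must not make the target bannable
			return err
		}
		if role.IsAdmin() {
			return errors.New("cannot ban admin")
		}
	}
	return room.BanMember(userID)
}
```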
@@ -461,6 +464,9 @@ func (u *User) UnbanRoomMember(room *Room, userID string) error {
 if !u.HasRoomAdminPermission(room, model.PermissionBanRoomMember) {
 return model.ErrNoPermission
 }
+ if u.ID == userID {
+ return errors.New("cannot unban yourself")
+ }
 return room.UnbanMember(userID)
 }
 
@@ -468,6 +474,9 @@ func (u *User) SetMemberPermissions(room *Room, userID string, permissions model
 if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 return model.ErrNoPermission
 }
+ if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+ return errors.New("cannot set admin permissions")
+ }
 return room.SetMemberPermissions(userID, permissions)
 }
 
@@ -475,6 +484,9 @@ func (u *User) AddMemberPermissions(room *Room, userID string, permissions model
 if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 return model.ErrNoPermission
 }
+ if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+ return errors.New("cannot add admin permissions")
+ }
 return room.AddMemberPermissions(userID, permissions)
 }
 
@@ -482,6 +494,9 @@ func (u *User) RemoveMemberPermissions(room *Room, userID string, permissions mo
 if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 return model.ErrNoPermission
 }
+ if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+ return errors.New("cannot remove admin permissions")
+ }
 return room.RemoveMemberPermissions(userID, permissions)
 }
 
@@ -489,6 +504,9 @@ func (u *User) ResetMemberPermissions(room *Room, userID string) error {
 if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 return model.ErrNoPermission
 }
+ if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+ return errors.New("cannot reset admin permissions")
+ }
 return room.ResetMemberPermissions(userID)
 }
 
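Review bot: `SetMemberPermissions` does not stop `u` from targeting `u.ID`, so a non-admin member who holds `PermissionSetUserPermission` can replace their own permission set with a larger one — the new admin guard does not fire because `room.IsAdmin(u.ID)` is false for a plain member — which is a self-escalation path unless `Room.SetMemberPermissions` itself restricts which bits a caller may grant (not visible here). `BanRoomMember` in the same patch already refuses `u.ID == userID`; the same guard fits here, before the admin check: `if u.ID == userID { return errors.New("cannot change your own permissions") }`. The guard as written also inherits `Room.IsAdmin`'s fail-open behaviour on a role-lookup error, the same issue as in `BanRoomMember`.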
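Review bot: The message `cannot add admin permissions` in `AddMemberPermissions` describes the wrong thing — the check is about the target already being an admin, not about admin-level bits being granted — so a reader (or a log) will misread it; `cannot modify an admin's permissions` says what the guard actually enforces. The value is also a fresh `errors.New` while the gate two lines above returns `model.ErrNoPermission`, so a caller matching with `errors.Is` will treat this refusal as a generic failure and the string becomes the only discriminator; a shared sentinel such as `var ErrCannotModifyAdmin = errors.New("cannot modify an admin's permissions")` used by Set/Add/Remove/Reset would fix both points. The same self-target gap raised on `SetMemberPermissions` applies to `AddMemberPermissions` as well.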
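Review bot: With this hunk the pair `room.IsAdmin(userID) && !u.IsRoomCreator(room)` is repeated verbatim in Ban, Set, Add, Remove and Reset, each with its own error string, so any later correction (for instance making the check fail closed when the role lookup errors, which `Room.IsAdmin` currently does not) has to be applied five times and is easy to miss once. Extract one helper that answers "may u manage userID's membership in room", call it from each method after the permission gate, and document the creator exemption in one place; a sketch using `ResetMemberPermissions` follows, with the other four methods changed the same way. Returning `model.ErrNoPermission` from the helper would also align these refusals with the sentinel the gate already uses, if the handler layer relies on it.
```go
// canManageMember reports whether u may ban or re-permission userID in room:
// the creator may manage anyone; other admins may not touch the creator or a
// fellow admin. A role-lookup error is returned rather than ignored, so the
// check fails closed.
func (u *User) canManageMember(room *Room, userID string) error {
	if u.IsRoomCreator(room) {
		return nil
	}
	if room.IsCreator(userID) {
		return model.ErrNoPermission
	}
	role, err := room.UserRole(userID)
	if err != nil {
		return err
	}
	if role.IsAdmin() {
		return model.ErrNoPermission
	}
	return nil
}

func (u *User) ResetMemberPermissions(room *Room, userID string) error {
	// … unchanged: HasRoomAdminPermission gate …
	if err := u.canManageMember(room, userID); err != nil {
		return err
	}
	return room.ResetMemberPermissions(userID)
}
```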