aboutsummaryrefslogtreecommitdiff
path: root/src/routes/api/badges
diff options
context:
space:
mode:
Diffstat (limited to 'src/routes/api/badges')
-rw-r--r--src/routes/api/badges/+server.ts14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/routes/api/badges/+server.ts b/src/routes/api/badges/+server.ts
index 2673273c..10b63125 100644
--- a/src/routes/api/badges/+server.ts
+++ b/src/routes/api/badges/+server.ts
@@ -16,6 +16,7 @@ import {
import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
import { appOrigin, appOriginHeaders } from "$lib/Utility/appOrigin";
+import { isOwnerOrPrivileged } from "$lib/Utility/authorisation";
import privilegedUser from "$lib/Utility/privilegedUser";
const unauthorised = () => new Response("Unauthorised", { status: 401 });
@@ -76,11 +77,14 @@ export const PUT = async ({ cookies, url, request }) => {
if (!identity) return unauthorised();
const authorised = privilegedUser(identity.id);
- if (url.searchParams.get("shadowHide"))
- await setShadowHidden(
- Number(url.searchParams.get("shadowHide")),
- authorised,
- );
+ if (url.searchParams.get("shadowHide")) {
+ const targetUserId = Number(url.searchParams.get("shadowHide"));
+
+ if (!isOwnerOrPrivileged(identity.id, targetUserId, authorised))
+ return unauthorised();
+
+ await setShadowHidden(targetUserId, authorised);
+ }
if (url.searchParams.get("import") || undefined) {
const importedBadges = await decodeRequestJsonOrThrow(
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-02 18:26:12 +0000