mirror of
				https://github.com/Hessenuk/DiscordTickets.git
				synced 2025-10-21 21:08:36 +03:00 
			
		
		
		
	fix(🚨 security): anyone with the channel ID could read transcripts
This commit is contained in:
		| @@ -6,6 +6,8 @@ const Mustache = require('mustache'); | ||||
| const { AttachmentBuilder } = require('discord.js'); | ||||
| const Cryptr = require('cryptr'); | ||||
| const { decrypt } = new Cryptr(process.env.ENCRYPTION_KEY); | ||||
| const { isStaff } = require('../../lib/users'); | ||||
| const ExtendedEmbedBuilder = require('../../lib/embed'); | ||||
|  | ||||
| module.exports = class TranscriptSlashCommand extends SlashCommand { | ||||
| 	constructor(client, options) { | ||||
| @@ -44,29 +46,9 @@ module.exports = class TranscriptSlashCommand extends SlashCommand { | ||||
| 		); | ||||
| 	} | ||||
|  | ||||
| 	async fillTemplate(ticketId) { | ||||
| 	async fillTemplate(ticket) { | ||||
| 		/** @type {import("client")} */ | ||||
| 		const client = this.client; | ||||
| 		const ticket = await client.prisma.ticket.findUnique({ | ||||
| 			include: { | ||||
| 				archivedChannels: true, | ||||
| 				archivedMessages: { | ||||
| 					orderBy: { createdAt: 'asc' }, | ||||
| 					where: { external: false }, | ||||
| 				}, | ||||
| 				archivedRoles: true, | ||||
| 				archivedUsers: true, | ||||
| 				category: true, | ||||
| 				claimedBy: true, | ||||
| 				closedBy: true, | ||||
| 				createdBy: true, | ||||
| 				feedback: true, | ||||
| 				guild: true, | ||||
| 				questionAnswers: true, | ||||
| 			}, | ||||
| 			where: { id: ticketId }, | ||||
| 		}); | ||||
| 		if (!ticket) throw new Error(`Ticket ${ticketId} does not exist`); | ||||
|  | ||||
| 		ticket.claimedBy = ticket.archivedUsers.find(u => u.userId === ticket.claimedById); | ||||
| 		ticket.closedBy = ticket.archivedUsers.find(u => u.userId === ticket.closedById); | ||||
| @@ -137,14 +119,60 @@ module.exports = class TranscriptSlashCommand extends SlashCommand { | ||||
| 	 * @param {import("discord.js").ChatInputCommandInteraction} interaction | ||||
| 	 */ | ||||
| 	async run(interaction) { | ||||
| 		/** @type {import("client")} */ | ||||
| 		const client = this.client; | ||||
|  | ||||
| 		await interaction.deferReply({ ephemeral: true }); | ||||
| 		const ticketId = interaction.options.getString('ticket', true); | ||||
| 		const ticket = await client.prisma.ticket.findUnique({ | ||||
| 			include: { | ||||
| 				archivedChannels: true, | ||||
| 				archivedMessages: { | ||||
| 					orderBy: { createdAt: 'asc' }, | ||||
| 					where: { external: false }, | ||||
| 				}, | ||||
| 				archivedRoles: true, | ||||
| 				archivedUsers: true, | ||||
| 				category: true, | ||||
| 				claimedBy: true, | ||||
| 				closedBy: true, | ||||
| 				createdBy: true, | ||||
| 				feedback: true, | ||||
| 				guild: true, | ||||
| 				questionAnswers: true, | ||||
| 			}, | ||||
| 			where: { id: ticketId }, | ||||
| 		}); | ||||
|  | ||||
| 		if (!ticket) throw new Error(`Ticket ${ticketId} does not exist`); | ||||
|  | ||||
| 		if ( | ||||
| 			ticket.createdById !== interaction.member.id && | ||||
| 			!(await isStaff(interaction.guild, interaction.member.id)) | ||||
| 		) { | ||||
| 			const settings = await client.prisma.guild.findUnique({ where: { id: interaction.guild.id } }); | ||||
| 			const getMessage = client.i18n.getLocale(settings.locale); | ||||
| 			return await interaction.editReply({ | ||||
| 				embeds: [ | ||||
| 					new ExtendedEmbedBuilder({ | ||||
| 						iconURL: interaction.guild.iconURL(), | ||||
| 						text: ticket.guild.footer, | ||||
| 					}) | ||||
| 						.setColor(ticket.guild.errorColour) | ||||
| 						.setTitle(getMessage('commands.slash.transcript.not_staff.title')) | ||||
| 						.setDescription(getMessage('commands.slash.transcript.not_staff.description')), | ||||
| 				], | ||||
| 			}); | ||||
| 		} | ||||
|  | ||||
| 		const { | ||||
| 			fileName, | ||||
| 			transcript, | ||||
| 		} = await this.fillTemplate(interaction.options.getString('ticket', true)); | ||||
| 		} = await this.fillTemplate(ticket); | ||||
| 		const attachment = new AttachmentBuilder() | ||||
| 			.setFile(Buffer.from(transcript)) | ||||
| 			.setName(fileName); | ||||
|  | ||||
| 		await interaction.editReply({ files: [attachment] }); | ||||
| 		// TODO: add portal link | ||||
| 	} | ||||
|   | ||||
| @@ -228,6 +228,9 @@ commands: | ||||
|     transcript: | ||||
|       description: Get the transcript of a ticket | ||||
|       name: transcript | ||||
|       not_staff: | ||||
|         description: Only staff members can read the transcripts of others' tickets. | ||||
|         title: ❌ Error | ||||
|       options: | ||||
|         member: | ||||
|           description: The member to search for tickets of | ||||
|   | ||||
		Reference in New Issue
	
	Block a user