fix: #8971, disallow flags of privileged users (mods, gmods, admins)

2025-11-03 04:25:55 +01:00 · 2020-11-27 11:54:27 -05:00
parent dadb2527da
commit 1e7cf1cbc4
5 changed files with 39 additions and 2 deletions
--- a/src/flags.js
+++ b/src/flags.js
@@ -251,6 +251,15 @@ Flags.validate = async function (payload) {
 		throw new Error('[[error:user-banned]]');
 	}

+	// Disallow flagging of profiles/content of privileged users
+	const [targetPrivileged, reporterPrivileged] = await Promise.all([
+		user.isPrivileged(target.uid),
+		user.isPrivileged(reporter.uid),
+	]);
+	if (targetPrivileged && !reporterPrivileged) {
+		throw new Error('[[error:cant-flag-privileged]]');
+	}
+
 	if (payload.type === 'post') {
 		const editable = await privileges.posts.canEdit(payload.id, payload.uid);
 		if (!editable.flag && !meta.config['reputation:disabled'] && reporter.reputation < meta.config['min:rep:flag']) {