From f17232e0c142012cf236443b8f03cbcb3cea1e3d Mon Sep 17 00:00:00 2001
From: Tiago R <metal@i0.tf>
Date: Wed, 27 Dec 2023 18:35:16 +0000
Subject: [PATCH] dont allow self targeting for set-perms (#434)

Signed-off-by: GitHub <noreply@github.com>
---
 backend/src/api/guilds.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/api/guilds.ts b/backend/src/api/guilds.ts
index ba937093..4fef738f 100644
--- a/backend/src/api/guilds.ts
+++ b/backend/src/api/guilds.ts
@@ -126,7 +126,7 @@ export function initGuildsAPI(app: express.Express) {
         if (type !== ApiPermissionTypes.User) {
           return clientError(res, "Invalid type");
         }
-        if (!isSnowflake(targetId)) {
+        if (!isSnowflake(targetId) || targetId === req.user!.userId) {
           return clientError(res, "Invalid targetId");
         }
         const validPermissions = new Set(Object.values(ApiPermissions));