From 99cb2e01d317b852871ae46fce7bb2b051865407 Mon Sep 17 00:00:00 2001
From: Tiago R
Date: Sun, 26 Nov 2023 12:55:06 +0000
Subject: [PATCH] dont allow self targeting for set-perms
Signed-off-by: GitHub
---
 backend/src/api/guilds.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/api/guilds.ts b/backend/src/api/guilds.ts
index ba937093..4fef738f 100644
--- a/backend/src/api/guilds.ts
+++ b/backend/src/api/guilds.ts
@@ -126,7 +126,7 @@ export function initGuildsAPI(app: express.Express) {
 if (type !== ApiPermissionTypes.User) {
 return clientError(res, "Invalid type");
 }
- if (!isSnowflake(targetId)) {
+ if (!isSnowflake(targetId) || targetId === req.user!.userId) {
 return clientError(res, "Invalid targetId");
 }
 const validPermissions = new Set(Object.values(ApiPermissions));
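Review bot: The self-target rejection in the changed `if` shares a branch and the "Invalid targetId" message with the format check, so a caller who submits their own ID is told it is malformed and the authorization rule is not visible to the next reader. I would give it its own guard after the format check, `if (targetId === req.user!.userId) { return clientError(res, "Cannot modify your own permissions"); }`, with the comment `// Callers may not edit their own entry, so nobody can grant themselves permissions`. The comparison is plain string equality and relies on `req.user!` being set by the auth middleware and on `isSnowflake` accepting only one canonical form per ID; both are defined outside the hunk and worth confirming. Blocking self-targeting alone does not bound what a caller may grant to a different account, so the rest of the handler (which continues past the hunk) should also check that the requested permissions do not exceed the caller's own, if it does not already.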