src/services/PermissionManager.ts

/**
 * This file is part of SudoBot.
 *
 * Copyright (C) 2021-2023 OSN Developers.
 *
 * SudoBot is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * SudoBot is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
 */

import { PermissionOverwrite } from "@prisma/client";
import { log } from "console";
import { GuildMember, PermissionFlagsBits, PermissionResolvable, PermissionsBitField, Role, Snowflake } from "discord.js";
import Service from "../core/Service";
import AbstractPermissionManager from "../utils/AbstractPermissionManager";
import DiscordBasedPermissionManager from "../utils/DiscordBasedPermissionManager";
import LayerBasedPermissionManager from "../utils/LayerBasedPermissionManager";
import LevelBasedPermissionManager from "../utils/LevelBasedPermissionManager";
import { logInfo } from "../utils/logger";
import { GuildConfig } from "./ConfigManager";

export const name = "permissionManager";

export type GetMemberPermissionInGuildResult = {
    permissions: PermissionsBitField;
} & (
    | {
          type: "levels";
          level: number;
      }
    | {
          type: "discord";
      }
    | {
          type: "layered";
          highestOverwrite?: PermissionOverwrite;
          highestRoleHavingOverwrite?: Role;
          overwriteIds: number[];
      }
);

export default class PermissionManager<M extends AbstractPermissionManager = AbstractPermissionManager> extends Service {
    protected readonly cache: Record<`${Snowflake}_${Snowflake}`, object> = {};
    protected readonly managers: Record<NonNullable<GuildConfig["permissions"]["mode"]>, AbstractPermissionManager | undefined> =
        {
            layered: new LayerBasedPermissionManager(this.client),
            discord: new DiscordBasedPermissionManager(this.client),
            levels: new LevelBasedPermissionManager(this.client)
        };

    boot() {
        if (!this.client.configManager.systemConfig.sync_permission_managers_on_boot) {
            return;
        }

        for (const managerName in this.managers) {
            this.managers[managerName as keyof typeof this.managers]?.sync?.();
            logInfo(`[${this.constructor.name}] Synchronizing ${managerName} permission manager`);
        }
    }

    async isImmuneToAutoMod(member: GuildMember, permission?: PermissionResolvable[] | PermissionResolvable) {
        if (this.client.configManager.systemConfig.system_admins.includes(member.user.id)) return true;

        const config = this.client.configManager.config[member.guild.id];

        if (!config) return true;

        const { admin_role, mod_role, staff_role, check_discord_permissions, invincible_roles } = config.permissions ?? {};

        if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
            log("Member has roles that are immune to automod");
            return true;
        }

        for (const roleId of invincible_roles) {
            if (member.roles.cache.has(roleId)) {
                log("Member has roles that are immune to this action");
                return false;
            }
        }

        if (check_discord_permissions === "automod" || check_discord_permissions === "both") {
            const hasDiscordPerms =
                member.permissions.has(PermissionFlagsBits.ManageGuild, true) ||
                (permission && member.permissions.has(permission, true));

            if (hasDiscordPerms) {
                log("Member has discord permissions that are immune to automod");
                return true;
            }
        }

        const manager = await this.getManager(member.guild.id);
        const { permissions } = manager.getMemberPermissions(member);
        const hasPermissions = permissions.has("Administrator") || permissions.has("ManageGuild");

        if (hasPermissions) {
            log("Member has permissions that are immune to automod");
            return true;
        }

        return manager.isImmuneToAutoMod(member, permission);
    }

    // FIXME: Move these permission checks to DiscordBasedPermissionManager
    async shouldModerate(member: GuildMember, moderator: GuildMember) {
        if (this.client.configManager.systemConfig.system_admins.includes(moderator.user.id)) return true;

        const config = this.client.configManager.config[member.guild.id];

        if (!config) return false;

        if (member.guild.ownerId === member.user.id) return false;
        if (member.guild.ownerId === moderator.user.id) return true;

        const { admin_role, mod_role, staff_role, invincible_roles, check_discord_permissions } = config.permissions ?? {};

        if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
            log("Member has roles that are immune to this action");
            return false;
        }

        for (const roleId of invincible_roles) {
            if (member.roles.cache.has(roleId)) {
                log("Member has roles that are immune to this action");
                return false;
            }
        }

        if (
            (check_discord_permissions === "manual_actions" || check_discord_permissions === "both") &&
            member.roles.highest.position >= moderator.roles.highest.position
        ) {
            log("Member has higher/equal roles than moderator");
            return false;
        }

        const manager = await this.getManager(member.guild.id);
        return await manager.shouldModerate(member, moderator);
    }

    protected getMode(guildId: string) {
        return this.client.configManager.config[guildId]?.permissions.mode ?? "discord";
    }

    async getManager(guildId: string): Promise<M> {
        const manager = this.managers[this.getMode(guildId)];

        if (!manager) {
            throw new Error("Unknown/Unsupported permission mode: " + this.getMode(guildId));
        }

        await manager.triggerSyncIfNeeded();
        return manager as M;
    }

    async getMemberPermissions(member: GuildMember, mergeWithDiscordPermissions?: boolean) {
        console.log("before Getting member permissions");
        const manager = await this.getManager(member.guild.id);
        console.log("Getting member permissions");
        return manager.getMemberPermissions(member, mergeWithDiscordPermissions);
    }

    usesLayeredMode(guildId: string) {
        return this.getMode(guildId) === "layered";
    }

    usesLevelBasedMode(guildId: string): this is PermissionManager<LevelBasedPermissionManager> {
        return this.getMode(guildId) === "levels";
    }

    usesDiscordMode(guildId: string) {
        return this.getMode(guildId) === "discord";
    }
}
1	rakinar2	577	/**
2			* This file is part of SudoBot.
3			*
4			* Copyright (C) 2021-2023 OSN Developers.
5			*
6			* SudoBot is free software; you can redistribute it and/or modify it
7			* under the terms of the GNU Affero General Public License as published by
8			* the Free Software Foundation, either version 3 of the License, or
9			* (at your option) any later version.
10			*
11			* SudoBot is distributed in the hope that it will be useful, but
12			* WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14			* GNU Affero General Public License for more details.
15			*
16			* You should have received a copy of the GNU Affero General Public License
17			* along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
18			*/
19
20			import { PermissionOverwrite } from "@prisma/client";
21			import { log } from "console";
22			import { GuildMember, PermissionFlagsBits, PermissionResolvable, PermissionsBitField, Role, Snowflake } from "discord.js";
23			import Service from "../core/Service";
24			import AbstractPermissionManager from "../utils/AbstractPermissionManager";
25			import DiscordBasedPermissionManager from "../utils/DiscordBasedPermissionManager";
26			import LayerBasedPermissionManager from "../utils/LayerBasedPermissionManager";
27			import LevelBasedPermissionManager from "../utils/LevelBasedPermissionManager";
28			import { logInfo } from "../utils/logger";
29			import { GuildConfig } from "./ConfigManager";
30
31			export const name = "permissionManager";
32
33			export type GetMemberPermissionInGuildResult = {
34			permissions: PermissionsBitField;
35			} & (
36			\| {
37			type: "levels";
38			level: number;
39			}
40			\| {
41			type: "discord";
42			}
43			\| {
44			type: "layered";
45			highestOverwrite?: PermissionOverwrite;
46			highestRoleHavingOverwrite?: Role;
47			overwriteIds: number[];
48			}
49			);
50
51			export default class PermissionManager<M extends AbstractPermissionManager = AbstractPermissionManager> extends Service {
52			protected readonly cache: Record<`${Snowflake}_${Snowflake}`, object> = {};
53			protected readonly managers: Record<NonNullable<GuildConfig["permissions"]["mode"]>, AbstractPermissionManager \| undefined> =
54			{
55			layered: new LayerBasedPermissionManager(this.client),
56			discord: new DiscordBasedPermissionManager(this.client),
57			levels: new LevelBasedPermissionManager(this.client)
58			};
59
60			boot() {
61			if (!this.client.configManager.systemConfig.sync_permission_managers_on_boot) {
62			return;
63			}
64
65			for (const managerName in this.managers) {
66			this.managers[managerName as keyof typeof this.managers]?.sync?.();
67			logInfo(`[${this.constructor.name}] Synchronizing ${managerName} permission manager`);
68			}
69			}
70
71			async isImmuneToAutoMod(member: GuildMember, permission?: PermissionResolvable[] \| PermissionResolvable) {
72			if (this.client.configManager.systemConfig.system_admins.includes(member.user.id)) return true;
73
74			const config = this.client.configManager.config[member.guild.id];
75
76			if (!config) return true;
77
78			const { admin_role, mod_role, staff_role, check_discord_permissions, invincible_roles } = config.permissions ?? {};
79
80			if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
81			log("Member has roles that are immune to automod");
82			return true;
83			}
84
85			for (const roleId of invincible_roles) {
86			if (member.roles.cache.has(roleId)) {
87			log("Member has roles that are immune to this action");
88			return false;
89			}
90			}
91
92			if (check_discord_permissions === "automod" \|\| check_discord_permissions === "both") {
93			const hasDiscordPerms =
94			member.permissions.has(PermissionFlagsBits.ManageGuild, true) \|\|
95			(permission && member.permissions.has(permission, true));
96
97			if (hasDiscordPerms) {
98			log("Member has discord permissions that are immune to automod");
99			return true;
100			}
101			}
102
103			const manager = await this.getManager(member.guild.id);
104			const { permissions } = manager.getMemberPermissions(member);
105			const hasPermissions = permissions.has("Administrator") \|\| permissions.has("ManageGuild");
106
107			if (hasPermissions) {
108			log("Member has permissions that are immune to automod");
109			return true;
110			}
111
112			return manager.isImmuneToAutoMod(member, permission);
113			}
114
115			// FIXME: Move these permission checks to DiscordBasedPermissionManager
116			async shouldModerate(member: GuildMember, moderator: GuildMember) {
117			if (this.client.configManager.systemConfig.system_admins.includes(moderator.user.id)) return true;
118
119			const config = this.client.configManager.config[member.guild.id];
120
121			if (!config) return false;
122
123			if (member.guild.ownerId === member.user.id) return false;
124			if (member.guild.ownerId === moderator.user.id) return true;
125
126			const { admin_role, mod_role, staff_role, invincible_roles, check_discord_permissions } = config.permissions ?? {};
127
128			if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
129			log("Member has roles that are immune to this action");
130			return false;
131			}
132
133			for (const roleId of invincible_roles) {
134			if (member.roles.cache.has(roleId)) {
135			log("Member has roles that are immune to this action");
136			return false;
137			}
138			}
139
140			if (
141			(check_discord_permissions === "manual_actions" \|\| check_discord_permissions === "both") &&
142			member.roles.highest.position >= moderator.roles.highest.position
143			) {
144			log("Member has higher/equal roles than moderator");
145			return false;
146			}
147
148			const manager = await this.getManager(member.guild.id);
149			return await manager.shouldModerate(member, moderator);
150			}
151
152			protected getMode(guildId: string) {
153			return this.client.configManager.config[guildId]?.permissions.mode ?? "discord";
154			}
155
156			async getManager(guildId: string): Promise<M> {
157			const manager = this.managers[this.getMode(guildId)];
158
159			if (!manager) {
160			throw new Error("Unknown/Unsupported permission mode: " + this.getMode(guildId));
161			}
162
163			await manager.triggerSyncIfNeeded();
164			return manager as M;
165			}
166
167			async getMemberPermissions(member: GuildMember, mergeWithDiscordPermissions?: boolean) {
168			console.log("before Getting member permissions");
169			const manager = await this.getManager(member.guild.id);
170			console.log("Getting member permissions");
171			return manager.getMemberPermissions(member, mergeWithDiscordPermissions);
172			}
173
174			usesLayeredMode(guildId: string) {
175			return this.getMode(guildId) === "layered";
176			}
177
178			usesLevelBasedMode(guildId: string): this is PermissionManager<LevelBasedPermissionManager> {
179			return this.getMode(guildId) === "levels";
180			}
181
182			usesDiscordMode(guildId: string) {
183			return this.getMode(guildId) === "discord";
184			}
185			}