src/services/PermissionManager.ts

/**
 * This file is part of SudoBot.
 *
 * Copyright (C) 2021-2023 OSN Developers.
 *
 * SudoBot is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * SudoBot is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
 */

import { PermissionOverwrite } from "@prisma/client";
import {
    GuildMember,
    PermissionFlagsBits,
    PermissionResolvable,
    PermissionsBitField,
    Role,
    Snowflake
} from "discord.js";
import Service from "../core/Service";
import AbstractPermissionManager from "../security/AbstractPermissionManager";
import DiscordBasedPermissionManager from "../security/DiscordBasedPermissionManager";
import LayerBasedPermissionManager from "../security/LayerBasedPermissionManager";
import LevelBasedPermissionManager from "../security/LevelBasedPermissionManager";
import { log, logInfo } from "../utils/Logger";
import { GuildConfig } from "./ConfigManager";

export const name = "permissionManager";

export type GetMemberPermissionInGuildResult = {
    permissions: PermissionsBitField;
} & (
    | {
          type: "levels";
          level: number;
      }
    | {
          type: "discord";
      }
    | {
          type: "layered";
          highestOverwrite?: PermissionOverwrite;
          highestRoleHavingOverwrite?: Role;
          overwriteIds: number[];
      }
);

export default class PermissionManager<
    M extends AbstractPermissionManager = AbstractPermissionManager
> extends Service {
    protected readonly cache: Record<`${Snowflake}_${Snowflake}`, object> = {};
    protected readonly managers: Record<
        NonNullable<GuildConfig["permissions"]["mode"]>,
        AbstractPermissionManager | undefined
    > = {
        layered: new LayerBasedPermissionManager(this.client),
        discord: new DiscordBasedPermissionManager(this.client),
        levels: new LevelBasedPermissionManager(this.client)
    };

    boot() {
        if (!this.client.configManager.systemConfig.sync_permission_managers_on_boot) {
            return;
        }

        for (const managerName in this.managers) {
            this.managers[managerName as keyof typeof this.managers]?.sync?.();
            logInfo(`[${this.constructor.name}] Synchronizing ${managerName} permission manager`);
        }
    }

    async isImmuneToAutoMod(
        member: GuildMember,
        permission?: PermissionResolvable[] | PermissionResolvable
    ) {
        if (this.client.configManager.systemConfig.system_admins.includes(member.user.id))
            return true;

        const config = this.client.configManager.config[member.guild.id];

        if (!config) return true;

        const { admin_role, mod_role, staff_role, check_discord_permissions, invincible_roles } =
            config.permissions ?? {};

        if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
            log("Member has roles that are immune to automod");
            return true;
        }

        for (const roleId of invincible_roles) {
            if (member.roles.cache.has(roleId)) {
                log("Member has roles that are immune to this action");
                return true;
            }
        }

        if (check_discord_permissions === "automod" || check_discord_permissions === "both") {
            const hasDiscordPerms =
                member.permissions.has(PermissionFlagsBits.ManageGuild, true) ||
                (permission && member.permissions.has(permission, true));

            if (hasDiscordPerms) {
                log("Member has discord permissions that are immune to automod");
                return true;
            }
        }

        const manager = await this.getManager(member.guild.id);
        const { permissions } = manager.getMemberPermissions(member);
        const hasPermissions = permissions.has("Administrator") || permissions.has("ManageGuild");

        if (hasPermissions) {
            log("Member has permissions that are immune to automod");
            return true;
        }

        return manager.isImmuneToAutoMod(member, permission);
    }

    // FIXME: Move these permission checks to DiscordBasedPermissionManager
    async shouldModerate(member: GuildMember, moderator: GuildMember) {
        if (this.client.configManager.systemConfig.system_admins.includes(moderator.user.id))
            return true;

        const config = this.client.configManager.config[member.guild.id];

        if (!config) return false;

        if (member.guild.ownerId === member.user.id) return false;
        if (member.guild.ownerId === moderator.user.id) return true;

        const { admin_role, mod_role, staff_role, invincible_roles, check_discord_permissions } =
            config.permissions ?? {};

        if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
            log("Member has roles that are immune to this action");
            return false;
        }

        for (const roleId of invincible_roles) {
            if (member.roles.cache.has(roleId)) {
                log("Member has roles that are immune to this action");
                return false;
            }
        }

        if (
            (check_discord_permissions === "manual_actions" ||
                check_discord_permissions === "both") &&
            member.roles.highest.position >= moderator.roles.highest.position
        ) {
            log("Member has higher/equal roles than moderator");
            return false;
        }

        const manager = await this.getManager(member.guild.id);
        return await manager.shouldModerate(member, moderator);
    }

    protected getMode(guildId: string) {
        return this.client.configManager.config[guildId]?.permissions.mode ?? "discord";
    }

    async getManager(guildId: string): Promise<M> {
        const manager = this.managers[this.getMode(guildId)];

        if (!manager) {
            throw new Error("Unknown/Unsupported permission mode: " + this.getMode(guildId));
        }

        await manager.triggerSyncIfNeeded();
        return manager as M;
    }

    async getMemberPermissions(member: GuildMember, mergeWithDiscordPermissions?: boolean) {
        const manager = await this.getManager(member.guild.id);
        return manager.getMemberPermissions(member, mergeWithDiscordPermissions);
    }

    usesLayeredMode(guildId: string) {
        return this.getMode(guildId) === "layered";
    }

    usesLevelBasedMode(guildId: string): this is PermissionManager<LevelBasedPermissionManager> {
        return this.getMode(guildId) === "levels";
    }

    usesDiscordMode(guildId: string) {
        return this.getMode(guildId) === "discord";
    }
}
1	/**
2	* This file is part of SudoBot.
3	*
4	* Copyright (C) 2021-2023 OSN Developers.
5	*
6	* SudoBot is free software; you can redistribute it and/or modify it
7	* under the terms of the GNU Affero General Public License as published by
8	* the Free Software Foundation, either version 3 of the License, or
9	* (at your option) any later version.
10	*
11	* SudoBot is distributed in the hope that it will be useful, but
12	* WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU Affero General Public License for more details.
15	*
16	* You should have received a copy of the GNU Affero General Public License
17	* along with SudoBot. If not, see <https://www.gnu.org/licenses/>.
18	*/
19
20	import { PermissionOverwrite } from "@prisma/client";
21	import {
22	GuildMember,
23	PermissionFlagsBits,
24	PermissionResolvable,
25	PermissionsBitField,
26	Role,
27	Snowflake
28	} from "discord.js";
29	import Service from "../core/Service";
30	import AbstractPermissionManager from "../security/AbstractPermissionManager";
31	import DiscordBasedPermissionManager from "../security/DiscordBasedPermissionManager";
32	import LayerBasedPermissionManager from "../security/LayerBasedPermissionManager";
33	import LevelBasedPermissionManager from "../security/LevelBasedPermissionManager";
34	import { log, logInfo } from "../utils/Logger";
35	import { GuildConfig } from "./ConfigManager";
36
37	export const name = "permissionManager";
38
39	export type GetMemberPermissionInGuildResult = {
40	permissions: PermissionsBitField;
41	} & (
42	\| {
43	type: "levels";
44	level: number;
45	}
46	\| {
47	type: "discord";
48	}
49	\| {
50	type: "layered";
51	highestOverwrite?: PermissionOverwrite;
52	highestRoleHavingOverwrite?: Role;
53	overwriteIds: number[];
54	}
55	);
56
57	export default class PermissionManager<
58	M extends AbstractPermissionManager = AbstractPermissionManager
59	> extends Service {
60	protected readonly cache: Record<`${Snowflake}_${Snowflake}`, object> = {};
61	protected readonly managers: Record<
62	NonNullable<GuildConfig["permissions"]["mode"]>,
63	AbstractPermissionManager \| undefined
64	> = {
65	layered: new LayerBasedPermissionManager(this.client),
66	discord: new DiscordBasedPermissionManager(this.client),
67	levels: new LevelBasedPermissionManager(this.client)
68	};
69
70	boot() {
71	if (!this.client.configManager.systemConfig.sync_permission_managers_on_boot) {
72	return;
73	}
74
75	for (const managerName in this.managers) {
76	this.managers[managerName as keyof typeof this.managers]?.sync?.();
77	logInfo(`[${this.constructor.name}] Synchronizing ${managerName} permission manager`);
78	}
79	}
80
81	async isImmuneToAutoMod(
82	member: GuildMember,
83	permission?: PermissionResolvable[] \| PermissionResolvable
84	) {
85	if (this.client.configManager.systemConfig.system_admins.includes(member.user.id))
86	return true;
87
88	const config = this.client.configManager.config[member.guild.id];
89
90	if (!config) return true;
91
92	const { admin_role, mod_role, staff_role, check_discord_permissions, invincible_roles } =
93	config.permissions ?? {};
94
95	if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
96	log("Member has roles that are immune to automod");
97	return true;
98	}
99
100	for (const roleId of invincible_roles) {
101	if (member.roles.cache.has(roleId)) {
102	log("Member has roles that are immune to this action");
103	return true;
104	}
105	}
106
107	if (check_discord_permissions === "automod" \|\| check_discord_permissions === "both") {
108	const hasDiscordPerms =
109	member.permissions.has(PermissionFlagsBits.ManageGuild, true) \|\|
110	(permission && member.permissions.has(permission, true));
111
112	if (hasDiscordPerms) {
113	log("Member has discord permissions that are immune to automod");
114	return true;
115	}
116	}
117
118	const manager = await this.getManager(member.guild.id);
119	const { permissions } = manager.getMemberPermissions(member);
120	const hasPermissions = permissions.has("Administrator") \|\| permissions.has("ManageGuild");
121
122	if (hasPermissions) {
123	log("Member has permissions that are immune to automod");
124	return true;
125	}
126
127	return manager.isImmuneToAutoMod(member, permission);
128	}
129
130	// FIXME: Move these permission checks to DiscordBasedPermissionManager
131	async shouldModerate(member: GuildMember, moderator: GuildMember) {
132	if (this.client.configManager.systemConfig.system_admins.includes(moderator.user.id))
133	return true;
134
135	const config = this.client.configManager.config[member.guild.id];
136
137	if (!config) return false;
138
139	if (member.guild.ownerId === member.user.id) return false;
140	if (member.guild.ownerId === moderator.user.id) return true;
141
142	const { admin_role, mod_role, staff_role, invincible_roles, check_discord_permissions } =
143	config.permissions ?? {};
144
145	if (member.roles.cache.hasAny(admin_role ?? "_", mod_role ?? "_", staff_role ?? "_")) {
146	log("Member has roles that are immune to this action");
147	return false;
148	}
149
150	for (const roleId of invincible_roles) {
151	if (member.roles.cache.has(roleId)) {
152	log("Member has roles that are immune to this action");
153	return false;
154	}
155	}
156
157	if (
158	(check_discord_permissions === "manual_actions" \|\|
159	check_discord_permissions === "both") &&
160	member.roles.highest.position >= moderator.roles.highest.position
161	) {
162	log("Member has higher/equal roles than moderator");
163	return false;
164	}
165
166	const manager = await this.getManager(member.guild.id);
167	return await manager.shouldModerate(member, moderator);
168	}
169
170	protected getMode(guildId: string) {
171	return this.client.configManager.config[guildId]?.permissions.mode ?? "discord";
172	}
173
174	async getManager(guildId: string): Promise<M> {
175	const manager = this.managers[this.getMode(guildId)];
176
177	if (!manager) {
178	throw new Error("Unknown/Unsupported permission mode: " + this.getMode(guildId));
179	}
180
181	await manager.triggerSyncIfNeeded();
182	return manager as M;
183	}
184
185	async getMemberPermissions(member: GuildMember, mergeWithDiscordPermissions?: boolean) {
186	const manager = await this.getManager(member.guild.id);
187	return manager.getMemberPermissions(member, mergeWithDiscordPermissions);
188	}
189
190	usesLayeredMode(guildId: string) {
191	return this.getMode(guildId) === "layered";
192	}
193
194	usesLevelBasedMode(guildId: string): this is PermissionManager<LevelBasedPermissionManager> {
195	return this.getMode(guildId) === "levels";
196	}
197
198	usesDiscordMode(guildId: string) {
199	return this.getMode(guildId) === "discord";
200	}
201	}