Fix security vulnerability in dashboard allowing everyone to edit all…

… custom commands

Thank you @ErginDapaj for bringing this to my attention

dashboard/src/main/kotlin/com/dunctebot/dashboard/WebHelpers.kt

@@ -6,6 +6,7 @@ import com.dunctebot.dashboard.WebServer.Companion.USER_ID
 import com.fasterxml.jackson.databind.JsonNode
 import com.jagrosh.jdautilities.oauth2.OAuth2Client
 import com.jagrosh.jdautilities.oauth2.session.Session
+import io.javalin.http.ContentType
 import io.javalin.http.Context
 import io.javalin.http.ForbiddenResponse
 import io.javalin.http.UnauthorizedResponse
@@ -65,10 +66,19 @@ fun String?.toSafeLong(): Long {
 }
 
 fun haltDiscordError(ctx: Context, error: DiscordError, guildId: String = ""): ForbiddenResponse {
-    VueComponent(error.component, mapOf(
-        "title" to error.title,
-        "guildId" to guildId,
-    )).handle(ctx)
+    if (ctx.contentType() == ContentType.JSON) {
+        ctx.json(
+            jsonMapper.createObjectNode()
+                .put("success", false)
+                .put("message", error.title)
+                .put("code", 403)
+        )
+    } else {
+        VueComponent(error.component, mapOf(
+            "title" to error.title,
+            "guildId" to guildId,
+        )).handle(ctx)
+    }
 
     throw ForbiddenResponse()
 }

dashboard/src/main/kotlin/com/dunctebot/dashboard/controllers/api/CustomCommandController.kt

@@ -4,6 +4,7 @@ import com.dunctebot.dashboard.*
 import com.dunctebot.dashboard.WebServer.Companion.SESSION_ID
 import com.dunctebot.dashboard.WebServer.Companion.USER_ID
 import com.dunctebot.dashboard.constants.ContentType
+import com.dunctebot.dashboard.controllers.DashboardController
 import com.fasterxml.jackson.databind.JsonNode
 import com.fasterxml.jackson.databind.node.ArrayNode
 import com.fasterxml.jackson.databind.node.ObjectNode
@@ -15,11 +16,14 @@ object CustomCommandController {
     fun before(ctx: Context) {
         val attributes = ctx.sessionAttributeMap()
 
-        if (!(attributes.contains(USER_ID) && attributes.contains(SESSION_ID))) {
-            ctx.contentType(ContentType.JSON)
+        ctx.contentType(ContentType.JSON)
 
+        if (!(attributes.contains(USER_ID) && attributes.contains(SESSION_ID))) {
             throw UnauthorizedResponse("Invalid session")
         }
+
+        // run the same checks as on the view to ensure that the member has permission to perform this action.
+        DashboardController.before(ctx)
     }
 
     fun show(ctx: Context) {

dashboard/src/main/kotlin/com/dunctebot/jda/JDARestClient.kt

@@ -42,11 +42,14 @@ class JDARestClient(token: String) {
         val authConfig = AuthorizationConfig(token)
         val threadConfig = ThreadingConfig.getDefault()
 
-        threadConfig.setRateLimitScheduler(Executors.newScheduledThreadPool(5) {
+        val sched = Executors.newScheduledThreadPool(5) {
             val t = Thread(it, "dunctebot-rest-thread")
             t.isDaemon = true
             return@newScheduledThreadPool t
-        }, true)
+        }
+
+        threadConfig.setRateLimitScheduler(sched, true)
+        threadConfig.setRateLimitElastic(sched, true)
 
         jda = JDAImpl(authConfig, null, threadConfig, null, null)
 

dashboard/src/main/resources/vue/components/settings/app-settings-custom-commands.vue

@@ -250,7 +250,7 @@ Vue.component('app-settings-custom-commands', {
 
             toast("Adding command....");
 
-            doFetch('POST', command, () => {
+            this.doFetch('POST', command, () => {
                 toast('Command added');
                 this.$nextTick(() => {
                     this.hideEditor();
@@ -269,7 +269,7 @@ Vue.component('app-settings-custom-commands', {
 
             toast(`Deleting "${name}"!`);
 
-            doFetch('DELETE', {invoke: name}, () => {
+            this.doFetch('DELETE', {invoke: name}, () => {
                 toast("Deleted!");
                 this.clearEditor();
                 this.$nextTick(() => {