This PR changes how permissions for actions are checked. This has to be done to prevent users with Manage Webhook permissions to create components or commands that hand out roles that they shouldn't have access to.
Previously permissions were checked when the message or command was created. This meant that all actions had to be statically analyzed to see what permissions they require. With more complex action types and nested / recursive actions this becomes nearly impossible.
Now permissions are checked when the action is executed. For this we store a DervivedPermission object with each action set which contains the permissions of the user that has sent the message or created the command.
Messages and commands before this change bypass the new permission checks because they should already have been checked when they were created.
This PR changes how permissions for actions are checked. This has to be done to prevent users with Manage Webhook permissions to create components or commands that hand out roles that they shouldn't have access to.
Previously permissions were checked when the message or command was created. This meant that all actions had to be statically analyzed to see what permissions they require. With more complex action types and nested / recursive actions this becomes nearly impossible.
Now permissions are checked when the action is executed. For this we store a
DervivedPermissionobject with each action set which contains the permissions of the user that has sent the message or created the command.Messages and commands before this change bypass the new permission checks because they should already have been checked when they were created.
closes #92