revoltchat / backend

Monorepo for Revolt backend services.
https://developers.revolt.chat/api/
1.1k stars, 121 forks

removed check for bot account under group member fetch #245

Closed toastxc closed 1 year ago

toastxc commented 1 year ago

Please make sure to check the following tasks before opening and submitting a PR

toastxc commented 1 year ago

The output of this route is literally generic user data, as shown in the source; this information can be pulled by a bot by literally polling a user account:

Result<Json<Vec<User>>>

I'm certain that this is not a security problem

toastxc commented 1 year ago

Unrelated: the name of this route doesn't seem right. Servers have members, and Member is a different data structure to what is returned by this route. Perhaps the route should be named channels/group_member_fetch.rs and channels/group_member_fetch_all.rs instead of channels/members_fetch.rs.

nulldg commented 1 year ago

I'm certain that this is not a security problem

i'm only concerned about whether or not this route is heavy on the backend and how much of a problem overuse could be. this being said, if you're not concerned, then i'm satisfied.

LGTM :+1:

insertish commented 1 year ago

Bots can already fetch server members (a much more expensive operation, involving more data and usually more people than a group); LGTM although I'm curious if @insertish had a specific reason for this check

no
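The argument made in this thread, as an added illustration that is not code from revoltchat/backend: the route returns plain `Vec<User>`, so a bot-account gate in front of it adds no confidentiality, because a bot that is a recipient of the group can rebuild the same list by fetching each user individually. The effective authorization control is the group-membership check, which stays in place when the bot gate is removed. The `Db`, `Group`, `Error` and `sample_db` types below are assumptions made for this example, as is the assumption that a group recipient can see the group's recipient IDs.

```rust
// Added example modelling the group-member fetch authorization decision
// before and after removing the bot-account check. Not project code.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Debug, PartialEq)]
pub struct User {
    pub id: String,
    pub username: String,
    pub bot: bool,
}

pub struct Group {
    pub id: String,
    pub recipients: HashSet<String>, // assumed visible to every recipient
}

#[derive(Debug, PartialEq)]
pub enum Error {
    NotFound,
    NotInGroup,
    IsBot,
}

pub struct Db {
    pub users: HashMap<String, User>,
    pub groups: HashMap<String, Group>,
}

impl Db {
    /// Generic user lookup: any authenticated account, bot or not, can call this.
    pub fn fetch_user(&self, id: &str) -> Result<User, Error> {
        self.users.get(id).cloned().ok_or(Error::NotFound)
    }

    /// The membership check that actually gates the data.
    fn group_members(&self, requester: &User, group_id: &str) -> Result<Vec<User>, Error> {
        let group = self.groups.get(group_id).ok_or(Error::NotFound)?;
        if !group.recipients.contains(&requester.id) {
            return Err(Error::NotInGroup);
        }
        let mut members: Vec<User> = group
            .recipients
            .iter()
            .filter_map(|id| self.users.get(id).cloned())
            .collect();
        members.sort_by(|a, b| a.id.cmp(&b.id));
        Ok(members)
    }

    /// Before the PR: bot accounts are refused outright, then membership is checked.
    pub fn members_fetch_before(&self, requester: &User, group_id: &str) -> Result<Vec<User>, Error> {
        if requester.bot {
            return Err(Error::IsBot);
        }
        self.group_members(requester, group_id)
    }

    /// After the PR: membership is the only gate.
    pub fn members_fetch_after(&self, requester: &User, group_id: &str) -> Result<Vec<User>, Error> {
        self.group_members(requester, group_id)
    }
}

/// What a bot recipient could do either way: fetch each recipient through the
/// generic user route and obtain the same Vec<User> the members route returns.
pub fn bot_reconstructs(db: &Db, group_id: &str) -> Result<Vec<User>, Error> {
    let group = db.groups.get(group_id).ok_or(Error::NotFound)?;
    let mut ids: Vec<&String> = group.recipients.iter().collect();
    ids.sort();
    ids.into_iter().map(|id| db.fetch_user(id)).collect()
}

/// Constructed sample data: one bot and two humans in group "g1", one outsider.
pub fn sample_db() -> Db {
    let mk = |id: &str, bot: bool| User { id: id.to_string(), username: id.to_string(), bot };
    let users = ["bot1", "bob", "carol", "alice"]
        .iter()
        .map(|id| ((*id).to_string(), mk(id, *id == "bot1")))
        .collect();
    let recipients = ["bot1", "bob", "carol"].iter().map(|s| s.to_string()).collect();
    let mut groups = HashMap::new();
    groups.insert("g1".to_string(), Group { id: "g1".to_string(), recipients });
    Db { users, groups }
}
```

The `bot_reconstructs` path is the same number of user fetches as the members route returns entries, which is why the remaining question in the thread is backend cost rather than information exposure; a per-requester rate limit on the route, not an account-type gate, is the control that addresses that.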