From 0ac41699e54f1262c73277d96798d53786a838c6 Mon Sep 17 00:00:00 2001
From: Linden <65407488+thelindat@users.noreply.github.com>
Date: Fri, 25 Oct 2024 20:56:32 +1100
Subject: [PATCH] fix(server/accounts): blacklist some account actions on group
 accounts

---
 server/accounts/roles.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server/accounts/roles.ts b/server/accounts/roles.ts
index 9a7bf790..357a3cdb 100644
--- a/server/accounts/roles.ts
+++ b/server/accounts/roles.ts
@@ -8,6 +8,15 @@ type OxAccountMetadataRow = OxAccountPermissions & { id?: number; name?: OxAccou
 
 const accountRoles = {} as Record<string, OxAccountPermissions>;
 
+const blacklistedGroupActions = {
+  addUser: true,
+  removeUser: true,
+  manageUser: true,
+  transferOwnership: true,
+  manageAccount: true,
+  closeAccount: true,
+} as Record<keyof OxAccountPermissions, true>;
+
 export function CheckRolePermission(roleName: OxAccountRole | null, permission: keyof OxAccountPermissions) {
   if (!roleName) return;
 
@@ -25,6 +34,8 @@ export async function CanPerformAction(
   const groupName = (await SelectAccount(accountId))?.group;
 
   if (groupName) {
+    if (action in blacklistedGroupActions) return false;
+
     const group = GetGroup(groupName);
     const groupRole = group.accountRoles[player.getGroup(groupName)];