From a9a7501c05af67f926dd2d7390b9c74ca7dbec62 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Sun, 29 Sep 2019 15:25:36 +1000
Subject: [PATCH] Tighten validation on group promotion create.

---
 routes/panel/groups.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/routes/panel/groups.go b/routes/panel/groups.go
index 62a5bb47..a0df8129 100644
--- a/routes/panel/groups.go
+++ b/routes/panel/groups.go
@@ -205,6 +205,32 @@ func GroupsPromotionsCreateSubmit(w http.ResponseWriter, r *http.Request, user c
 		return c.LocalError("level must be integer", w, r, user)
 	}
 
+	g, err := c.Groups.Get(from)
+	if err == sql.ErrNoRows {
+		return c.LocalError("No such group.",w, r, user)
+	} else if err != nil {
+		return c.InternalError(err, w, r)
+	}
+	if g.IsAdmin && !user.Perms.EditGroupAdmin {
+		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
+	}
+	if g.IsMod && !user.Perms.EditGroupSuperMod {
+		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
+	}
+
+	g, err = c.Groups.Get(to)
+	if err == sql.ErrNoRows {
+		return c.LocalError("No such group.",w, r, user)
+	} else if err != nil {
+		return c.InternalError(err, w, r)
+	}
+	if g.IsAdmin && !user.Perms.EditGroupAdmin {
+		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
+	}
+	if g.IsMod && !user.Perms.EditGroupSuperMod {
+		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
+	}
+
 	_, err = c.GroupPromotions.Create(from, to, twoWay, level)
 	if err != nil {
 		return c.InternalError(err,w,r)
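Review bot: The two permission blocks added for `from` and `to` are identical copies, and because they are what stops a lower-privileged panel user from wiring a promotion into an admin or super-mod group, a later edit that touches one copy but not the other would silently weaken the check for one side; fold them into a single helper that is called once per group ID so the `from` and `to` checks cannot drift apart. The hunk also shows no rejection of `from == to` — if neither the caller nor `GroupPromotions.Create` catches it, a guard such as `if from == to { return c.LocalError("from and to must differ", w, r, user) }` before the lookups would be cheap. This assumes `database/sql` is already imported in this file and that the helper returns the same type the handler does (the type `c.LocalError`/`c.InternalError` produce); the handler's signature and the remainder of its body lie outside the hunk.

```go
// groupEditAllowed looks up gid and returns nil when user may include that
// group in a promotion, otherwise the error to hand straight back to the client.
func groupEditAllowed(gid int, w http.ResponseWriter, r *http.Request, user c.User) c.RouteError {
	g, err := c.Groups.Get(gid)
	if err == sql.ErrNoRows {
		return c.LocalError("No such group.", w, r, user)
	} else if err != nil {
		return c.InternalError(err, w, r)
	}
	if g.IsAdmin && !user.Perms.EditGroupAdmin {
		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
	}
	if g.IsMod && !user.Perms.EditGroupSuperMod {
		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
	}
	return nil
}

// … unchanged: level parsing in GroupsPromotionsCreateSubmit …
	if ferr := groupEditAllowed(from, w, r, user); ferr != nil {
		return ferr
	}
	if ferr := groupEditAllowed(to, w, r, user); ferr != nil {
		return ferr
	}
	_, err = c.GroupPromotions.Create(from, to, twoWay, level)
```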