From ba7e6f02f52bb03d383ef57377622ef6ab062c8d Mon Sep 17 00:00:00 2001
From: rxdn
Date: Mon, 6 Jul 2020 17:40:30 +0100
Subject: [PATCH] guild count check
---
 app/http/endpoints/api/getpermissionlevel.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/app/http/endpoints/api/getpermissionlevel.go b/app/http/endpoints/api/getpermissionlevel.go
index b877db5..1c6ab78 100644
--- a/app/http/endpoints/api/getpermissionlevel.go
+++ b/app/http/endpoints/api/getpermissionlevel.go
@@ -12,9 +12,20 @@ import (
 func GetPermissionLevel(ctx *gin.Context) {
 userId := ctx.Keys["userid"].(uint64)
+ guilds := strings.Split(ctx.Query("guilds"), ",")
+ if len(guilds) > 100 {
+ ctx.JSON(400, gin.H{
+ "success": false,
+ "error": "too many guilds",
+ })
+ return
+ }
+
+ // TODO: Check whether the bot is in the guild to prevent us getting maliciously 429'd
+
 levels := make(map[string]permission.PermissionLevel)
- for _, raw := range strings.Split(ctx.Query("guilds"), ",") {
+ for _, raw := range guilds {
 guildId, err := strconv.ParseUint(raw, 10, 64)
 if err != nil {
 ctx.JSON(400, gin.H{
@@ -28,7 +39,6 @@ func GetPermissionLevel(ctx *gin.Context) {
 levels[strconv.FormatUint(guildId, 10)] = level
 }
-
 ctx.JSON(200, gin.H{
 "success": true,
 "levels": levels,
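Review bot: The new `len(guilds) > 100` check bounds one request only by its count of raw comma-separated entries, so repeated IDs and IDs for guilds the bot is not in still each reach the per-guild lookup, and nothing visible here limits how often the same user can repeat the call; the 429 exposure named in the TODO is reduced rather than closed. Because `levels` is keyed by the parsed ID, duplicates can be skipped before the lookup with `if _, seen := levels[strconv.FormatUint(guildId, 10)]; seen { continue }`; the lookup itself sits between the two hunks and is not visible, so confirm where that guard belongs. The limit would read better as a named constant such as `const maxGuildsPerRequest = 100`, and `strings.SplitN(ctx.Query("guilds"), ",", maxGuildsPerRequest+1)` rejects an oversized list without first splitting the whole query string. The TODO would be more actionable if it pointed at a tracked issue and stated the intended control, presumably a bot-membership check or a per-user rate limit on this endpoint.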