audit

handlers/accountinfo.js

@@ -7,6 +7,7 @@ const { CONFIG } = require('../config');
 const { mongoose } = require('../db-connection');
 const { logSecurity } = require('../services/debugLog');
 const { enqueueSend } = require('../services/channelQueue');
+const { isStaff } = require('../utils');
 
 const User = mongoose.model('User');
 
@@ -134,6 +135,13 @@ async function handleAccountInfoCommand(interaction) {
 async function handleSendAccountInfoToChannel(interaction) {
   if (!interaction.isButton() || !interaction.customId.startsWith(BUTTON_PREFIX)) return false;
 
+  // Dispatched directly from interactionCreate — no upstream command-level staff gate here, so enforce it.
+  if (!isStaff(interaction.member)) {
+    logSecurity('Unauthorized account-info button', interaction.user, `non-staff pressed ${interaction.customId}`, null, 0xff0000).catch(() => {});
+    await interaction.reply({ content: 'You do not have permission to do that.', ephemeral: true }).catch(() => {});
+    return true;
+  }
+
   const payload = interaction.customId.slice(BUTTON_PREFIX.length);
   const [type, value] = payload.includes(':') ? payload.split(':') : [payload, ''];