From 76279b703a26acb75dc7c481568883f9381d5e8d Mon Sep 17 00:00:00 2001
From: indifferentketchup <samkintop@gmail.com>
Date: Tue, 19 May 2026 18:26:12 +0000
Subject: [PATCH] gmail-poll: lock email-ticket channels to staff role only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

guild.channels.create in findOrCreateTicketChannel previously had no
permissionOverwrites — newly created email-ticket channels inherited
whatever the parent category granted. If the category ever had @everyone
View Channel allowed (or undefined → default-allow), every server member
could read every email ticket.

Add explicit overrides on creation:
- @everyone (guild.id): deny ViewChannel
- ROLE_ID_TO_PING: allow ViewChannel + SendMessages + ReadMessageHistory
  (gated on ROLE_ID_TO_PING being set — empty string skips the entry
  rather than creating a malformed overwrite).

Email tickets have no Discord creator (the customer reaches the bot via
email, not as a guild member) so the only "allow" entry is the staff
role. Modal-created and context-menu-created tickets already set
creator+role overrides on creation; this change brings the third path
into line.

Pairs with category-level Discord config: TICKET_CATEGORY_ID and the
ESCALATED2/3 categories should still deny @everyone and allow
ROLE_ID_TO_PING at the category level for defense in depth.
---
 gmail-poll.js | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/gmail-poll.js b/gmail-poll.js
index 5ca2136..fd8dbd7 100644
--- a/gmail-poll.js
+++ b/gmail-poll.js
@@ -7,8 +7,8 @@
  */
 const {
   ChannelType,
-
-  EmbedBuilder
+  EmbedBuilder,
+  PermissionFlagsBits
 } = require('discord.js');
 const { mongoose, withRetry } = require('./db-connection');
 const { CONFIG } = require('./config');
@@ -150,7 +150,22 @@ async function findOrCreateTicketChannel(guild, parsed, number) {
     const channel = await guild.channels.create({
       name: chanName,
       type: ChannelType.GuildText,
-      parent: parentCategoryId
+      parent: parentCategoryId,
+      // Email tickets have no Discord creator — the customer is reachable
+      // only by email. So the only per-channel allow is the staff role; we
+      // still explicitly deny @everyone in case the category permissions
+      // are ever misconfigured to grant View Channel server-wide.
+      permissionOverwrites: [
+        { id: guild.id, deny: [PermissionFlagsBits.ViewChannel] },
+        ...(CONFIG.ROLE_ID_TO_PING ? [{
+          id: CONFIG.ROLE_ID_TO_PING,
+          allow: [
+            PermissionFlagsBits.ViewChannel,
+            PermissionFlagsBits.SendMessages,
+            PermissionFlagsBits.ReadMessageHistory
+          ]
+        }] : [])
+      ]
     });
     return { channel, parentCategoryId };
   } catch (createErr) {