gmail-poll: lock email-ticket channels to staff role only

guild.channels.create in findOrCreateTicketChannel previously had no permissionOverwrites — newly created email-ticket channels inherited whatever the parent category granted. If the category ever had @everyone View Channel allowed (or undefined → default-allow), every server member could read every email ticket. Add explicit overrides on creation: - @everyone (guild.id): deny ViewChannel - ROLE_ID_TO_PING: allow ViewChannel + SendMessages + ReadMessageHistory (gated on ROLE_ID_TO_PING being set — empty string skips the entry rather than creating a malformed overwrite). Email tickets have no Discord creator (the customer reaches the bot via email, not as a guild member) so the only "allow" entry is the staff role. Modal-created and context-menu-created tickets already set creator+role overrides on creation; this change brings the third path into line. Pairs with category-level Discord config: TICKET_CATEGORY_ID and the ESCALATED2/3 categories should still deny @everyone and allow ROLE_ID_TO_PING at the category level for defense in depth.
2026-05-19 18:26:12 +00:00
parent 3c13e55dad
commit 76279b703a
1 changed files with 18 additions and 3 deletions
--- a/gmail-poll.js
+++ b/gmail-poll.js
@@ -7,8 +7,8 @@
 */
 const {
  ChannelType,
-
-  EmbedBuilder
+  EmbedBuilder,
+  PermissionFlagsBits
 } = require('discord.js');
 const { mongoose, withRetry } = require('./db-connection');
 const { CONFIG } = require('./config');
@@ -150,7 +150,22 @@ async function findOrCreateTicketChannel(guild, parsed, number) {
    const channel = await guild.channels.create({
      name: chanName,
      type: ChannelType.GuildText,
-      parent: parentCategoryId
+      parent: parentCategoryId,
+      // Email tickets have no Discord creator — the customer is reachable
+      // only by email. So the only per-channel allow is the staff role; we
+      // still explicitly deny @everyone in case the category permissions
+      // are ever misconfigured to grant View Channel server-wide.
+      permissionOverwrites: [
+        { id: guild.id, deny: [PermissionFlagsBits.ViewChannel] },
+        ...(CONFIG.ROLE_ID_TO_PING ? [{
+          id: CONFIG.ROLE_ID_TO_PING,
+          allow: [
+            PermissionFlagsBits.ViewChannel,
+            PermissionFlagsBits.SendMessages,
+            PermissionFlagsBits.ReadMessageHistory
+          ]
+        }] : [])
+      ]
    });
    return { channel, parentCategoryId };
  } catch (createErr) {