escalation/de-escalation: keep ticket creator and /add'd users on the channel

enqueueMove called channel.setParent(categoryId, { lockPermissions: true }). discord.js's default for setParent is also true. With lockPermissions: true, Discord re-syncs the channel's permission overwrites to match the new parent category — so the explicit per-user allows set at ticket creation (creator) and via /add (extra members) got wiped on every escalate, de-escalate, and /move. The creator literally lost View Channel on their own ticket the moment staff hit Escalate. Flip to lockPermissions: false so the existing channel-level overwrites are preserved across the parent change. Inheritance still applies for anything the channel doesn't override — and the deny-@everyone / role-allow set at creation continues to gate access correctly. Affects every caller of enqueueMove: - handlers/commands/escalation.js runEscalation - handlers/commands/escalation.js runDeescalation - handlers/commands/index.js handleMove (/move)
security: gate /help, signature modal submit, and cancel_delete_tag on staff role
2026-05-19 20:09:58 +00:00 · 2026-05-19 19:58:41 +00:00 · 2026-05-19 19:55:01 +00:00 · 2026-05-19 18:38:18 +00:00
5 changed files with 51 additions and 12 deletions
--- a/broccolini-discord.js
+++ b/broccolini-discord.js
@@ -11,6 +11,7 @@ const { mongoose } = require('./db-connection');
 // Handlers
 const { handleButton, handleTicketModal } = require('./handlers/buttons');
 const { handleCommand, handleContextMenu, handleAutocomplete } = require('./handlers/commands');
+const { requireStaffRole } = require('./handlers/commands/helpers');
 const { handleDiscordReply } = require('./handlers/messages');

 // Services & jobs
@@ -110,6 +111,9 @@ client.on('interactionCreate', async interaction => {
  }

  if (interaction.isModalSubmit() && interaction.customId.startsWith('signature_modal_')) {
+    // Staff-only: /signature shows this modal, which is gated; double-gate the
+    // submit path in case an attacker crafts the submission directly.
+    if (await requireStaffRole(interaction)) return;
    // Handle signature modal submit
    try {
      const valediction = interaction.fields.getTextInputValue('valediction');
--- a/handlers/buttons.js
+++ b/handlers/buttons.js
@@ -34,6 +34,7 @@ const { addMemberToStaffThread, createStaffThread } = require('../services/staff
 const { pinMessage } = require('../services/pinMessage');
 const { logError, logTicketEvent } = require('../services/debugLog');
 const { findTicketForChannel, runDeferred } = require('./sharedHelpers');
+const { requireStaffRole } = require('./commands/helpers');

 const Ticket = mongoose.model('Ticket');
 const Transcript = mongoose.model('Transcript');
@@ -706,12 +707,15 @@ async function postTicketWelcomeEmbeds(channel, interaction, email, game, descri
 // Dispatch tables
 // ============================================================

-/** Buttons that don't depend on a ticket-bound channel. */
+/**
+ * Public-facing buttons that don't require a staff role: the panel buttons
+ * that any member uses to open a ticket. Customer-facing entry points stay
+ * here. cancel_delete_tag is staff-only and gated separately in handleButton.
+ */
 const FREE_BUTTON_HANDLERS = {
  open_ticket: handleOpenTicketModal,
  open_ticket_thread: handleOpenTicketModal,
-  open_ticket_channel: handleOpenTicketModal,
-  cancel_delete_tag: handleTagDeleteCancel
+  open_ticket_channel: handleOpenTicketModal
 };

 /** Buttons that fire inside a ticket channel. The dispatcher does the lookup. */
@@ -732,16 +736,35 @@ async function handleButton(interaction) {
  const { customId } = interaction;

  // Tag-delete confirm has a dynamic id (`confirm_delete_tag::<name>`).
+  // Mutates the Tag collection — staff only.
  if (customId.startsWith('confirm_delete_tag::')) {
+    if (await requireStaffRole(interaction)) return;
    return handleTagDeleteConfirm(interaction);
  }

+  // Tag-delete cancel: paired with the staff-only delete flow; gate to keep
+  // the button surface consistent (non-staff can't reach the dialog anyway).
+  if (customId === 'cancel_delete_tag') {
+    if (await requireStaffRole(interaction)) return;
+    return handleTagDeleteCancel(interaction);
+  }
+
+  // FREE_BUTTON_HANDLERS are the public-facing panel buttons (open_ticket*).
+  // Customers/members must be able to click these to open a ticket.
  const freeHandler = FREE_BUTTON_HANDLERS[customId];
  if (freeHandler) return freeHandler(interaction);

  const ticketHandler = TICKET_BUTTON_HANDLERS[customId];
  if (!ticketHandler) return;

+  // Every TICKET_BUTTON_HANDLERS entry mutates ticket state
+  // (claim/close/confirm_close*/cancel_close/escalate*/deescalate). The slash
+  // command dispatcher in handlers/commands/index.js gates these via
+  // requireStaffRole; the button dispatcher must do the same — non-staff
+  // members with view access to the ticket channel (creator, /add'd users)
+  // could otherwise click Claim, Escalate, Close, etc.
+  if (await requireStaffRole(interaction)) return;
+
  const ticket = await findTicketForChannel(
    interaction,
    'This channel is not linked to a ticket, or the ticket could not be found.'
--- a/handlers/commands/index.js
+++ b/handlers/commands/index.js
@@ -274,11 +274,11 @@ const CONTEXT_MENU_HANDLERS = {
 };

 /**
- * Slash-command dispatcher. /help is open to everyone; everything else
- * requires the staff role.
+ * Slash-command dispatcher. Every command is staff-only — including /help,
+ * which previously bypassed the role check.
 */
 async function handleCommand(interaction) {
-  if (interaction.commandName !== 'help' && (await requireStaffRole(interaction))) return;
+  if (await requireStaffRole(interaction)) return;
  const handler = COMMAND_HANDLERS[interaction.commandName];
  if (handler) await handler(interaction);
 }
--- a/services/channelQueue.js
+++ b/services/channelQueue.js
@@ -25,10 +25,13 @@ async function executeRename(channel, entry) {
      // (403), or no token configured — fall back to the primary Discord.js client.
      // Non-fallback errors rethrow so enqueueRename's catch can classify/log.
      if (err && err.fallback === true && channel && typeof channel.setName === 'function') {
-        logWarn(
-          'renameQueue',
-          `secondary-bot ${err.status ?? 'unavailable'}; falling back to primary channel=${channel.id}`
-        ).catch(() => {});
+        // Local log only; discord.js's REST client transparently handles 429s
+        // on the primary fallback, so this used to post a paired warning to
+        // the debug channel for every secondary-bot quota event with no
+        // operator action required. Keep the visibility in container logs.
+        console.warn(
+          `[renameQueue] secondary-bot ${err.status ?? 'unavailable'}; falling back to primary channel=${channel.id}`
+        );
        await channel.setName(currentName);
      } else {
        throw err;
@@ -80,6 +83,12 @@ function enqueueRename(channel, newName) {

 // Shares renameChains so a move+rename pair on the same channel executes in
 // call order. No coalescing: every move is a distinct chain link.
+//
+// lockPermissions: false preserves the channel's existing permission overwrites
+// across the parent change. With the default (true), Discord re-syncs the
+// channel's overwrites to match the new category and wipes per-user grants —
+// in practice that kicked the ticket creator and any /add'd users off the
+// channel on every escalate / de-escalate / /move.
 function enqueueMove(channel, categoryId) {
  let entry = renameChains.get(channel.id);
  if (!entry) {
@@ -87,7 +96,7 @@ function enqueueMove(channel, categoryId) {
    renameChains.set(channel.id, entry);
  }

-  const next = entry.chain.catch(() => {}).then(() => channel.setParent(categoryId, { lockPermissions: true }));
+  const next = entry.chain.catch(() => {}).then(() => channel.setParent(categoryId, { lockPermissions: false }));
  entry.chain = next;

  next.catch((err) => {
--- a/utils/renamer.js
+++ b/utils/renamer.js
@@ -41,7 +41,10 @@ async function renameChannel(channelId, newName) {
  if (res.status === 429) {
    const retryAfterSec = (body && typeof body === 'object' && body.retry_after) || null;
    const retryAfterMs = retryAfterSec != null ? Math.ceil(Number(retryAfterSec) * 1000) : null;
-    logWarn('renamer', `429 rename channel=${channelId} retry_after=${retryAfterSec}`).catch(() => {});
+    // Local log only; the channelQueue fallback path handles recovery
+    // transparently via discord.js's built-in 429 retry. Posting these to
+    // the debug channel was non-actionable noise.
+    console.warn(`[renamer] 429 rename channel=${channelId} retry_after=${retryAfterSec}`);

    // Respect retry_after up to 2000ms; otherwise fail over immediately.
    if (retryAfterMs != null && retryAfterMs > 0 && retryAfterMs <= 2000) {
Author	SHA1	Message	Date
indifferentketchup	2152544d09	escalation/de-escalation: keep ticket creator and /add'd users on the channel enqueueMove called channel.setParent(categoryId, { lockPermissions: true }). discord.js's default for setParent is also true. With lockPermissions: true, Discord re-syncs the channel's permission overwrites to match the new parent category — so the explicit per-user allows set at ticket creation (creator) and via /add (extra members) got wiped on every escalate, de-escalate, and /move. The creator literally lost View Channel on their own ticket the moment staff hit Escalate. Flip to lockPermissions: false so the existing channel-level overwrites are preserved across the parent change. Inheritance still applies for anything the channel doesn't override — and the deny-@everyone / role-allow set at creation continues to gate access correctly. Affects every caller of enqueueMove: - handlers/commands/escalation.js runEscalation - handlers/commands/escalation.js runDeescalation - handlers/commands/index.js handleMove (/move)	2026-05-19 20:09:58 +00:00
indifferentketchup	c79463fc2a	security: gate /help, signature modal submit, and cancel_delete_tag on staff role Closes the remaining non-broccolini interaction paths after the prior TICKET_BUTTON_HANDLERS gate. After this commit, every bot interaction is staff-only except the panel buttons (open_ticket / open_ticket_thread / open_ticket_channel) and their ticket-creation modal submit — those have to stay public because they're how members and customers open tickets. Specific changes: - handlers/commands/index.js: handleCommand no longer has the `!== 'help'` carve-out. /help now goes through requireStaffRole like every other slash command. Non-staff get the same ephemeral "only available to the support team" reply. - broccolini-discord.js: the signature_modal_* modal-submit handler now calls requireStaffRole before writing to StaffSignature. /signature already gates the modal display via the slash-command staff check; this is defense in depth against directly crafted submissions. - handlers/buttons.js: cancel_delete_tag moved out of FREE_BUTTON_HANDLERS and gated alongside confirm_delete_tag::*. The dialog is only shown ephemerally to the staff who triggered /response delete, so non-staff can't reach it in normal flow; gating keeps the button surface consistent. Kept public (by design — these are the customer entry points): open_ticket / open_ticket_thread / open_ticket_channel buttons ticket_modal / ticket_modal_thread / ticket_modal_channel submits	2026-05-19 19:58:41 +00:00
indifferentketchup	e8e114e4ad	security: gate ticket buttons + tag-delete confirm on staff role handleButton routed claim_ticket, close_ticket, confirm_close / confirm_close_with_email / confirm_close_no_email, cancel_close, escalate_ticket, escalate_to_tier2, escalate_to_tier3, deescalate_ticket, and confirm_delete_tag::* straight to their handlers without any staff check. Any non-staff member with View Channel on a ticket — the ticket creator themselves, or anyone /add'd to it — could click those buttons and mutate ticket state (claim, escalate, close, delete saved-response tags). The slash-command dispatcher in handlers/commands/index.js already calls requireStaffRole before invoking any handler; the button dispatcher needed the same gate. Now: - confirm_delete_tag::<name> → requireStaffRole, then proceed. - TICKET_BUTTON_HANDLERS dispatch → requireStaffRole, then proceed. - FREE_BUTTON_HANDLERS (open_ticket* panel buttons, cancel_delete_tag) remain ungated — those are public-facing by design. requireStaffRole replies ephemerally ("This command is only available to the support team (<@&role>)") and returns true when the caller should bail, matching the slash-command behavior.	2026-05-19 19:55:01 +00:00
indifferentketchup	452f005aea	silence secondary-bot 429 fallback noise from debug channel Two paired logWarn calls used to post to DEBUGGING_CHANNEL_ID every time the RENAMER_BOT secondary token hit Discord's per-channel rename quota: Warning: renamer — "429 rename channel=… retry_after=…" Warning: renameQueue — "secondary-bot 429; falling back to primary…" Both fire on the recoverable path: the channelQueue immediately falls back to the primary discord.js client, and that client's REST handler transparently waits out the retry_after and retries — the rename lands without operator action. Posting these to the debug channel was pure noise; staff were reading them as failures when nothing had failed. Demoted both to console.warn so they still appear in `docker logs broccolini` for diagnostic purposes but no longer post to Discord. Kept untouched: - utils/renamer.js:64 — 401/403 logWarn on secondary-bot auth/permission errors (real config problems; the operator does need to know). - services/channelQueue.js next.catch logError for status 401/403/429 — only fires when the fallback itself also failed (rare and worth a debug-channel post).	2026-05-19 18:38:18 +00:00