generated from nhcarrigan/template
hikari
ec58c9c843
CI / dependency-pin-check-typescript (push) Successful in 5s
CI / dependency-pin-check-python (push) Successful in 4s
CI / python (push) Successful in 9m28s
CI / typescript (push) Successful in 9m42s
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m39s
## Summary This PR completes the bash script restructuring and adds comprehensive documentation across all script categories. ### Bash Restructuring - Moved cohort shell scripts (`remove_github_members.sh`, `update_github_teams.sh`) from `python/cohort/` into a new `bash/cohort/` directory - Moved existing bash utilities (`add-keys-to-git.sh`, `fix-yubikey-perms.sh`, `list-yubikey-ssh-keys.sh`) into a new `bash/yubikey/` subdirectory - Updated `run.sh` to support **Bash** as a third language option alongside TypeScript and Python - Bash scripts are run directly (no 1Password secret injection needed) - Category discovery and script listing works the same as for TS/Python - Removed dead "Root Scripts" logic that was no longer needed ### Documentation Added `README.md` files for all script categories that were missing them: - `bash/cohort/README.md` — cohort GitHub team management scripts - `bash/yubikey/README.md` — YubiKey SSH key and permission utilities - `typescript/src/crowdin/README.md` — Crowdin translation management scripts - `typescript/src/discord/README.md` — Discord bot utility scripts - `typescript/src/discourse/README.md` — Discourse forum management scripts - `typescript/src/gitea/README.md` — Gitea bulk repository operation scripts - `typescript/src/github/README.md` — GitHub API interaction scripts - `typescript/src/music/README.md` — Music file metadata tools - `typescript/src/s3/README.md` — S3-compatible object storage scripts - `typescript/src/security/README.md` — Security analysis and reporting scripts - `python/cohort/README.md` — Updated to remove moved shell scripts, fix usage commands Also updated project-level docs: - **`README.md`** — Corrected project structure, fixed running instructions (removed references to non-existent `make run-ts`/`make run-py` targets), added Bash prerequisites - **`CLAUDE.md`** — Updated project overview, structure, development standards, and script-adding guides to reflect the current state of the project ✨ This PR was created with help from Hikari~ 🌸 Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com> Reviewed-on: #6 Co-authored-by: Hikari <hikari@nhcarrigan.com> Co-committed-by: Hikari <hikari@nhcarrigan.com>
143 lines
4.8 KiB
Python
143 lines
4.8 KiB
Python
#!/usr/bin/env python3
|
|
"""Check cohort-team-* channels for incorrect @everyone or @cohort permissions.
|
|
|
|
Find channels where @everyone or @cohort has Send Messages or
|
|
Send Messages in Threads enabled.
|
|
"""
|
|
|
|
import asyncio
|
|
import os
|
|
|
|
import aiohttp
|
|
|
|
DISCORD_BOT_TOKEN = os.environ["DISCORD_BOT_TOKEN"]
|
|
BASE_URL = "https://discord.com/api/v10"
|
|
GUILD_ID = "739845668582981683"
|
|
|
|
SEND_MESSAGES = 0x0000000000000800
|
|
SEND_MESSAGES_IN_THREADS = 0x0000004000000000
|
|
|
|
|
|
async def check_permissions() -> None:
|
|
"""Check all cohort-team-* channels for permission issues."""
|
|
headers = {"Authorization": f"Bot {DISCORD_BOT_TOKEN}"}
|
|
|
|
async with aiohttp.ClientSession() as session:
|
|
print("Fetching channels...")
|
|
async with session.get(
|
|
f"{BASE_URL}/guilds/{GUILD_ID}/channels", headers=headers
|
|
) as resp:
|
|
if resp.status != 200:
|
|
error = await resp.text()
|
|
print(f"Error fetching channels: {resp.status} - {error}")
|
|
return
|
|
channels = await resp.json()
|
|
|
|
print("Fetching roles...")
|
|
async with session.get(
|
|
f"{BASE_URL}/guilds/{GUILD_ID}/roles", headers=headers
|
|
) as resp:
|
|
if resp.status != 200:
|
|
error = await resp.text()
|
|
print(f"Error fetching roles: {resp.status} - {error}")
|
|
return
|
|
roles = await resp.json()
|
|
|
|
everyone_role_id = GUILD_ID
|
|
|
|
cohort_role_id = None
|
|
for role in roles:
|
|
if "cohort" in role["name"].lower():
|
|
cohort_role_id = role["id"]
|
|
print(f"Found cohort role: {role['name']} ({role['id']})")
|
|
break
|
|
|
|
if not cohort_role_id:
|
|
print("Warning: Could not find @cohort role!")
|
|
|
|
cohort_channels = [
|
|
ch
|
|
for ch in channels
|
|
if ch["name"].startswith("cohort-team-") and ch["type"] == 0
|
|
]
|
|
|
|
print(f"\nFound {len(cohort_channels)} cohort-team-* channels\n")
|
|
|
|
problematic_channels = []
|
|
|
|
for channel in sorted(cohort_channels, key=lambda x: x["name"]):
|
|
channel_name = channel["name"]
|
|
channel_id = channel["id"]
|
|
permission_overwrites = channel.get("permission_overwrites", [])
|
|
|
|
everyone_perms = None
|
|
cohort_perms = None
|
|
|
|
for overwrite in permission_overwrites:
|
|
if overwrite["id"] == everyone_role_id:
|
|
everyone_perms = overwrite
|
|
elif cohort_role_id and overwrite["id"] == cohort_role_id:
|
|
cohort_perms = overwrite
|
|
|
|
issues = []
|
|
|
|
if everyone_perms:
|
|
deny = int(everyone_perms.get("deny", "0"))
|
|
allow = int(everyone_perms.get("allow", "0"))
|
|
|
|
if (allow & SEND_MESSAGES) or not (deny & SEND_MESSAGES):
|
|
issues.append("@everyone can send messages")
|
|
|
|
if (allow & SEND_MESSAGES_IN_THREADS) or not (
|
|
deny & SEND_MESSAGES_IN_THREADS
|
|
):
|
|
issues.append("@everyone can send messages in threads")
|
|
else:
|
|
issues.append(
|
|
"@everyone has no permission overwrite (inheriting server perms)"
|
|
)
|
|
|
|
if cohort_perms and cohort_role_id:
|
|
deny = int(cohort_perms.get("deny", "0"))
|
|
allow = int(cohort_perms.get("allow", "0"))
|
|
|
|
if (allow & SEND_MESSAGES) or not (deny & SEND_MESSAGES):
|
|
issues.append("@cohort can send messages")
|
|
|
|
if (allow & SEND_MESSAGES_IN_THREADS) or not (
|
|
deny & SEND_MESSAGES_IN_THREADS
|
|
):
|
|
issues.append("@cohort can send messages in threads")
|
|
elif cohort_role_id:
|
|
issues.append(
|
|
"@cohort has no permission overwrite (inheriting server perms)"
|
|
)
|
|
|
|
if issues:
|
|
problematic_channels.append(
|
|
{"name": channel_name, "id": channel_id, "issues": issues}
|
|
)
|
|
print(f"❌ {channel_name}")
|
|
for issue in issues:
|
|
print(f" - {issue}")
|
|
else:
|
|
print(f"✅ {channel_name}")
|
|
|
|
print("\n" + "=" * 60)
|
|
print(
|
|
f"\nSummary: {len(problematic_channels)} channels with permission issues\n"
|
|
)
|
|
|
|
if problematic_channels:
|
|
print("Problematic channels:")
|
|
for ch in problematic_channels:
|
|
print(f"\n{ch['name']} (ID: {ch['id']})")
|
|
for issue in ch["issues"]:
|
|
print(f" • {issue}")
|
|
else:
|
|
print("All channels have correct permissions! 🎉")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
asyncio.run(check_permissions())
|