Implement a way to change channel permissions for each user.

[2Pacalypse-]

No description provided.

[2Pacalypse-]

Depends on #1279

[claude]

CLAUDE.md violation: translation file manually edited

CLAUDE.md states:

Don't edit translation files (global.json) manually - run pnpm run gen-translations

Translation keys should be extracted from source code by the gen-translations command rather than added directly to global.json. Manual edits may be overwritten or cause conflicts on the next generation run.

[claude]

CLAUDE.md violation: class method doesn't use this

CLAUDE.md states:

If a class method doesn't use this, extract it as a module-level function instead.

listUserChannelEntries only calls module-level functions (getChannelInfo, getUserChannelEntryForUser, getUserChannelEntriesForChannel, findUsersById, toUserChannelEntryJson) and never references this. It should be extracted as a standalone exported function at module level, similar to the pattern used by other functions in this file.

[claude]

Security: missing target restrictions allow privilege escalation

The authorization check here only validates that the caller has sufficient permissions, but does not restrict who can be targeted. This creates three distinct privilege escalation paths:

1. Self-escalation: A user with editPermissions can pass their own userId as targetId and grant themselves ban, kick, togglePrivate, or changeTopic. The only guard is client-side (the UI hides this option), making the endpoint directly exploitable.

2. Targeting the channel owner: A non-owner moderator with editPermissions can target channelInfo.ownerId as targetId and modify the owner's stored channelPermissions. Again, only the client prevents this.

3. editPermissions cascade: A user with editPermissions (not the owner or server admin) can grant editPermissions to any other channel member, since there is no restriction on which specific permissions a delegated moderator can set. This allows unbounded privilege promotion chains.

Suggested fixes:

• Add if (!isAdmin && !isUserChannelOwner && targetId === userId) throw new ChatServiceError(...) to prevent self-targeting.
• Add a guard preventing non-owners/non-admins from targeting the channel owner.
• Restrict which permissions a delegated moderator can grant — at minimum, prevent non-owners/non-admins from granting editPermissions to others.

[claude]

Code review

Found 3 issues (2 CLAUDE.md violations, 1 security concern):

• server/public/locales/en/global.json — Translation keys added manually; CLAUDE.md requires running pnpm run gen-translations instead.
• server/lib/chat/chat-service.ts (listUserChannelEntries) — Class method never uses this and should be extracted as a module-level function per CLAUDE.md.
• server/lib/chat/chat-service.ts (updateUserPermissions) — Authorization only checks the caller, not the target, enabling three privilege escalation paths: self-promotion, modifying the channel owner's permissions, and cascading editPermissions grants to arbitrary users.