fix(discord-bot): harden RBAC checks and DB prefix defaults

VoxHash · VoxHash · commit 3d5087d6ea04 · 2026-03-26T13:43:21.000-04:00
Enforce admin permission at create-license modal submission, normalize owner/admin env parsing, and default DB table prefix to discord_bot_ with env override.

Made-with: Cursor
diff --git a/src/database/DatabaseManager.js b/src/database/DatabaseManager.js
@@ -1,12 +1,13 @@
 /**
  * Database Manager for Discord Bot
- * Uses Supabase/PostgreSQL tg_bot_* tables. Set DATABASE_URL to Postgres connection string.
+ * Uses Supabase/PostgreSQL discord_bot_* tables by default.
+ * Set DATABASE_URL to Postgres connection string.
  */
 
 const { Pool } = require('pg');
 const Logger = require('../utils/Logger');
 
-const PREFIX = 'tg_bot_';
+const PREFIX = (process.env.BOT_DB_TABLE_PREFIX || 'discord_bot_').trim();
 
 function getConnectionConfig() {
   const url = process.env.DATABASE_URL || '';
diff --git a/src/handlers/CommandHandler.js b/src/handlers/CommandHandler.js
@@ -5,6 +5,7 @@
 const { Collection, SlashCommandBuilder, EmbedBuilder, ActionRowBuilder, ButtonBuilder, ButtonStyle, ModalBuilder, TextInputBuilder, TextInputStyle } = require('discord.js');
 const fs = require('fs');
 const path = require('path');
+const PermissionManager = require('../utils/PermissionManager');
 
 class CommandHandler {
   constructor(client, licenseClient, dbManager) {
@@ -56,6 +57,9 @@ class CommandHandler {
     if (interaction.isModalSubmit && interaction.isModalSubmit()) {
       if (interaction.customId === 'create_license_modal') {
         try {
+          const permissionManager = new PermissionManager(interaction.client);
+          await permissionManager.requirePermission(interaction.member, 'admin');
+
           const applicationName = interaction.fields.getTextInputValue('application_name');
           const planRaw = interaction.fields.getTextInputValue('plan');
           const plan = String(planRaw || '').trim().toUpperCase();
diff --git a/src/utils/PermissionManager.js b/src/utils/PermissionManager.js
@@ -9,8 +9,11 @@ const logger = new Logger('PermissionManager');
 class PermissionManager {
   constructor(client) {
     this.client = client;
-    this.ownerId = process.env.BOT_OWNER_ID || null;
-    this.adminRoleIds = (process.env.ADMIN_ROLE_IDS || '').split(',').filter(id => id.trim());
+    this.ownerId = (process.env.BOT_OWNER_ID || '').trim() || null;
+    this.adminRoleIds = (process.env.ADMIN_ROLE_IDS || '')
+      .split(',')
+      .map(id => id.trim())
+      .filter(Boolean);
   }
 
   /**
