Skip to content

fix(moderation): add role hierarchy check to all mod actions #1228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kzndotsh merged 3 commits into from
Mar 29, 2026
Merged

fix(moderation): add role hierarchy check to all mod actions #1228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
beb8e77
fix(moderation): add role hierarchy check to all mod actions
kzndotsh Mar 29, 2026
d8e3f11
fix(moderation): address PR review feedback on hierarchy checks
kzndotsh Mar 29, 2026
487f200
chore(changelog): add role hierarchy fix entry for #1227
kzndotsh Mar 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

### Fixed

* **Moderation**: Role hierarchy check added to all moderation actions — moderators can no longer act on members with an equal or higher top role; guild owner bypass uses `owner_id` (cache-safe); bot-vs-target role check prevents `discord.Forbidden` errors when the bot's role is insufficient (#1227)
* **Moderation**: Interaction deferral handling across all moderation modules; improved error handling in slowmode channel conversion; enhanced guild config caching and embed handling in CommunicationService and ExecutionService; added assertions for case and jail role in unjail operation
* **Event handling**: First ready state marked even on setup failure to prevent unnecessary expensive checks on retries
* **Error handling**: Enhanced error logging with context information; improved error handling in moderation coordinator with proper task cancellation
Expand Down
24 changes: 24 additions & 0 deletions src/tux/modules/moderation/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,30 @@
**kwargs : Any
Additional case data
"""
# Role hierarchy checks: only apply when the target is a guild member
if (
ctx.guild
and isinstance(user, discord.Member)
and isinstance(ctx.author, discord.Member)
):
# Use owner_id (always available) instead of owner (may be None if uncached)
if (
ctx.author.id != ctx.guild.owner_id
and user.top_role >= ctx.author.top_role
):
await self._respond(

Check warning on line 111 in src/tux/modules/moderation/__init__.py

View check run for this annotation

Sentry / codecov/patch

src/tux/modules/moderation/__init__.py#L111 

Added line #L111 was not covered by tests
ctx,
"You cannot moderate a member with an equal or higher role than yours.",
)
return

Check warning on line 115 in src/tux/modules/moderation/__init__.py

View check run for this annotation

Sentry / codecov/patch

src/tux/modules/moderation/__init__.py#L115 

Added line #L115 was not covered by tests

if ctx.guild.me.top_role <= user.top_role:
await self._respond(

Check warning on line 118 in src/tux/modules/moderation/__init__.py

View check run for this annotation

Sentry / codecov/patch

src/tux/modules/moderation/__init__.py#L118 

Added line #L118 was not covered by tests
ctx,
"I cannot moderate this member because their role is equal to or higher than mine.",
)
return

Check warning on line 122 in src/tux/modules/moderation/__init__.py

View check run for this annotation

Sentry / codecov/patch

src/tux/modules/moderation/__init__.py#L122 

Added line #L122 was not covered by tests

await self.moderation.execute_moderation_action(
ctx=ctx,
case_type=case_type,
Expand Down
Loading