From 5c0472eb9577d5a838ae24e93ab14b8b2413b12a Mon Sep 17 00:00:00 2001
From: spiral <spiral@spiral.sh>
Date: Sat, 31 Dec 2022 02:17:26 +0000
Subject: [PATCH] fix(api): limit autoproxy member patch to own system

---
 PluralKit.API/Controllers/v2/AutoproxyControllerV2.cs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/PluralKit.API/Controllers/v2/AutoproxyControllerV2.cs b/PluralKit.API/Controllers/v2/AutoproxyControllerV2.cs
index 23a118be..25227322 100644
--- a/PluralKit.API/Controllers/v2/AutoproxyControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/AutoproxyControllerV2.cs
@@ -57,7 +57,11 @@ public class AutoproxyControllerV2: PKControllerBase
 
         PKMember? member = null;
         if (updateMember)
+        {
             member = await ResolveMember(data.Value<string>("autoproxy_member"));
+            if (member != null && ContextFor(member) != LookupContext.ByOwner)
+                throw Errors.GenericMissingPermissions;
+        }
 
         var patch = AutoproxyPatch.FromJson(data, member?.Id);