Severity: HIGH
Location: src/Controllers/AdminModerationController.php:163-362
Bug: warn/suspend/ban/shadowBan compare roles but not actor.id === reported.id.
Fix: Reject when $actor['id'] === $reported['id'].
Status: open. Will reply with remediation details when resolved.
Resolved.
Added self-targeting guards to all four moderation actions in src/Controllers/AdminModerationController.php:
warn($id)suspend($id)ban($id)shadowBan($id)Each now checks (int) $reported['id'] === (int) $actor['id'] before the privilege-ceiling check and rejects with a clear flash error. A mod can no longer file a report against themselves and then dismiss/warn/act on it to create a false audit trail.
Locking this thread.
We noticed you are visiting from a mobile device. We are glad you are here, but know that 6502ish is best experienced on the desktop. Some features are not easily used via mobile and your experience may vary from the full experience via desktop.