Community administrators now can use checkorder and checkinvoice commands

[Luquitasjeffrey]

Before you needed to be superadmin in order been able to run those commands

Summary by CodeRabbit

• New Features
  • The checkorder and checkinvoice bot commands are now accessible to admin users.
  • Command behavior and error handling remain unchanged; only the permission requirement has been relaxed so admins can run these checks without altering outcomes.

[coderabbitai]

Walkthrough

The pull request changes two bot command handlers in bot/start.ts: checkorder and checkinvoice now use adminMiddleware instead of superAdminMiddleware, keeping their logic intact while lowering the required permission level.

Changes

Cohort / File(s)	Summary
Access control change bot/start.ts	Replaced superAdminMiddleware with adminMiddleware for checkorder and checkinvoice. checkinvoice had its internal retrieval/validation block reordered but preserved existing error handling and eventual call to checkInvoiceMessage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I nibble lines of code tonight,

Two gates trimmed to let admins light,
Logs stay steady, checks still run,
A smaller hop — but same fun! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: replacing superAdminMiddleware with adminMiddleware to allow community administrators to use checkorder and checkinvoice commands.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch issue703

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

bot/start.ts (1)

582-595: ⚠️ Potential issue | 🟠 Major

Add community scoping for non‑super admins in checkorder/checkinvoice.

By switching to adminMiddleware without adding the community checks used elsewhere, a community admin can query any order/invoice by ID across communities. That’s a permissions regression.

🔧 Suggested fix (apply to both commands)

   bot.command('checkorder', adminMiddleware, async (ctx: MainContext) => {
     try {
       const [orderId] = (await validateParams(ctx, 2, '\\<_order id_\\>'))!;
       if (!orderId) return;
       if (!(await validateObjectId(ctx, orderId))) return;
       const order = await Order.findOne({ _id: orderId });

       if (order === null) return;
+      if (!ctx.admin.admin) {
+        if (!order.community_id) return await messages.notAuthorized(ctx);
+        if (order.community_id != ctx.admin.default_community_id) {
+          return await messages.notAuthorized(ctx);
+        }
+      }

       const buyer = await User.findOne({ _id: order.buyer_id });
       const seller = await User.findOne({ _id: order.seller_id });

       await messages.checkOrderMessage(ctx, order, buyer, seller);
     } catch (error) {
       logger.error(error);
     }
   });

   bot.command(
     'checkinvoice',
     adminMiddleware,
     async (ctx: MainContext) => {
       try {
         const [orderId] = (await validateParams(ctx, 2, '\\<_order id_\\>'))!;
         if (!orderId) return;
         if (!(await validateObjectId(ctx, orderId))) return;
         const order = await Order.findOne({ _id: orderId });

         if (order === null) return;
+        if (!ctx.admin.admin) {
+          if (!order.community_id) return await messages.notAuthorized(ctx);
+          if (order.community_id != ctx.admin.default_community_id) {
+            return await messages.notAuthorized(ctx);
+          }
+        }
         if (!order.hash) return;

         const invoice = await getInvoice({ hash: order.hash });
         if (invoice === undefined) {
           throw new Error('invoice is undefined');
         }

Also applies to: 600-623

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

bot/start.ts (1)

582-624: ⚠️ Potential issue | 🟠 Major

Scope community admins to their community before revealing order/invoice details.

With adminMiddleware, community admins can now call these commands. Without a community check, any admin can query any order/invoice by ID, which leaks cross‑community data. Add the same non‑super‑admin guard used elsewhere in this file (e.g., cancelorder/settleorder).

🔒 Proposed fix (apply to both handlers)

   bot.command('checkorder', adminMiddleware, async (ctx: MainContext) => {
     try {
       const [orderId] = (await validateParams(ctx, 2, '\\<_order id_\\>'))!;
       if (!orderId) return;
       if (!(await validateObjectId(ctx, orderId))) return;
       const order = await Order.findOne({ _id: orderId });

       if (order === null) return;
+
+      // Restrict community admins to their community orders
+      if (!ctx.admin.admin) {
+        if (!order.community_id) return await messages.notAuthorized(ctx);
+        if (order.community_id != ctx.admin.default_community_id) {
+          return await messages.notAuthorized(ctx);
+        }
+      }

       const buyer = await User.findOne({ _id: order.buyer_id });
       const seller = await User.findOne({ _id: order.seller_id });

       await messages.checkOrderMessage(ctx, order, buyer, seller);
     } catch (error) {
       logger.error(error);
     }
   });

   bot.command('checkinvoice', adminMiddleware, async (ctx: MainContext) => {
     try {
       const [orderId] = (await validateParams(ctx, 2, '\\<_order id_\\>'))!;
       if (!orderId) return;
       if (!(await validateObjectId(ctx, orderId))) return;
       const order = await Order.findOne({ _id: orderId });

       if (order === null) return;
+      // Restrict community admins to their community orders
+      if (!ctx.admin.admin) {
+        if (!order.community_id) return await messages.notAuthorized(ctx);
+        if (order.community_id != ctx.admin.default_community_id) {
+          return await messages.notAuthorized(ctx);
+        }
+      }
       if (!order.hash) return;

       const invoice = await getInvoice({ hash: order.hash });
       if (invoice === undefined) {
         throw new Error('invoice is undefined');
       }

       await messages.checkInvoiceMessage(
         ctx,
         invoice.is_confirmed,
         invoice.is_canceled!,
         invoice.is_held!,
       );
     } catch (error) {
       logger.error(error);
     }
   });

[mostronatorcoder]

Missing community scope check ❌

The original issue (#703) explicitly states:

"but only for orders created within their own communities"

This PR changes superAdminMiddleware → adminMiddleware, which allows any admin (including community admins and dispute solvers) to query any order in the system, not just orders from their own community.

validateAdmin() passes if user.admin === true OR isDisputeSolver(community, user). A dispute solver in community A could use checkorder to inspect orders from community B — that's an information leak.

Required fix

After fetching the order, verify the admin has jurisdiction:

const order = await Order.findOne({ _id: orderId });
if (order === null) return;

// If not a super admin, verify the order belongs to the admin's community
if (!ctx.admin.admin && order.community_id) {
  if (String(order.community_id) !== String(ctx.admin.default_community_id)) {
    return await messages.notAuthorized(ctx, ctx.admin.tg_id);
  }
}

Same check needed in both checkorder and checkinvoice.

Code quality ✅

The refactoring from callback-style to flat bot.command() for checkinvoice is a nice cleanup.

CI ✅

All checks passing.

Summary

The change in middleware is correct directionally, but without the community scope check it's a privilege escalation — community admins can see orders from other communities. Request changes until the scope check is added.

[mostronatorcoder]

🔴 Missing community scope check

This allows any admin/solver to query ANY order in the system. Per #703, community admins should only see orders from their own community.

Add after Order.findOne():

if (!ctx.admin.admin && order.community_id) {
  if (String(order.community_id) !== String(ctx.admin.default_community_id)) {
    return await messages.notAuthorized(ctx, ctx.admin.tg_id);
  }
}