[colorme] does not move role up in hierarchy

[DetermineAbsurd]

I am unsure if this is intentional or not, but the colorme cog does not move the role up the hierarchy when first using [p]colorme change <hex> and forces the administrators to move it manually.

There are no errors in the red.log or cmd console.

[flapjax]

Yes, this was a change made on purpose to address some security issues with using the top role.
See #24 for an explanation.

The recommended solution is to remove color from your higher up roles (thus reverting to the standard gray color). Then, the color from the lower colorme roles will take effect.

[DetermineAbsurd]

I just tried it with one of my server members. I set a role that has every permission and placed the users color role above it and they did not have the option to kick anyone or ban anyone.

[flapjax]

Ok. Thank you for the data. I will do some further testing when I can get to it. I am not necessarily opposed to adding an "enable this at your own risk" option to use top roles. But the default will remain bottom roles.

[bleonard252]

So long as the color roles are clean...

[aikaterna]

This will not be addressed in the v2 version but I am leaving this open as a possibility for a v3 feature.

[ProfessorFartsalot]

I've tested just now that the colors role does not give any unexpected permissions. If #24 can be tested again now that it's 5 years later can we please begin placing them at the top once more?

Edit: I am not sure how it is for servers that give all members kick powers so that's why I'm asking for someone to test it. For my relatively large server I have no issues with people having the colors at the top. However, for convenience I'll still do it by taking all the colors off the existing roles just so everyone can more easily use it.

Edit: Scratch all this. Yes, it is still possible for an admin/moderator with the "manage roles" permission to give someone ANY role under the color role. Why this is, I do not know and Discord should probably fix it. Thanks for pointing this out here. Five years, and Discord still hasn't figured it out.

[aikaterna]

#24 is for an ancient version of Red that doesn't work any more. It is also unlikely that this feature would be added as this repo is in maintenance mode.

[ProfessorFartsalot]

Updated my post. Seems discord still hasn't discovered this possibility. Or have they posted about it somewhere?

[HelmicNewciv]

To clarify @Dovahkiin-Warrior , what's happening is that Discord uses rank to determine who can do moderation actions, and rank is determined purely by a user's highest role in the hierarchy, regardless of the rank of hte role that actually grants them the permission. So a mod whose highest role is the 2nd highest, even though it's just a cosmetic role, can actually ban a mod whose highest role is 3rd highest (even if the mod roles that actually grant the ban powers are 6th and 5th, respectively).

"Manage roles" has the fun, fun interaction with this behavior of deciding any role lower than your highest (even if your highest is a cosmetic role and the role that actually grants you the manage roles permission is actually quite low ranking) is a valid role to add or remove, which means if an admin role is below your cosmetic role, you can actually give yourself admin and start banning users, deleting channels, and other nasty things, all at a potentially high enough rank that nobody other than the server owner can actually stop you.

Discord's permissions logic is absolutely nonsense and users ought to be utterly paranoid of them. Always grant the minimum number of permissions at the lowest feasible ranks, and cosmetic roles should ALWAYS be empty except for colors and ALWAYS go at the bottom to avoid privilege escalation exploits.

[greenrhino33]

Is there any movement on the optional override for role placement? My scenario is a server that has a point redemption for the ability to customize color, but default roles already have color. Don't want to force the mod team to constantly move roles up the order. Ideally, the bot would put the color roles directly beneath the bot role with the override enabled.

[aikaterna]

Is there any movement on the optional override for role placement?

No, this repo is in maintrnance mode and will not have any code feature updates any time soon.

[greenrhino33]

Noted. I assume I'm allowed to fork and attempt to implement this feature myself?

[aikaterna]

Sure thing, this repo is MIT licensed so as long as that's respected everything is cool there. If you do get something working that's pythonic and such, and if you feel like making a pull request, it could be added to the repo.