if (!$_GET['type'] || !$_GET['username'] || !$_GET['scope'] || !$_GET['level']) { json_p($INVALID); } $type = $_GET['type']; $username = $_GET['username']; $scope = $_GET['scope']; $level = $_GET['level']; if ($type !== "add" && $type !== "remove") { json_p(['success' => false, 'reason' => "Expected values of add or remove for parameter type."]); } $user = Auth::user(); if (!$user) { json_p(["success" => false, "This endpoint requires authentication."]); } $dbManager = new DatabaseManager(); if (!$dbManager->validateScope($scope)) { json_p("Invalid room name."); } switch ($level) { case "admin": if (!$dbManager->isOwner($user, $scope)) { json_p(['success' => false, 'reason' => "Only the room owner can appoint or demote admins."]); } json_p($dbManager->changePermission($type, $username, $scope, DatabaseManager::PERMISSION_LEVEL_ROOM_ADMIN)); break; case "host": case "ban": if (!$dbManager->isOwnerOrAdmin($user, $scope)) { json_p(['success' => false, 'reason' => "You don't have permission to do this."]); } json_p($dbManager->changePermission($type, $username, $scope, $level === "host" ? DatabaseManager::PERMISSION_LEVEL_ROOM_HOST : DatabaseManager::PERMISSION_LEVEL_ROOM_BANNED));