From f41686b17d72267be86dfbaf3ed916f2241eae3c Mon Sep 17 00:00:00 2001
From: Flatlogic Bot
Date: Mon, 16 Feb 2026 00:04:01 +0000
Subject: [PATCH] regles v2
---
 api_v1_rules.php | 5 +++--
 assets/js/main.js | 3 ++-
 requests.log | 3 +++
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/api_v1_rules.php b/api_v1_rules.php
index 31f6e97..ccfbee7 100644
--- a/api_v1_rules.php
+++ b/api_v1_rules.php
@@ -78,11 +78,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'PATCH') {
 $id = $data['id'] ?? 0;
 $dir = $data['dir'] ?? 'up';
- $stmt = db()->prepare("SELECT channel_id, position FROM channel_rules WHERE id = ?");
+ // Check permission
+ $stmt = db()->prepare("SELECT c.server_id, r.channel_id, r.position FROM channels c JOIN channel_rules r ON c.id = r.channel_id WHERE r.id = ?");
 $stmt->execute([$id]);
 $current = $stmt->fetch();
- if ($current) {
+ if ($current && Permissions::hasPermission($user_id, $current['server_id'], Permissions::MANAGE_CHANNELS)) {
 $channel_id = $current['channel_id'];
 $pos = $current['position'];
diff --git a/assets/js/main.js b/assets/js/main.js
index 0526954..a80faf1 100644
--- a/assets/js/main.js
+++ b/assets/js/main.js
@@ -987,6 +987,7 @@ document.addEventListener('DOMContentLoaded', () => {
 }
 if (e.target.classList.contains('move-rule-btn')) {
+ if (!window.canManageChannels) return;
 const id = e.target.dataset.id;
 const dir = e.target.dataset.dir;
 const resp = await fetch('api_v1_rules.php', {
@@ -1905,7 +1906,7 @@ document.addEventListener('DOMContentLoaded', () => {
 });
 const rulesListSortable = document.getElementById('rules-list-sortable');
- if (typeof Sortable !== 'undefined' && rulesListSortable) {
+ if (typeof Sortable !== 'undefined' && rulesListSortable && window.canManageChannels) {
 new Sortable(rulesListSortable, {
 animation: 150,
 ghostClass: 'sortable-ghost',
diff --git a/requests.log b/requests.log
index b9d7d7d..fde3b26 100644
--- a/requests.log
+++ b/requests.log
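Review bot: The new condition `if ($current && Permissions::hasPermission(...))` in the PATCH branch folds "rule not found" and "caller lacks MANAGE_CHANNELS" into one branch, and nothing in the hunk shows what a denied caller receives; the block continues past the hunk, so an `else` may exist there. If it does not, answer the two cases separately in the file's own response style, for example `if (!$current) { http_response_code(404); exit; }` followed by `if (!Permissions::hasPermission($user_id, $current['server_id'], Permissions::MANAGE_CHANNELS)) { http_response_code(403); exit; }`, and log the denial so repeated unauthorized reorder attempts are visible. `$user_id` is defined outside the hunk; it should come from the authenticated session and never from `$data`. The `// Check permission` comment sits above the SELECT rather than the check it describes; `// Load the rule's server_id so MANAGE_CHANNELS can be checked before reordering` would explain why the JOIN was added.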
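Review bot: The `window.canManageChannels` guard added to the `move-rule-btn` handler is a display convenience only, and the code should say so: the flag lives in page script under the user's control, and the enforcement is the `Permissions::hasPermission` check this commit adds to the PATCH branch of `api_v1_rules.php`. A comment such as `// UI gate only; api_v1_rules.php enforces MANAGE_CHANNELS` above the early return would keep a later change from treating it as the access check. Where the flag is assigned is not visible here; it should be emitted as a strict boolean so that an unset value keeps the control disabled. The handler continues outside the hunk, so whether a denied response from the `fetch` is surfaced to the user cannot be seen.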
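Review bot: The Sortable setup in the second main.js hunk is now gated on `window.canManageChannels` alone, and the request its drag handler sends to persist the new order is outside the hunk. The server-side check visible in this commit covers only the PATCH branch that reads `id` and `dir`; if drag-and-drop saves through a different method or endpoint, that handler needs the same `Permissions::hasPermission(..., Permissions::MANAGE_CHANNELS)` check against the rule's server before it writes positions. This is worth confirming before merge, because hiding the drag handles does not restrict who can send the request.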
@@ -58,3 +58,6 @@
 2026-02-15 23:57:30 - GET /index.php?server_id=1&channel_id=11 - POST: []
 2026-02-15 23:57:46 - GET /index.php?server_id=1&channel_id=6 - POST: []
 2026-02-15 23:57:49 - GET /index.php?server_id=1&channel_id=11 - POST: []
+2026-02-15 23:59:43 - GET /?fl_project=38443 - POST: []
+2026-02-16 00:02:15 - GET /index.php?server_id=1&channel_id=11 - POST: []
+2026-02-16 00:02:20 - GET /index.php?server_id=1&channel_id=11 - POST: []
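Review bot: `requests.log` is tracked in the repository and sits next to `index.php`, so every commit publishes request history, and the file may be served directly if that directory is the web root. Each entry carries a `POST:` field; if that field records submitted form data, passwords or session tokens would end up in the log and in git history. Consider adding `requests.log` to `.gitignore`, writing it outside the document root, and redacting sensitive POST keys before they are logged.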