From 1c64838816ef020019d2811cef184e892b980b3e Mon Sep 17 00:00:00 2001
From: Arkane <niflheim.exease@gmail.com>
Date: Tue, 24 Mar 2026 19:10:04 -0500
Subject: [PATCH 1/2] actually do a permission check for patching players

---
 pointercrate-demonlist-api/src/endpoints/player.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pointercrate-demonlist-api/src/endpoints/player.rs b/pointercrate-demonlist-api/src/endpoints/player.rs
index 91d82687..c477a5e8 100644
--- a/pointercrate-demonlist-api/src/endpoints/player.rs
+++ b/pointercrate-demonlist-api/src/endpoints/player.rs
@@ -70,6 +70,7 @@ pub async fn get(player_id: i32, pool: &State<PointercratePool>) -> Result<Tagge
 pub async fn patch(
     player_id: i32, mut auth: Auth<ApiToken>, precondition: Precondition, patch: Json<PatchPlayer>,
 ) -> Result<Tagged<FullPlayer>> {
+    auth.require_permission(LIST_MODERATOR)?;
     let player = Player::by_id(player_id, &mut auth.connection)
         .await?
         .upgrade(&mut auth.connection)

From d774f9cd669889bce663ec52d4323a872bb64517 Mon Sep 17 00:00:00 2001
From: Arkane <niflheim.exease@gmail.com>
Date: Tue, 24 Mar 2026 19:18:11 -0500
Subject: [PATCH 2/2] im not good at rust

---
 pointercrate-demonlist-api/src/endpoints/player.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pointercrate-demonlist-api/src/endpoints/player.rs b/pointercrate-demonlist-api/src/endpoints/player.rs
index c477a5e8..c8fa9c8b 100644
--- a/pointercrate-demonlist-api/src/endpoints/player.rs
+++ b/pointercrate-demonlist-api/src/endpoints/player.rs
@@ -14,7 +14,7 @@ use pointercrate_demonlist::{
         claim::{ListedClaim, PatchPlayerClaim, PlayerClaim, PlayerClaimPagination},
         DatabasePlayer, FullPlayer, PatchPlayer, Player, PlayerPagination, RankedPlayer, RankingPagination,
     },
-    LIST_HELPER,
+    LIST_HELPER, LIST_MODERATOR,
 };
 use pointercrate_user::{auth::ApiToken, MODERATOR};
 use pointercrate_user_api::auth::Auth;