Security patch v2.7.2

kyb3r · kyb3r · commit 45d9c370945a · 2019-01-20T20:48:53.000+11:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+# v2.7.2
+
+### Added 
+- `config options` command to see a list of valid config variables that you can modify.
+
+### Security
+Thread channels will now default to being private (@everyone's read message perms set to false) if the thread creation category could not be resolved. This will save you from some trouble if for whatever reason your configuration gets messed up 🌚
+
 # v2.7.1
 
 ### Changed
diff --git a/cogs/utility.py b/cogs/utility.py
@@ -367,14 +367,17 @@ async def prefix(self, ctx, *, prefix=None):
     @commands.group()
     @owner_only()
     async def config(self, ctx):
-        """Change configuration for the bot.
-
-        You shouldn't have to use these commands as other commands such
-        as `prefix` and `activity` should change config vars for you.
-        """
+        """Change config vars for the bot."""
         if ctx.invoked_subcommand is None:
             cmd = self.bot.get_command('help')
             await ctx.invoke(cmd, command='config')
+    
+    @config.command()
+    async def options(self, ctx):
+        """Return a list of valid config keys you can change."""
+        valid = ', '.join(f'`{k}`' for k in self.bot.config.allowed_to_change_in_command)
+        em = discord.Embed(title='Valid Keys', description=valid, color=discord.Color.green())
+        await ctx.send(embed=em)
 
     @config.command(name='set')
     async def _set(self, ctx, key: str.lower, *, value):
diff --git a/core/thread.py b/core/thread.py
@@ -411,9 +411,21 @@ async def create(self, recipient, *, creator=None, category=None):
 
         self.cache[recipient.id] = thread = Thread(self, recipient)
 
+        overwrites = { 
+            self.bot.modmail_guild.default_role: discord.PermissionOverwrite(read_messages=False) 
+            }
+        # in case it creates a channel outside of category
+
+        category = category or self.bot.main_category
+
+        if category is not None:
+            overwrites = None 
+
         channel = await self.bot.modmail_guild.create_text_channel(
             name=self._format_channel_name(recipient),
-            category=category or self.bot.main_category
+            category=category,
+            overwrites=overwrites,
+            reason='Creating a thread channel'
         )
 
         thread.channel = channel
