From 726e98a493bfc61fa721bf665cf18971d1ff0661 Mon Sep 17 00:00:00 2001
From: semper-lux
Date: Fri, 24 Oct 2025 17:01:20 +0100
Subject: [PATCH 1/2] Adding ACL scope to reminder remove
---
 plugins/reminders.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/plugins/reminders.py b/plugins/reminders.py
index 521435f..d010dfa 100644
--- a/plugins/reminders.py
+++ b/plugins/reminders.py
@@ -11,7 +11,7 @@
 from sqlalchemy.orm import Mapped, mapped_column
 from sqlalchemy.sql.functions import current_timestamp
-from bot.acl import privileged
+from bot.acl import EvalResult, evaluate_ctx, privileged, register_action
 from bot.client import client
 from bot.commands import Context, cleanup, plugin_command
 from bot.tasks import task
@@ -44,6 +44,7 @@ def __init__(
 logger = logging.getLogger(__name__)
+manage_reminders = register_action("manage_reminders") # For use in removing reminders
 def format_msg(guild_id: int, channel_id: int, msg_id: int) -> str:
@@ -191,6 +192,11 @@ async def reminder_remove(ctx: Context, id: int) -> None:
 """Delete a reminder."""
 async with sessionmaker() as session:
 if reminder := await session.get(Reminder, id):
+ # Checking if reminder creator and author are different users
+ if reminder.user_id != ctx.author.id:
+ # If different users, checking if author has permission anyway
+ if manage_reminders.evaluate(*evaluate_ctx(ctx)) != EvalResult.TRUE:
+ raise UserError("Reminder {} is owned by a different user.".format(id))
 await session.delete(reminder)
 await session.commit()
 await ctx.send(
From b57f0cfffaff0d75a7cb1c4c179765eec86b86d8 Mon Sep 17 00:00:00 2001
From: semper-lux
Date: Fri, 24 Oct 2025 17:32:41 +0100
Subject: [PATCH 2/2] Updated comment following reviewer suggestion
---
 plugins/reminders.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/plugins/reminders.py b/plugins/reminders.py
index d010dfa..8cfc2d2 100644
--- a/plugins/reminders.py
+++ b/plugins/reminders.py
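Review bot: The new ownership check in `reminder_remove` authorises a non-owner from `evaluate_ctx(ctx)` alone, that is from where the command was invoked, while the reminder is fetched by a global `id`; if `manage_reminders` can be granted per guild or channel (bot.acl is not visible here), a holder in one place could delete reminders created somewhere else. Before honouring the action, consider also requiring that the reminder belongs to the invoking guild, using whatever guild field `Reminder` stores (assumed name: `reminder.guild_id`). Separately, `"Reminder {} is owned by a different user."` confirms to any caller that the id exists, so reusing the not-found reply from the branch outside this hunk would avoid an enumeration oracle. A `logger.info("reminder %s removed by non-owner %s", id, ctx.author.id)` on the privileged path would leave an audit trail. Comparing with `!= EvalResult.TRUE` fails closed, which is the right default; patch 2/2 only rewords the comments around this check.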
@@ -192,9 +192,8 @@ async def reminder_remove(ctx: Context, id: int) -> None:
 """Delete a reminder."""
 async with sessionmaker() as session:
 if reminder := await session.get(Reminder, id):
- # Checking if reminder creator and author are different users
+ # To remove another user's reminders you need elevated permissions
 if reminder.user_id != ctx.author.id:
- # If different users, checking if author has permission anyway
 if manage_reminders.evaluate(*evaluate_ctx(ctx)) != EvalResult.TRUE:
 raise UserError("Reminder {} is owned by a different user.".format(id))
 await session.delete(reminder)