avatar fixes and implementation to edit

2026-01-17 01:11:05 -06:00 · 2026-01-17 01:11:05 -06:00 · c3320ddcce
commit c3320ddcce
parent acab2f017d
11 changed files with 1417 additions and 37 deletions
--- a/crates/chattyness-db/src/queries/avatars.rs
+++ b/crates/chattyness-db/src/queries/avatars.rs
@ -960,3 +960,82 @@ pub async fn set_emotion_simple<'e>(

    Ok(())
 }
+
+/// Update an avatar slot by assigning an inventory item to it.
+///
+/// The column_name should be one of:
+/// - "l_skin_0" through "l_skin_8"
+/// - "l_clothes_0" through "l_clothes_8"
+/// - "l_accessories_0" through "l_accessories_8"
+/// - "e_{emotion}_0" through "e_{emotion}_8" (e.g., "e_happy_4")
+pub async fn update_avatar_slot(
+    conn: &mut PgConnection,
+    user_id: Uuid,
+    realm_id: Uuid,
+    column_name: &str,
+    inventory_id: Option<Uuid>,
+) -> Result<(), AppError> {
+    // Validate column name format to prevent SQL injection
+    let valid_prefixes = [
+        "l_skin_",
+        "l_clothes_",
+        "l_accessories_",
+        "e_neutral_",
+        "e_happy_",
+        "e_sad_",
+        "e_angry_",
+        "e_surprised_",
+        "e_thinking_",
+        "e_laughing_",
+        "e_crying_",
+        "e_love_",
+        "e_confused_",
+        "e_sleeping_",
+        "e_wink_",
+    ];
+
+    let is_valid = valid_prefixes
+        .iter()
+        .any(|prefix| column_name.starts_with(prefix))
+        && column_name
+            .chars()
+            .last()
+            .map(|c| c.is_ascii_digit() && c <= '8')
+            .unwrap_or(false);
+
+    if !is_valid {
+        return Err(AppError::Validation(format!(
+            "Invalid column name: {}",
+            column_name
+        )));
+    }
+
+    // Build dynamic UPDATE query
+    // Note: We've validated the column name format above to prevent SQL injection
+    let query = format!(
+        r#"
+        UPDATE auth.avatars
+        SET {} = $3, updated_at = now()
+        WHERE id = (
+            SELECT avatar_id FROM auth.active_avatars
+            WHERE user_id = $1 AND realm_id = $2
+        )
+        "#,
+        column_name
+    );
+
+    let result = sqlx::query(&query)
+        .bind(user_id)
+        .bind(realm_id)
+        .bind(inventory_id)
+        .execute(&mut *conn)
+        .await?;
+
+    if result.rows_affected() == 0 {
+        return Err(AppError::NotFound(
+            "No active avatar for this user in this realm".to_string(),
+        ));
+    }
+
+    Ok(())
+}