commit: 0ee8f33250f649c7807fd161b9d6588757f5dc94
parent 34a98990dba1e021a75a23b225cff22af23f5ca2
Author: Ilja <ilja@ilja.space>
Date: Sat, 11 Jun 2022 13:08:40 +0200
Add privilige :status_delete
It also allows updating a message, so it's not just deleting. I need a better name...
Diffstat:
5 files changed, 54 insertions(+), 9 deletions(-)
diff --git a/config/config.exs b/config/config.exs
@@ -264,7 +264,8 @@ config :pleroma, :instance,
:user_activation,
:user_invite,
:report_handle,
- :user_read
+ :user_read,
+ :status_delete
],
moderator_privileges: [],
max_endorsed_users: 20,
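Review bot: `moderator_privileges: []` stays empty while `:status_delete` is added only to the admin defaults, so after an upgrade moderators presumably lose status update/delete and chat message deletion. The router.ex hunk shows these routes were previously reachable through the plain `:admin_api` pipeline, commented as "admins and mods (staff)". If the loss is intended, it deserves a changelog or upgrade note so operators grant the privilege deliberately; if not, the default would be `moderator_privileges: [:status_delete],`. How EnsurePrivilegedPlug evaluates the two lists is not visible here, so confirm this against the plug. The config block continues outside the hunk.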
diff --git a/config/description.exs b/config/description.exs
@@ -971,7 +971,8 @@ config :pleroma, :config_description, [
:user_activation,
:user_invite,
:report_handle,
- :user_read
+ :user_read,
+ :status_delete
],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@@ -987,7 +988,8 @@ config :pleroma, :config_description, [
:user_activation,
:user_invite,
:report_handle,
- :user_read
+ :user_read,
+ :status_delete
],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -145,6 +145,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_read)
end
+ pipeline :require_privileged_role_status_delete do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete)
+ end
+
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@@ -345,21 +350,26 @@ defmodule Pleroma.Web.Router do
get("/users/:nickname", UserController, :show)
end
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through(:require_privileged_role_status_delete)
+
+ put("/statuses/:id", StatusController, :update)
+ delete("/statuses/:id", StatusController, :delete)
+
+ delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
+ end
+
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
delete("/instances/:instance", InstanceController, :delete)
- put("/statuses/:id", StatusController, :update)
- delete("/statuses/:id", StatusController, :delete)
-
get("/moderation_log", AdminAPIController, :list_log)
post("/reload_emoji", AdminAPIController, :reload_emoji)
get("/stats", AdminAPIController, :stats)
-
- delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
end
scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do
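Review bot: The privilege name `:status_delete` understates what the new scope grants. Besides `delete("/statuses/:id", ...)` it gates `put("/statuses/:id", StatusController, :update)` and `delete("/chats/:id/messages/:message_id", ...)`, so an operator who grants "delete" to a role also grants status updates. The commit message already acknowledges the name; until it is renamed, add a comment above the scope such as `# :status_delete also covers status updates and chat message deletion, not only status deletion`. The two description strings in config/description.exs should also list these actions, since their example lists do not mention them. The Router module continues outside the hunk.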
diff --git a/test/pleroma/web/admin_api/controllers/chat_controller_test.exs b/test/pleroma/web/admin_api/controllers/chat_controller_test.exs
@@ -27,7 +27,10 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
end
describe "DELETE /api/pleroma/admin/chats/:id/messages/:message_id" do
- setup do: admin_setup()
+ setup do
+ clear_config([:instance, :admin_privileges], [:status_delete])
+ admin_setup()
+ end
test "it deletes a message from the chat", %{conn: conn, admin: admin} do
user = insert(:user)
@@ -60,6 +63,15 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
refute MessageReference.get_by_id(recipient_cm_ref.id)
assert %{data: %{"type" => "Tombstone"}} = Object.get_by_id(object.id)
end
+
+ test "it requires privileged role :status_delete", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> put_req_header("content-type", "application/json")
+ |> delete("/api/pleroma/admin/chats/some_id/messages/some_ref_id")
+ |> json_response(:forbidden)
+ end
end
describe "GET /api/pleroma/admin/chats/:id/messages" do
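Review bot: The added test only covers an admin whose `:admin_privileges` list is empty. The moderator side of the check is never exercised, although the router comment says mods can perform these actions if privileged by role. Consider adding two cases: a moderator with `[:instance, :moderator_privileges]` set to `[:status_delete]` who is allowed, and one with `[]` who gets `:forbidden`. A test that `:admin_privileges` alone does not authorize a moderator would guard against the two lists being mixed up. The same gap applies to the PUT and DELETE tests added in status_controller_test.exs.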
diff --git a/test/pleroma/web/admin_api/controllers/status_controller_test.exs b/test/pleroma/web/admin_api/controllers/status_controller_test.exs
@@ -64,6 +64,7 @@ defmodule Pleroma.Web.AdminAPI.StatusControllerTest do
describe "PUT /api/pleroma/admin/statuses/:id" do
setup do
+ clear_config([:instance, :admin_privileges], [:status_delete])
activity = insert(:note_activity)
%{id: activity.id}
@@ -132,10 +133,20 @@ defmodule Pleroma.Web.AdminAPI.StatusControllerTest do
assert %{"error" => "test - Invalid value for enum."} =
json_response_and_validate_schema(conn, :bad_request)
end
+
+ test "it requires privileged role :status_delete", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> put_req_header("content-type", "application/json")
+ |> put("/api/pleroma/admin/statuses/some_id", %{})
+ |> json_response(:forbidden)
+ end
end
describe "DELETE /api/pleroma/admin/statuses/:id" do
setup do
+ clear_config([:instance, :admin_privileges], [:status_delete])
activity = insert(:note_activity)
%{id: activity.id}
@@ -159,6 +170,15 @@ defmodule Pleroma.Web.AdminAPI.StatusControllerTest do
assert json_response_and_validate_schema(conn, :not_found) == %{"error" => "Not found"}
end
+
+ test "it requires privileged role :status_delete", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> put_req_header("content-type", "application/json")
+ |> delete("/api/pleroma/admin/statuses/some_id")
+ |> json_response(:forbidden)
+ end
end
describe "GET /api/pleroma/admin/statuses" do