commit: 28a2e3650dbdfff61ea5b72f34a2625691196dfc
parent b082e1f86b412b627db04d719233432fd387a30a
Author: Lain Soykaf <lain@lain.com>
Date:   Sun, 20 Jul 2025 21:32:57 +0400

AdminAPI: Add (failing) test for admin self-revocation

Diffstat:

Mtest/pleroma/web/admin_api/controllers/admin_api_controller_test.exs30++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+), 0 deletions(-)

diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -321,6 +321,36 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
 assert ModerationLog.get_log_entry_message(log_entry) ==
 "@#{admin.nickname} revoked admin role from @#{user_one.nickname}, @#{user_two.nickname}"
 end
+
+ test "/:right DELETE, admin cannot revoke their own admin status (single)", %{
+ admin: admin,
+ conn: conn
+ } do
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> delete("/api/pleroma/admin/users/#{admin.nickname}/permission_group/admin")
+
+ assert json_response(conn, 403) == %{"error" => "You can't revoke your own admin status."}
+ end
+
+ test "/:right DELETE, admin cannot revoke their own admin status (multiple)", %{
+ admin: admin,
+ conn: conn
+ } do
+ user = insert(:user, is_admin: true)
+
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> delete("/api/pleroma/admin/users/permission_group/admin", %{
+ nicknames: [admin.nickname, user.nickname]
+ })
+
+ assert json_response(conn, 403) == %{
+ "error" => "You can't revoke your own admin/moderator status."
+ }
+ end
 end
 
 describe "/api/pleroma/admin/users/:nickname/password_reset" do
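Review bot: Both new tests assert only the 403 body, so a handler that returns the error after it has already cleared a flag would still pass; this matters most in the "(multiple)" test, where `user` could be demoted before the caller's own nickname is checked. If the intended contract is that a rejected request changes nothing, re-read the records after each `json_response/2` assertion and pin the state, e.g. `assert User.get_by_id(admin.id).is_admin` and, in the bulk case, `assert User.get_by_id(user.id).is_admin` (this assumes `User` is aliased in the file, which the hunk does not show). The two expected messages also differ ("admin status" vs. "admin/moderator status"); if that is not deliberate, asserting one shared message for both endpoints would keep them from drifting. The enclosing `describe` block starts outside the hunk.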