logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: 3f26f1b30fe605635e3faf610f813f3ae3ad43ec
parent 14e697a64fe2613649634d46a71acf4d9a7d7bd6
Author: Ilja <ilja@ilja.space>
Date:   Sat, 28 May 2022 09:43:57 +0200

Add privileges for :report_handle


Diffstat:


Mconfig/config.exs3++-


Mconfig/description.exs6++++--


Mlib/pleroma/web/router.ex22++++++++++++++++------


Mtest/pleroma/web/admin_api/controllers/report_controller_test.exs62++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


4 files changed, 84 insertions(+), 9 deletions(-)

diff --git a/config/config.exs b/config/config.exs
@@ -262,7 +262,8 @@ config :pleroma, :instance,
     :statuses_read,
     :user_tag,
     :user_activation,
-    :user_invite
+    :user_invite,
+    :report_handle
   ],
   moderator_privileges: [],
   max_endorsed_users: 20,
diff --git a/config/description.exs b/config/description.exs
@@ -969,7 +969,8 @@ config :pleroma, :config_description, [
           :statuses_read,
           :user_tag,
           :user_activation,
-          :user_invite
+          :user_invite,
+          :report_handle
         ],
         description:
           "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@@ -983,7 +984,8 @@ config :pleroma, :config_description, [
           :statuses_read,
           :user_tag,
           :user_activation,
-          :user_invite
+          :user_invite,
+          :report_handle
         ],
         description:
           "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -135,6 +135,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite)
   end
 
+  pipeline :require_privileged_role_report_handle do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -312,6 +317,17 @@ defmodule Pleroma.Web.Router do
     post("/users/email_invite", InviteController, :email)
   end
 
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_report_handle)
+
+    get("/reports", ReportController, :index)
+    get("/reports/:id", ReportController, :show)
+    patch("/reports", ReportController, :update)
+    post("/reports/:id/notes", ReportController, :notes_create)
+    delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
+  end
+
   # AdminAPI: admins and mods (staff) can perform these actions
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
     pipe_through(:admin_api)
@@ -322,12 +338,6 @@ defmodule Pleroma.Web.Router do
     get("/instances/:instance/statuses", InstanceController, :list_statuses)
     delete("/instances/:instance", InstanceController, :delete)
 
-    get("/reports", ReportController, :index)
-    get("/reports/:id", ReportController, :show)
-    patch("/reports", ReportController, :update)
-    post("/reports/:id/notes", ReportController, :notes_create)
-    delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
-
     get("/statuses/:id", StatusController, :show)
     put("/statuses/:id", StatusController, :update)
     delete("/statuses/:id", StatusController, :delete)
diff --git a/test/pleroma/web/admin_api/controllers/report_controller_test.exs b/test/pleroma/web/admin_api/controllers/report_controller_test.exs
@@ -26,6 +26,20 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
   end
 
   describe "GET /api/pleroma/admin/reports/:id" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:report_handle])
+    end
+
+    test "returns 403 if not privileged with :report_handle", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      conn =
+        conn
+        |> get("/api/pleroma/admin/reports/report_id")
+
+      assert json_response(conn, :forbidden)
+    end
+
     test "returns report by its id", %{conn: conn} do
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
@@ -63,6 +77,8 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
 
   describe "PATCH /api/pleroma/admin/reports" do
     setup do
+      clear_config([:instance, :admin_privileges], [:report_handle])
+
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
 
@@ -86,6 +102,20 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
       }
     end
 
+    test "returns 403 if not privileged with :report_handle", %{conn: conn, id: id, admin: admin} do
+      clear_config([:instance, :admin_privileges], [])
+
+      conn =
+        conn
+        |> assign(:token, insert(:oauth_token, user: admin, scopes: ["admin:write:reports"]))
+        |> put_req_header("content-type", "application/json")
+        |> patch("/api/pleroma/admin/reports", %{
+          "reports" => [%{"state" => "resolved", "id" => id}]
+        })
+
+      assert json_response(conn, :forbidden)
+    end
+
     test "requires admin:write:reports scope", %{conn: conn, id: id, admin: admin} do
       read_token = insert(:oauth_token, user: admin, scopes: ["admin:read"])
       write_token = insert(:oauth_token, user: admin, scopes: ["admin:write:reports"])
@@ -209,6 +239,20 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
   end
 
   describe "GET /api/pleroma/admin/reports" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:report_handle])
+    end
+
+    test "returns 403 if not privileged with :report_handle", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      conn =
+        conn
+        |> get(report_path(conn, :index))
+
+      assert json_response(conn, :forbidden)
+    end
+
     test "returns empty response when no reports created", %{conn: conn} do
       response =
         conn
@@ -317,6 +361,8 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
 
   describe "POST /api/pleroma/admin/reports/:id/notes" do
     setup %{conn: conn, admin: admin} do
+      clear_config([:instance, :admin_privileges], [:report_handle])
+
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
 
@@ -345,6 +391,22 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
       }
     end
 
+    test "returns 403 if not privileged with :report_handle", %{conn: conn, report_id: report_id} do
+      clear_config([:instance, :admin_privileges], [])
+
+      post_conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/pleroma/admin/reports/#{report_id}/notes", %{
+          content: "this is disgusting2!"
+        })
+
+      delete_conn = delete(conn, "/api/pleroma/admin/reports/#{report_id}/notes/note.id")
+
+      assert json_response(post_conn, :forbidden)
+      assert json_response(delete_conn, :forbidden)
+    end
+
     test "it creates report note", %{admin_id: admin_id, report_id: report_id} do
       assert [note, _] = Repo.all(ReportNote)