commit: 705ba6d615ea3d8187673a5ab95af05f3ab7193b
parent c8302826285b31d071b44bf8d2e2013adcffdea6
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date: Sat, 15 Oct 2022 12:54:20 +0000
Merge branch 'security/PleromaAPI-delete' into 'develop'
CommonAPI: generate ModerationLog for all admin/moderator deletes
See merge request pleroma/pleroma!3765
Diffstat:
5 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/lib/pleroma/web/admin_api/controllers/chat_controller.ex b/lib/pleroma/web/admin_api/controllers/chat_controller.ex
@@ -8,7 +8,6 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
alias Pleroma.Activity
alias Pleroma.Chat
alias Pleroma.Chat.MessageReference
- alias Pleroma.ModerationLog
alias Pleroma.Pagination
alias Pleroma.Web.AdminAPI
alias Pleroma.Web.CommonAPI
@@ -42,12 +41,6 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
^chat_id <- to_string(cm_ref.chat_id),
%Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object_ap_id),
{:ok, _} <- CommonAPI.delete(activity_id, user) do
- ModerationLog.insert_log(%{
- action: "chat_message_delete",
- actor: user,
- subject_id: message_id
- })
-
conn
|> put_view(MessageReferenceView)
|> render("show.json", chat_message_reference: cm_ref)
diff --git a/lib/pleroma/web/admin_api/controllers/status_controller.ex b/lib/pleroma/web/admin_api/controllers/status_controller.ex
@@ -65,12 +65,6 @@ defmodule Pleroma.Web.AdminAPI.StatusController do
def delete(%{assigns: %{user: user}} = conn, %{id: id}) do
with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do
- ModerationLog.insert_log(%{
- action: "status_delete",
- actor: user,
- subject_id: id
- })
-
json(conn, %{})
end
end
diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex
@@ -6,6 +6,7 @@ defmodule Pleroma.Web.CommonAPI do
alias Pleroma.Activity
alias Pleroma.Conversation.Participation
alias Pleroma.Formatter
+ alias Pleroma.ModerationLog
alias Pleroma.Object
alias Pleroma.ThreadMute
alias Pleroma.User
@@ -147,6 +148,21 @@ defmodule Pleroma.Web.CommonAPI do
true <- User.superuser?(user) || user.ap_id == object.data["actor"],
{:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
{:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
+ if User.superuser?(user) and user.ap_id != object.data["actor"] do
+ action =
+ if object.data["type"] == "ChatMessage" do
+ "chat_message_delete"
+ else
+ "status_delete"
+ end
+
+ ModerationLog.insert_log(%{
+ action: action,
+ actor: user,
+ subject_id: activity_id
+ })
+ end
+
{:ok, delete}
else
{:find_activity, _} ->
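Review bot: The return value of `ModerationLog.insert_log/1` on the new `ModerationLog.insert_log(%{` line is discarded, so if writing the audit record fails the deletion still returns `{:ok, delete}` with no trace; as this call is now the only place moderator deletes are logged, consider matching it, e.g. `{:ok, _} = ModerationLog.insert_log(%{...})` if `insert_log/1` returns a tagged tuple (not visible here), or at least logging the failure. Two behaviour changes relative to the controller code removed in the chat_controller.ex and status_controller.ex hunks are worth confirming as intended: a superuser deleting their own object through the AdminAPI endpoints no longer produces a log entry because of the `user.ap_id != object.data["actor"]` guard, and for chat messages `subject_id` is now the activity id rather than the message reference id, which the updated chat_controller_test assertion reflects. `User.superuser?(user)` is also evaluated twice, once in the `with` head and again in the new `if`; binding it once would keep the two checks from drifting. The enclosing `delete/2` starts and ends outside the hunk.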
diff --git a/test/pleroma/web/admin_api/controllers/chat_controller_test.exs b/test/pleroma/web/admin_api/controllers/chat_controller_test.exs
@@ -53,7 +53,7 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) ==
- "@#{admin.nickname} deleted chat message ##{cm_ref.id}"
+ "@#{admin.nickname} deleted chat message ##{message.id}"
assert result["id"] == cm_ref.id
refute MessageReference.get_by_id(cm_ref.id)
diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs
@@ -8,6 +8,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
alias Pleroma.Activity
alias Pleroma.Conversation.Participation
+ alias Pleroma.ModerationLog
alias Pleroma.Object
alias Pleroma.Repo
alias Pleroma.ScheduledActivity
@@ -970,30 +971,40 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
assert Activity.get_by_id(activity.id) == activity
end
- test "when you're an admin or moderator", %{conn: conn} do
- activity1 = insert(:note_activity)
- activity2 = insert(:note_activity)
- admin = insert(:user, is_admin: true)
- moderator = insert(:user, is_moderator: true)
+ test "when you're an admin", %{conn: conn} do
+ activity = insert(:note_activity)
+ user = insert(:user, is_admin: true)
res_conn =
conn
- |> assign(:user, admin)
- |> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"]))
- |> delete("/api/v1/statuses/#{activity1.id}")
+ |> assign(:user, user)
+ |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
+ |> delete("/api/v1/statuses/#{activity.id}")
assert %{} = json_response_and_validate_schema(res_conn, 200)
+ assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
+ "@#{user.nickname} deleted status ##{activity.id}"
+
+ refute Activity.get_by_id(activity.id)
+ end
+
+ test "when you're a moderator", %{conn: conn} do
+ activity = insert(:note_activity)
+ user = insert(:user, is_moderator: true)
+
res_conn =
conn
- |> assign(:user, moderator)
- |> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
- |> delete("/api/v1/statuses/#{activity2.id}")
+ |> assign(:user, user)
+ |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
+ |> delete("/api/v1/statuses/#{activity.id}")
assert %{} = json_response_and_validate_schema(res_conn, 200)
- refute Activity.get_by_id(activity1.id)
- refute Activity.get_by_id(activity2.id)
+ assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
+ "@#{user.nickname} deleted status ##{activity.id}"
+
+ refute Activity.get_by_id(activity.id)
end
end
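Review bot: Neither new test covers the boundary the new guard in common_api.ex introduces — a superuser deleting their own status should leave `Repo.one(ModerationLog)` as `nil` — nor the `"chat_message_delete"` action branch, so a regression in either would pass this file. A third test along the lines of `refute Repo.one(ModerationLog)` after an admin deletes a status they authored would pin that behaviour. The "when you're an admin" and "when you're a moderator" tests differ only in the user flag; generating both from a module-level `for flag <- [is_admin: true, is_moderator: true]` would avoid the duplicated body. The enclosing `describe` block starts outside the hunk.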