commit: 8a9144ca8b8e17df509dc8ac3934656b7dac8d77
parent 9f6c36475914bfd1b8c02035341765b4d1bd4395
Author: Ilja <ilja@ilja.space>
Date: Thu, 26 May 2022 13:27:06 +0200
Add priviledges for :user_credentials
I only moved the ones from the :require_privileged_staff block for now
Diffstat:
4 files changed, 53 insertions(+), 14 deletions(-)
diff --git a/config/config.exs b/config/config.exs
@@ -257,7 +257,7 @@ config :pleroma, :instance,
password_reset_token_validity: 60 * 60 * 24,
profile_directory: true,
privileged_staff: false,
- admin_privileges: [:user_deletion],
+ admin_privileges: [:user_deletion, :user_credentials],
moderator_privileges: [],
max_endorsed_users: 20,
birthday_required: false,
diff --git a/config/description.exs b/config/description.exs
@@ -969,14 +969,14 @@ config :pleroma, :config_description, [
%{
key: :admin_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion],
+ suggestions: [:user_deletion, :user_credentials],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :moderator_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion],
+ suggestions: [:user_deletion, :user_credentials],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -114,6 +114,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
end
+ pipeline :require_privileged_role_user_credentials do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials)
+ end
+
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@@ -206,7 +211,6 @@ defmodule Pleroma.Web.Router do
patch("/users/force_password_reset", AdminAPIController, :force_password_reset)
get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials)
- patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
get("/instance_document/:name", InstanceDocumentController, :show)
patch("/instance_document/:name", InstanceDocumentController, :update)
@@ -243,12 +247,17 @@ defmodule Pleroma.Web.Router do
delete("/users", UserController, :delete)
end
- # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
- pipe_through([:admin_api, :require_privileged_staff])
+ pipe_through([:admin_api, :require_privileged_role_user_credentials])
get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
+ end
+
+ # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through([:admin_api, :require_privileged_staff])
get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
get("/users/:nickname/chats", AdminAPIController, :list_user_chats)
diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -271,17 +271,32 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end
end
- test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do
- user = insert(:user)
+ describe "/api/pleroma/admin/users/:nickname/password_reset" do
+ test "it returns a password reset link", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_credentials])
- conn =
- conn
- |> put_req_header("accept", "application/json")
- |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
+ user = insert(:user)
+
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
+
+ resp = json_response(conn, 200)
+
+ assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
+ end
- resp = json_response(conn, 200)
+ test "it requires privileged role :user_credentials", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ response =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> get("/api/pleroma/admin/users/nickname/password_reset")
- assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
+ assert json_response(response, :forbidden)
+ end
end
describe "PUT disable_mfa" do
@@ -714,6 +729,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end
test "changes password and email", %{conn: conn, admin: admin, user: user} do
+ clear_config([:instance, :admin_privileges], [:user_credentials])
+
assert user.password_reset_pending == false
conn =
@@ -756,6 +773,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
assert json_response(conn, :forbidden)
end
+ test "returns 403 if not privileged with :user_credentials", %{conn: conn, user: user} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ patch(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials", %{
+ "password" => "new_password",
+ "email" => "new_email@example.com",
+ "name" => "new_name"
+ })
+
+ assert json_response(conn, :forbidden)
+ end
+
test "changes actor type from permitted list", %{conn: conn, user: user} do
assert user.actor_type == "Person"
