commit: 9f6c36475914bfd1b8c02035341765b4d1bd4395
parent 5b19543f0afaaad7f8fc302946547ae5c18e8bb3
Author: Ilja <ilja@ilja.space>
Date:   Thu, 26 May 2022 12:49:09 +0200

Add privilege :user_deletion

Diffstat:

Mconfig/config.exs2+-
Mconfig/description.exs10++++++----
Mlib/pleroma/web/router.ex14++++++++++++--
Mtest/pleroma/web/admin_api/controllers/user_controller_test.exs14++++++++++++++
4 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/config/config.exs b/config/config.exs
@@ -257,7 +257,7 @@ config :pleroma, :instance,
   password_reset_token_validity: 60 * 60 * 24,
   profile_directory: true,
   privileged_staff: false,
-  admin_privileges: [],
+  admin_privileges: [:user_deletion],
   moderator_privileges: [],
   max_endorsed_users: 20,
   birthday_required: false,
diff --git a/config/description.exs b/config/description.exs
@@ -969,14 +969,16 @@ config :pleroma, :config_description, [
       %{
         key: :admin_privileges,
         type: {:list, :atom},
-        suggestions: [],
-        description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
+        suggestions: [:user_deletion],
+        description:
+          "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
       %{
         key: :moderator_privileges,
         type: {:list, :atom},
-        suggestions: [],
-        description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
+        suggestions: [:user_deletion],
+        description:
+          "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
       %{
         key: :birthday_required,
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -109,6 +109,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.UserIsAdminPlug)
   end
 
+  pipeline :require_privileged_role_user_deletion do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
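Review bot: The two rewritten `description:` strings in description.exs carry the misspelling `priviledges` onto the new lines, so text shown to instance operators in the config UI is re-added with the typo; `"What extra privileges to allow admins (e.g. updating user credentials, ..."` and the moderators twin fix it. The `suggestions` now name `:user_deletion`, but the description still lists only informal examples and does not say which atoms are actually honoured by the server. Judging from the commit title, `:user_deletion` appears to be the only one wired up so far, so appending a sentence such as `Currently recognised: :user_deletion.` to both descriptions would tell operators what setting any other atom does (presumably nothing).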
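Review bot: The new `:require_privileged_role_user_deletion` pipeline begins with `plug(:admin_api)`, and the scope that uses it in the next hunk also lists `:admin_api` in `pipe_through([:admin_api, :require_privileged_role_user_deletion])`, so every plug in the `:admin_api` pipeline runs twice on `DELETE /users`. The sibling `:require_privileged_staff` is combined with `:admin_api` only in `pipe_through`, so the smaller change is to drop `plug(:admin_api)` from the new pipeline and rely on the `pipe_through` order (I cannot see that sibling's definition, so confirm it does not also plug `:admin_api`). Since the pipeline name hard-codes the privilege, a comment above it, `# one pipeline per privilege atom handed to EnsurePrivilegedPlug; pipe_through must run :admin_api first so the user is assigned`, would make the intended pattern and ordering requirement explicit for the next privilege. The enclosing `Pleroma.Web.Router` module continues outside the hunk.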
@@ -231,11 +236,16 @@ defmodule Pleroma.Web.Router do
     post("/backups", AdminAPIController, :create_backup)
   end
 
-  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :require_privileged_staff])
+    pipe_through([:admin_api, :require_privileged_role_user_deletion])
 
     delete("/users", UserController, :delete)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through([:admin_api, :require_privileged_staff])
 
     get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
     patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
diff --git a/test/pleroma/web/admin_api/controllers/user_controller_test.exs b/test/pleroma/web/admin_api/controllers/user_controller_test.exs
@@ -94,6 +94,7 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
   describe "DELETE /api/pleroma/admin/users" do
     test "single user", %{admin: admin, conn: conn} do
       clear_config([:instance, :federating], true)
+      clear_config([:instance, :admin_privileges], [:user_deletion])
 
       user =
         insert(:user,
@@ -149,6 +150,8 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
     end
 
     test "multiple users", %{admin: admin, conn: conn} do
+      clear_config([:instance, :admin_privileges], [:user_deletion])
+
       user_one = insert(:user)
       user_two = insert(:user)
 
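Review bot: With `-    pipe_through([:admin_api, :require_privileged_staff])` replaced by the new pipeline, `delete("/users", UserController, :delete)` is no longer gated by the `privileged_staff` setting at all; the only authorization left is `EnsurePrivilegedPlug, :user_deletion`, whose handling of moderators and of callers with no staff role is not visible in this diff. Worth confirming that the plug halts with 403 whenever the caller's role list does not contain the atom and for non-staff callers, because with `moderator_privileges: []` in config.exs that list is now the only thing keeping moderators away from this route. The two adjacent `scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do` blocks with near-identical comments read as a copy-paste; a comment on the first such as `# AdminAPI: gated per privilege atom by EnsurePrivilegedPlug (:admin_privileges / :moderator_privileges)` and keeping `(if enabled by config)` only on the `:require_privileged_staff` scope would make the distinction clear to the next reader. The second scope continues outside the hunk.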
@@ -168,6 +171,17 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
 
       assert response -- [user_one.nickname, user_two.nickname] == []
     end
+
+    test "Needs privileged role", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> delete("/api/pleroma/admin/users?nickname=nickname")
+
+      assert json_response(response, :forbidden)
+    end
   end
 
   describe "/api/pleroma/admin/users" do
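Review bot: The new test covers a single path, the admin `conn` with `admin_privileges: []`; the moderator branch of the new gate (`moderator_privileges`) and a caller with no staff role are not exercised, and since the `describe` setup that builds `conn` is outside the hunk I cannot tell which role it carries, so a sibling test using a moderator conn with `clear_config([:instance, :moderator_privileges], [])` would pin the other half of the check. `assert json_response(response, :forbidden)` only checks the status; matching the error payload the plug renders (e.g. `assert %{"error" => _} = json_response(response, :forbidden)`, adjusted to the actual shape) would also catch a halt with an empty body. The name `"Needs privileged role"` breaks the lower-case convention of its siblings (`"single user"`, `"multiple users"`); `test "needs privileged role", %{conn: conn} do`.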