Add privilege for announcements - pleroma - My custom branche(s) on git.pleroma.social/pleroma/pleroma

commit: c045a49909c2a1078864484d0327e03dac73687b
parent 44d14e8a9c0f9472560b6e389af7f28de6006a2f
Author: Ilja <ilja@ilja.space>
Date:   Thu, 14 Jul 2022 08:40:26 +0200

Add privilege for announcements

Diffstat:
M config/config.exs 1 +
M config/description.exs 2 ++
M lib/pleroma/web/router.ex 10 ++++++++++
M test/pleroma/web/admin_api/controllers/announcement_controller_test.exs 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-

4 files changed, 108 insertions(+), 1 deletion(-)
diff --git a/config/config.exs b/config/config.exs
@@ -269,6 +269,7 @@ config :pleroma, :instance,
     :instances_delete,
     :reports_manage_reports,
     :moderation_log_read,
+    :announcements_manage_announcements,
     :emoji_manage_emoji,
     :statistics_read
   ],
diff --git a/config/description.exs b/config/description.exs
@@ -984,6 +984,7 @@ config :pleroma, :config_description, [
           :instances_delete,
           :reports_manage_reports,
           :moderation_log_read,
+          :announcements_manage_announcements,
           :emoji_manage_emoji,
           :statistics_read
         ],
@@ -1005,6 +1006,7 @@ config :pleroma, :config_description, [
           :instances_delete,
           :reports_manage_reports,
           :moderation_log_read,
+          :announcements_manage_announcements,
           :emoji_manage_emoji,
           :statistics_read
         ],
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -170,6 +170,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statistics_read)
   end
 
+  pipeline :require_privileged_role_announcements_manage_announcements do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :announcements_manage_announcements)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -289,6 +294,11 @@ defmodule Pleroma.Web.Router do
     post("/frontends/install", FrontendController, :install)
 
     post("/backups", AdminAPIController, :create_backup)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_announcements_manage_announcements)
 
     get("/announcements", AnnouncementController, :index)
     post("/announcements", AnnouncementController, :create)
diff --git a/test/pleroma/web/admin_api/controllers/announcement_controller_test.exs b/test/pleroma/web/admin_api/controllers/announcement_controller_test.exs
@@ -3,11 +3,12 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
-  use Pleroma.Web.ConnCase
+  use Pleroma.Web.ConnCase, async: false
 
   import Pleroma.Factory
 
   setup do
+    clear_config([:instance, :admin_privileges], [:announcements_manage_announcements])
     admin = insert(:user, is_admin: true)
     token = insert(:oauth_admin_token, user: admin)
 
@@ -31,6 +32,18 @@ defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
       assert [%{"id" => ^id}] = response
     end
 
+    test "it requires privileged role :announcements_manage_announcements", %{conn: conn} do
+      conn
+      |> get("/api/v1/pleroma/admin/announcements")
+      |> json_response_and_validate_schema(:ok)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      conn
+      |> get("/api/v1/pleroma/admin/announcements")
+      |> json_response(:forbidden)
+    end
+
     test "it paginates announcements", %{conn: conn} do
       _announcements = Enum.map(0..20, fn _ -> insert(:announcement) end)
 
@@ -92,6 +105,20 @@ defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
       assert %{"id" => ^id} = response
     end
 
+    test "it requires privileged role :announcements_manage_announcements", %{conn: conn} do
+      %{id: id} = insert(:announcement)
+
+      conn
+      |> get("/api/v1/pleroma/admin/announcements/#{id}")
+      |> json_response_and_validate_schema(:ok)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      conn
+      |> get("/api/v1/pleroma/admin/announcements/#{id}")
+      |> json_response(:forbidden)
+    end
+
     test "it returns not found for non-existent id", %{conn: conn} do
       %{id: id} = insert(:announcement)
 
@@ -112,6 +139,20 @@ defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
         |> json_response_and_validate_schema(:ok)
     end
 
+    test "it requires privileged role :announcements_manage_announcements", %{conn: conn} do
+      %{id: id} = insert(:announcement)
+
+      conn
+      |> delete("/api/v1/pleroma/admin/announcements/#{id}")
+      |> json_response_and_validate_schema(:ok)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      conn
+      |> delete("/api/v1/pleroma/admin/announcements/#{id}")
+      |> json_response(:forbidden)
+    end
+
     test "it returns not found for non-existent id", %{conn: conn} do
       %{id: id} = insert(:announcement)
 
@@ -156,6 +197,29 @@ defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
       assert NaiveDateTime.compare(new.starts_at, starts_at) == :eq
     end
 
+    test "it requires privileged role :announcements_manage_announcements", %{conn: conn} do
+      %{id: id} = insert(:announcement)
+
+      now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
+      starts_at = NaiveDateTime.add(now, -10, :second)
+
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> patch("/api/v1/pleroma/admin/announcements/#{id}", %{
+        starts_at: NaiveDateTime.to_iso8601(starts_at)
+      })
+      |> json_response_and_validate_schema(:ok)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> patch("/api/v1/pleroma/admin/announcements/#{id}", %{
+        starts_at: NaiveDateTime.to_iso8601(starts_at)
+      })
+      |> json_response(:forbidden)
+    end
+
     test "it updates with time with utc timezone", %{conn: conn} do
       %{id: id} = insert(:announcement)
 
@@ -250,6 +314,36 @@ defmodule Pleroma.Web.AdminAPI.AnnouncementControllerTest do
       assert NaiveDateTime.compare(announcement.ends_at, ends_at) == :eq
     end
 
+    test "it requires privileged role :announcements_manage_announcements", %{conn: conn} do
+      content = "test post announcement api"
+
+      now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
+      starts_at = NaiveDateTime.add(now, -10, :second)
+      ends_at = NaiveDateTime.add(now, 10, :second)
+
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> post("/api/v1/pleroma/admin/announcements", %{
+        "content" => content,
+        "starts_at" => NaiveDateTime.to_iso8601(starts_at),
+        "ends_at" => NaiveDateTime.to_iso8601(ends_at),
+        "all_day" => true
+      })
+      |> json_response_and_validate_schema(:ok)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> post("/api/v1/pleroma/admin/announcements", %{
+        "content" => content,
+        "starts_at" => NaiveDateTime.to_iso8601(starts_at),
+        "ends_at" => NaiveDateTime.to_iso8601(ends_at),
+        "all_day" => true
+      })
+      |> json_response(:forbidden)
+    end
+
     test "creating with time with utc timezones", %{conn: conn} do
       content = "test post announcement api"

M	config/config.exs	1	+
M	config/description.exs	2	++
M	lib/pleroma/web/router.ex	10	++++++++++
M	test/pleroma/web/admin_api/controllers/announcement_controller_test.exs	96	++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-