commit: cb60cc4e02af270fcccdcd552df4fa3ff858d67f
parent 5a65e2dac5e689b8067e37817bbfe4a6fe1a0426
Author: Ilja <ilja@ilja.space>
Date: Thu, 26 May 2022 16:25:28 +0200
Add privileges for :user_tag
Diffstat:
4 files changed, 84 insertions(+), 23 deletions(-)
diff --git a/config/config.exs b/config/config.exs
@@ -256,7 +256,7 @@ config :pleroma, :instance,
show_reactions: true,
password_reset_token_validity: 60 * 60 * 24,
profile_directory: true,
- admin_privileges: [:user_deletion, :user_credentials, :statuses_read],
+ admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
moderator_privileges: [],
max_endorsed_users: 20,
birthday_required: false,
diff --git a/config/description.exs b/config/description.exs
@@ -963,14 +963,14 @@ config :pleroma, :config_description, [
%{
key: :admin_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion, :user_credentials, :statuses_read],
+ suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :moderator_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion, :user_credentials, :statuses_read],
+ suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -120,6 +120,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read)
end
+ pipeline :require_privileged_role_user_tag do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag)
+ end
+
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@@ -269,12 +274,17 @@ defmodule Pleroma.Web.Router do
get("/chats/:id/messages", ChatController, :messages)
end
- # AdminAPI: admins and mods (staff) can perform these actions
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
- pipe_through(:admin_api)
+ pipe_through(:require_privileged_role_user_tag)
put("/users/tag", AdminAPIController, :tag_users)
delete("/users/tag", AdminAPIController, :untag_users)
+ end
+
+ # AdminAPI: admins and mods (staff) can perform these actions
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through(:admin_api)
patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
patch("/users/activate", UserController, :activate)
diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -92,18 +92,12 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
describe "PUT /api/pleroma/admin/users/tag" do
setup %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_tag])
+
user1 = insert(:user, %{tags: ["x"]})
user2 = insert(:user, %{tags: ["y"]})
user3 = insert(:user, %{tags: ["unchanged"]})
- conn =
- conn
- |> put_req_header("accept", "application/json")
- |> put(
- "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
- "#{user2.nickname}&tags[]=foo&tags[]=bar"
- )
-
%{conn: conn, user1: user1, user2: user2, user3: user3}
end
@@ -113,6 +107,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
user1: user1,
user2: user2
} do
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> put(
+ "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+ "#{user2.nickname}&tags[]=foo&tags[]=bar"
+ )
+
assert empty_json_response(conn)
assert User.get_cached_by_id(user1.id).tags == ["x", "foo", "bar"]
assert User.get_cached_by_id(user2.id).tags == ["y", "foo", "bar"]
@@ -130,26 +132,43 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
"@#{admin.nickname} added tags: #{tags} to users: #{users}"
end
- test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do
+ test "it does not modify tags of not specified users", %{
+ conn: conn,
+ user1: user1,
+ user2: user2,
+ user3: user3
+ } do
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> put(
+ "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+ "#{user2.nickname}&tags[]=foo&tags[]=bar"
+ )
+
assert empty_json_response(conn)
assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
end
+
+ test "it requires privileged role :user_tag", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ response =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> put("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
+
+ assert json_response(response, :forbidden)
+ end
end
describe "DELETE /api/pleroma/admin/users/tag" do
setup %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_tag])
user1 = insert(:user, %{tags: ["x"]})
user2 = insert(:user, %{tags: ["y", "z"]})
user3 = insert(:user, %{tags: ["unchanged"]})
- conn =
- conn
- |> put_req_header("accept", "application/json")
- |> delete(
- "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
- "#{user2.nickname}&tags[]=x&tags[]=z"
- )
-
%{conn: conn, user1: user1, user2: user2, user3: user3}
end
@@ -159,6 +178,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
user1: user1,
user2: user2
} do
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> delete(
+ "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+ "#{user2.nickname}&tags[]=x&tags[]=z"
+ )
+
assert empty_json_response(conn)
assert User.get_cached_by_id(user1.id).tags == []
assert User.get_cached_by_id(user2.id).tags == ["y"]
@@ -176,10 +203,34 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
"@#{admin.nickname} removed tags: #{tags} from users: #{users}"
end
- test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do
+ test "it does not modify tags of not specified users", %{
+ conn: conn,
+ user1: user1,
+ user2: user2,
+ user3: user3
+ } do
+ conn =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> delete(
+ "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+ "#{user2.nickname}&tags[]=x&tags[]=z"
+ )
+
assert empty_json_response(conn)
assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
end
+
+ test "it requires privileged role :user_tag", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ response =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> delete("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
+
+ assert json_response(response, :forbidden)
+ end
end
describe "/api/pleroma/admin/users/:nickname/permission_group" do
