commit: e102d25d2385761077c08e0b280359392f0592cb
parent cb60cc4e02af270fcccdcd552df4fa3ff858d67f
Author: Ilja <ilja@ilja.space>
Date: Thu, 26 May 2022 16:41:48 +0200
Add privileges for :user_activation
Diffstat:
4 files changed, 137 insertions(+), 62 deletions(-)
diff --git a/config/config.exs b/config/config.exs
@@ -256,7 +256,13 @@ config :pleroma, :instance,
show_reactions: true,
password_reset_token_validity: 60 * 60 * 24,
profile_directory: true,
- admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
+ admin_privileges: [
+ :user_deletion,
+ :user_credentials,
+ :statuses_read,
+ :user_tag,
+ :user_activation
+ ],
moderator_privileges: [],
max_endorsed_users: 20,
birthday_required: false,
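Review bot: `moderator_privileges` stays `[]` while the activation routes move behind `:user_activation`, so with these defaults moderators lose activate, deactivate and toggle_activation after upgrading. An instance that already overrides `admin_privileges` without the new atom would presumably see its admins rejected on those routes as well. That is a sensible least-privilege default, but it is a behaviour change operators should be told about. I would add a comment above the list, e.g. `# :user_activation gates the AdminAPI activate/deactivate/toggle_activation routes; add it to any overridden list`, plus a changelog entry. The `config :pleroma, :instance` block starts and ends outside this hunk.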
diff --git a/config/description.exs b/config/description.exs
@@ -963,14 +963,26 @@ config :pleroma, :config_description, [
%{
key: :admin_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
+ suggestions: [
+ :user_deletion,
+ :user_credentials,
+ :statuses_read,
+ :user_tag,
+ :user_activation
+ ],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :moderator_privileges,
type: {:list, :atom},
- suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
+ suggestions: [
+ :user_deletion,
+ :user_credentials,
+ :statuses_read,
+ :user_tag,
+ :user_activation
+ ],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
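Review bot: The `description:` strings for `:admin_privileges` and `:moderator_privileges` do not mention activation, so an operator choosing `:user_activation` from the suggestions has no text saying what it grants. Both still list only credential updates, password reset tokens, user deletion and private statuses. I would extend each example list with `activate and deactivate users` and correct `priviledges` to `privileges` in both strings. The enclosing `config :pleroma, :config_description` list starts and ends outside this hunk.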
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -125,6 +125,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag)
end
+ pipeline :require_privileged_role_user_activation do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation)
+ end
+
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@@ -282,15 +287,20 @@ defmodule Pleroma.Web.Router do
delete("/users/tag", AdminAPIController, :untag_users)
end
- # AdminAPI: admins and mods (staff) can perform these actions
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
- pipe_through(:admin_api)
+ pipe_through(:require_privileged_role_user_activation)
patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
patch("/users/activate", UserController, :activate)
patch("/users/deactivate", UserController, :deactivate)
- patch("/users/approve", UserController, :approve)
+ end
+
+ # AdminAPI: admins and mods (staff) can perform these actions
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through(:admin_api)
+ patch("/users/approve", UserController, :approve)
post("/users/invite_token", InviteController, :create)
get("/users/invites", InviteController, :index)
post("/users/revoke_invite", InviteController, :revoke)
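Review bot: `/users/approve` stays in the scope guarded only by `:admin_api`, so from what this hunk shows any staff account can still approve pending registrations when `:user_activation` is withheld from its role; the invite routes below it are in the same position. If that split is intended, say so on the scope, e.g. `# not gated by :user_activation: approving registrations and managing invites stay available to all staff`. If approval is meant to count as activation, keep `patch("/users/approve", UserController, :approve)` inside the `:require_privileged_role_user_activation` scope instead. The second scope continues past the end of this hunk.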
diff --git a/test/pleroma/web/admin_api/controllers/user_controller_test.exs b/test/pleroma/web/admin_api/controllers/user_controller_test.exs
@@ -824,48 +824,6 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
end
end
- test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do
- user_one = insert(:user, is_active: false)
- user_two = insert(:user, is_active: false)
-
- conn =
- conn
- |> put_req_header("content-type", "application/json")
- |> patch(
- "/api/pleroma/admin/users/activate",
- %{nicknames: [user_one.nickname, user_two.nickname]}
- )
-
- response = json_response_and_validate_schema(conn, 200)
- assert Enum.map(response["users"], & &1["is_active"]) == [true, true]
-
- log_entry = Repo.one(ModerationLog)
-
- assert ModerationLog.get_log_entry_message(log_entry) ==
- "@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}"
- end
-
- test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do
- user_one = insert(:user, is_active: true)
- user_two = insert(:user, is_active: true)
-
- conn =
- conn
- |> put_req_header("content-type", "application/json")
- |> patch(
- "/api/pleroma/admin/users/deactivate",
- %{nicknames: [user_one.nickname, user_two.nickname]}
- )
-
- response = json_response_and_validate_schema(conn, 200)
- assert Enum.map(response["users"], & &1["is_active"]) == [false, false]
-
- log_entry = Repo.one(ModerationLog)
-
- assert ModerationLog.get_log_entry_message(log_entry) ==
- "@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}"
- end
-
test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do
user_one = insert(:user, is_approved: false)
user_two = insert(:user, is_approved: false)
@@ -937,24 +895,113 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
"@#{admin.nickname} removed suggested users: @#{user1.nickname}, @#{user2.nickname}"
end
- test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do
- user = insert(:user)
+ describe "user activation" do
+ test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_activation])
- conn =
- conn
- |> put_req_header("content-type", "application/json")
- |> patch("/api/pleroma/admin/users/#{user.nickname}/toggle_activation")
+ user_one = insert(:user, is_active: false)
+ user_two = insert(:user, is_active: false)
- assert json_response_and_validate_schema(conn, 200) ==
- user_response(
- user,
- %{"is_active" => !user.is_active}
- )
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch(
+ "/api/pleroma/admin/users/activate",
+ %{nicknames: [user_one.nickname, user_two.nickname]}
+ )
- log_entry = Repo.one(ModerationLog)
+ response = json_response_and_validate_schema(conn, 200)
+ assert Enum.map(response["users"], & &1["is_active"]) == [true, true]
- assert ModerationLog.get_log_entry_message(log_entry) ==
- "@#{admin.nickname} deactivated users: @#{user.nickname}"
+ log_entry = Repo.one(ModerationLog)
+
+ assert ModerationLog.get_log_entry_message(log_entry) ==
+ "@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}"
+ end
+
+ test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_activation])
+
+ user_one = insert(:user, is_active: true)
+ user_two = insert(:user, is_active: true)
+
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch(
+ "/api/pleroma/admin/users/deactivate",
+ %{nicknames: [user_one.nickname, user_two.nickname]}
+ )
+
+ response = json_response_and_validate_schema(conn, 200)
+ assert Enum.map(response["users"], & &1["is_active"]) == [false, false]
+
+ log_entry = Repo.one(ModerationLog)
+
+ assert ModerationLog.get_log_entry_message(log_entry) ==
+ "@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}"
+ end
+
+ test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do
+ clear_config([:instance, :admin_privileges], [:user_activation])
+
+ user = insert(:user)
+
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch("/api/pleroma/admin/users/#{user.nickname}/toggle_activation")
+
+ assert json_response_and_validate_schema(conn, 200) ==
+ user_response(
+ user,
+ %{"is_active" => !user.is_active}
+ )
+
+ log_entry = Repo.one(ModerationLog)
+
+ assert ModerationLog.get_log_entry_message(log_entry) ==
+ "@#{admin.nickname} deactivated users: @#{user.nickname}"
+ end
+
+ test "it requires privileged role :statuses_activation to activate", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch(
+ "/api/pleroma/admin/users/activate",
+ %{nicknames: ["user_one.nickname", "user_two.nickname"]}
+ )
+
+ assert json_response(conn, :forbidden)
+ end
+
+ test "it requires privileged role :statuses_activation to deactivate", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch(
+ "/api/pleroma/admin/users/deactivate",
+ %{nicknames: ["user_one.nickname", "user_two.nickname"]}
+ )
+
+ assert json_response(conn, :forbidden)
+ end
+
+ test "it requires privileged role :statuses_activation to toggle activation", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> patch("/api/pleroma/admin/users/user.nickname/toggle_activation")
+
+ assert json_response(conn, :forbidden)
+ end
end
defp user_response(user, attrs \\ %{}) do
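Review bot: The three negative tests name the privilege `:statuses_activation`, but the router and config in this commit call it `:user_activation`, so the test titles should be renamed to match. They also send the literal strings `"user_one.nickname"` and `/users/user.nickname/toggle_activation` without inserting any users, which presumably passes only because the plug rejects the request before the controller runs. Inserting real users and checking that no `ModerationLog` entry was written would pin that a 403 has no side effect; a sketch for the first test follows, and the other two would change the same way. All cases run as an admin, so the `moderator_privileges` path is not exercised here. The `describe` block sits in a module that starts outside the hunk.

```elixir
test "it requires privileged role :user_activation to activate", %{conn: conn} do
  clear_config([:instance, :admin_privileges], [])

  user_one = insert(:user, is_active: false)
  user_two = insert(:user, is_active: false)

  # … unchanged: put_req_header and patch to /users/activate, sending the inserted users' nicknames …

  assert json_response(conn, :forbidden)
  # A rejected request must leave no moderation trace.
  refute Repo.one(ModerationLog)
end
```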