commit: ecd42a2ce112489bb09cadcffc3661314a37a7fa
parent 0ee8f33250f649c7807fd161b9d6588757f5dc94
Author: Ilja <ilja@ilja.space>
Date: Sat, 11 Jun 2022 22:18:21 +0200
Add privilige :emoji_management
Diffstat:
6 files changed, 138 insertions(+), 7 deletions(-)
diff --git a/config/config.exs b/config/config.exs
@@ -265,7 +265,8 @@ config :pleroma, :instance,
:user_invite,
:report_handle,
:user_read,
- :status_delete
+ :status_delete,
+ :emoji_management
],
moderator_privileges: [],
max_endorsed_users: 20,
diff --git a/config/description.exs b/config/description.exs
@@ -972,7 +972,8 @@ config :pleroma, :config_description, [
:user_invite,
:report_handle,
:user_read,
- :status_delete
+ :status_delete,
+ :emoji_management
],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@@ -989,7 +990,8 @@ config :pleroma, :config_description, [
:user_invite,
:report_handle,
:user_read,
- :status_delete
+ :status_delete,
+ :emoji_management
],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
@@ -150,6 +150,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete)
end
+ pipeline :require_privileged_role_emoji_management do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management)
+ end
+
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@@ -360,6 +365,13 @@ defmodule Pleroma.Web.Router do
delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
end
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through(:require_privileged_role_emoji_management)
+
+ post("/reload_emoji", AdminAPIController, :reload_emoji)
+ end
+
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
@@ -368,13 +380,12 @@ defmodule Pleroma.Web.Router do
get("/moderation_log", AdminAPIController, :list_log)
- post("/reload_emoji", AdminAPIController, :reload_emoji)
get("/stats", AdminAPIController, :stats)
end
scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do
scope "/pack" do
- pipe_through(:admin_api)
+ pipe_through(:require_privileged_role_emoji_management)
post("/", EmojiPackController, :create)
patch("/", EmojiPackController, :update)
@@ -389,7 +400,7 @@ defmodule Pleroma.Web.Router do
# Modifying packs
scope "/packs" do
- pipe_through(:admin_api)
+ pipe_through(:require_privileged_role_emoji_management)
get("/import", EmojiPackController, :import_from_filesystem)
get("/remote", EmojiPackController, :remote)
diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -1060,6 +1060,34 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
assert Repo.aggregate(Pleroma.User.Backup, :count) == 2
end
end
+
+ describe "POST /api/v1/pleroma/admin/reload_emoji" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
+
+ admin = insert(:user, is_admin: true)
+ token = insert(:oauth_admin_token, user: admin)
+
+ conn =
+ build_conn()
+ |> assign(:user, admin)
+ |> assign(:token, token)
+
+ {:ok, %{conn: conn, admin: admin}}
+ end
+
+ test "it requires privileged role :emoji_management", %{conn: conn} do
+ assert conn
+ |> post("/api/v1/pleroma/admin/reload_emoji")
+ |> json_response(200)
+
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> post("/api/v1/pleroma/admin/reload_emoji")
+ |> json_response(:forbidden)
+ end
+ end
end
# Needed for testing
diff --git a/test/pleroma/web/pleroma_api/controllers/emoji_file_controller_test.exs b/test/pleroma/web/pleroma_api/controllers/emoji_file_controller_test.exs
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
- use Pleroma.Web.ConnCase
+ use Pleroma.Web.ConnCase, async: false
import Mock
import Tesla.Mock
@@ -30,6 +30,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
describe "POST/PATCH/DELETE /api/pleroma/emoji/packs/files?name=:name" do
setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
pack_file = "#{@emoji_path}/test_pack/pack.json"
original_content = File.read!(pack_file)
@@ -377,5 +378,32 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
})
|> json_response_and_validate_schema(:bad_request)
end
+
+ test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert admin_conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/emoji/packs/files?name=test_pack", %{
+ file: %Plug.Upload{
+ filename: "shortcode.png",
+ path: "#{Pleroma.Config.get([:instance, :static_dir])}/add/shortcode.png"
+ }
+ })
+ |> json_response(:forbidden)
+
+ assert admin_conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> patch("/api/pleroma/emoji/packs/files?name=test_pack", %{
+ shortcode: "blank",
+ new_filename: "dir_2/blank_3.png"
+ })
+ |> json_response(:forbidden)
+
+ assert admin_conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> delete("/api/pleroma/emoji/packs/files?name=test_pack&shortcode=blank3")
+ |> json_response(:forbidden)
+ end
end
end
diff --git a/test/pleroma/web/pleroma_api/controllers/emoji_pack_controller_test.exs b/test/pleroma/web/pleroma_api/controllers/emoji_pack_controller_test.exs
@@ -99,6 +99,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
end
describe "GET /api/pleroma/emoji/packs/remote" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
+ end
+
test "shareable instance", %{admin_conn: admin_conn, conn: conn} do
resp =
conn
@@ -136,6 +140,14 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
"error" => "The requested instance does not support sharing emoji packs"
}
end
+
+ test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert admin_conn
+ |> get("/api/pleroma/emoji/packs/remote?url=https://example.com")
+ |> json_response(:forbidden)
+ end
end
describe "GET /api/pleroma/emoji/packs/archive?name=:name" do
@@ -170,6 +182,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
end
describe "POST /api/pleroma/emoji/packs/download" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
+ end
+
test "shared pack from remote and non shared from fallback-src", %{
admin_conn: admin_conn,
conn: conn
@@ -344,10 +360,24 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
"The pack was not set as shared and there is no fallback src to download from"
}
end
+
+ test "it requires privileged role :emoji_management", %{admin_conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/pleroma/emoji/packs/download", %{
+ url: "https://example.com",
+ name: "test_pack",
+ as: "test_pack2"
+ })
+ |> json_response(:forbidden)
+ end
end
describe "PATCH/update /api/pleroma/emoji/pack?name=:name" do
setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
pack_file = "#{@emoji_path}/test_pack/pack.json"
original_content = File.read!(pack_file)
@@ -435,9 +465,22 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
"error" => "The fallback archive does not have all files specified in pack.json"
}
end
+
+ test "it requires privileged role :emoji_management", %{admin_conn: conn, new_data: new_data} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> patch("/api/pleroma/emoji/pack?name=test_pack", %{metadata: new_data})
+ |> json_response(:forbidden)
+ end
end
describe "POST/DELETE /api/pleroma/emoji/pack?name=:name" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:emoji_management])
+ end
+
test "returns an error on creates pack when file system not writable", %{
admin_conn: admin_conn
} do
@@ -520,6 +563,18 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
"error" => "pack name cannot be empty"
}
end
+
+ test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ assert admin_conn
+ |> post("/api/pleroma/emoji/pack?name= ")
+ |> json_response(:forbidden)
+
+ assert admin_conn
+ |> delete("/api/pleroma/emoji/pack?name= ")
+ |> json_response(:forbidden)
+ end
end
test "deleting nonexisting pack", %{admin_conn: admin_conn} do
@@ -578,6 +633,12 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
"blank2" => "blank.png",
"foo" => "blank.png"
}
+
+ clear_config([:instance, :admin_privileges], [])
+
+ assert admin_conn
+ |> get("/api/pleroma/emoji/packs/import")
+ |> json_response(:forbidden)
end
describe "GET /api/pleroma/emoji/pack?name=:name" do
