last off :statuses_read

From the endpoints left to do, I believe these should be under :statuses_read.
These should be the last for that privilege for this MR

lib/pleroma/web/router.ex

@@ -292,6 +292,10 @@ defmodule Pleroma.Web.Router do
 
     get("/chats/:id", ChatController, :show)
     get("/chats/:id/messages", ChatController, :messages)
+
+    get("/instances/:instance/statuses", InstanceController, :list_statuses)
+
+    get("/statuses/:id", StatusController, :show)
   end
 
   # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
@@ -345,10 +349,8 @@ defmodule Pleroma.Web.Router do
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
     pipe_through(:admin_api)
 
-    get("/instances/:instance/statuses", InstanceController, :list_statuses)
     delete("/instances/:instance", InstanceController, :delete)
 
-    get("/statuses/:id", StatusController, :show)
     put("/statuses/:id", StatusController, :update)
     delete("/statuses/:id", StatusController, :delete)
 

test/pleroma/web/admin_api/controllers/instance_controller_test.exs

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.AdminAPI.InstanceControllerTest do
-  use Pleroma.Web.ConnCase
+  use Pleroma.Web.ConnCase, async: false
   use Oban.Testing, repo: Pleroma.Repo
 
   import Pleroma.Factory
@@ -31,6 +31,7 @@ defmodule Pleroma.Web.AdminAPI.InstanceControllerTest do
   end
 
   test "GET /instances/:instance/statuses", %{conn: conn} do
+    clear_config([:instance, :admin_privileges], [:statuses_read])
     user = insert(:user, local: false, ap_id: "https://archae.me/users/archaeme")
     user2 = insert(:user, local: false, ap_id: "https://test.com/users/test")
     insert_pair(:note_activity, user: user)
@@ -60,6 +61,10 @@ test "GET /instances/:instance/statuses", %{conn: conn} do
       |> json_response(200)
 
     assert length(activities) == 3
+
+    clear_config([:instance, :admin_privileges], [])
+
+    conn |> get("/api/pleroma/admin/instances/archae.me/statuses") |> json_response(:forbidden)
   end
 
   test "DELETE /instances/:instance", %{conn: conn} do

test/pleroma/web/admin_api/controllers/status_controller_test.exs

@@ -26,6 +26,10 @@ defmodule Pleroma.Web.AdminAPI.StatusControllerTest do
   end
 
   describe "GET /api/pleroma/admin/statuses/:id" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:statuses_read])
+    end
+
     test "not found", %{conn: conn} do
       assert conn
              |> get("/api/pleroma/admin/statuses/not_found")
@@ -50,6 +54,12 @@ test "shows activity", %{conn: conn} do
       assert account["is_active"] == actor.is_active
       assert account["is_confirmed"] == actor.is_confirmed
     end
+
+    test "denies reading activity when not privileged", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert conn |> get("/api/pleroma/admin/statuses/some_id") |> json_response(:forbidden)
+    end
   end
 
   describe "PUT /api/pleroma/admin/statuses/:id" do