diff --git a/config/config.exs b/config/config.exs index 2d501e577..496a1d57a 100644 --- a/config/config.exs +++ b/config/config.exs @@ -257,7 +257,7 @@ password_reset_token_validity: 60 * 60 * 24, profile_directory: true, privileged_staff: false, - admin_privileges: [], + admin_privileges: [:user_deletion], moderator_privileges: [], max_endorsed_users: 20, birthday_required: false, diff --git a/config/description.exs b/config/description.exs index b73b92c46..b45d416b1 100644 --- a/config/description.exs +++ b/config/description.exs @@ -969,14 +969,16 @@ %{ key: :admin_privileges, type: {:list, :atom}, - suggestions: [], - description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" + suggestions: [:user_deletion], + description: + "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, %{ key: :moderator_privileges, type: {:list, :atom}, - suggestions: [], - description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" + suggestions: [:user_deletion], + description: + "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, %{ key: :birthday_required, diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index ceb6c3cfd..5012fbf9a 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -109,6 +109,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.UserIsAdminPlug) end + pipeline :require_privileged_role_user_deletion do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -231,12 +236,17 @@ defmodule Pleroma.Web.Router do post("/backups", AdminAPIController, :create_backup) end + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through([:admin_api, :require_privileged_role_user_deletion]) + + delete("/users", UserController, :delete) + end + # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through([:admin_api, :require_privileged_staff]) - delete("/users", UserController, :delete) - get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) diff --git a/test/pleroma/web/admin_api/controllers/user_controller_test.exs b/test/pleroma/web/admin_api/controllers/user_controller_test.exs index 79971be06..54a9619e8 100644 --- a/test/pleroma/web/admin_api/controllers/user_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/user_controller_test.exs @@ -94,6 +94,7 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro describe "DELETE /api/pleroma/admin/users" do test "single user", %{admin: admin, conn: conn} do clear_config([:instance, :federating], true) + clear_config([:instance, :admin_privileges], [:user_deletion]) user = insert(:user, @@ -149,6 +150,8 @@ test "single user", %{admin: admin, conn: conn} do end test "multiple users", %{admin: admin, conn: conn} do + clear_config([:instance, :admin_privileges], [:user_deletion]) + user_one = insert(:user) user_two = insert(:user) @@ -168,6 +171,17 @@ test "multiple users", %{admin: admin, conn: conn} do assert response -- [user_one.nickname, user_two.nickname] == [] end + + test "Needs privileged role", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> put_req_header("accept", "application/json") + |> delete("/api/pleroma/admin/users?nickname=nickname") + + assert json_response(response, :forbidden) + end end describe "/api/pleroma/admin/users" do