Add privilege :user_deletion

This commit is contained in:
Ilja 2022-05-26 12:49:09 +02:00
parent 5b19543f0a
commit 9f6c364759
4 changed files with 33 additions and 7 deletions

View file

@ -257,7 +257,7 @@
password_reset_token_validity: 60 * 60 * 24,
profile_directory: true,
privileged_staff: false,
admin_privileges: [],
admin_privileges: [:user_deletion],
moderator_privileges: [],
max_endorsed_users: 20,
birthday_required: false,

View file

@ -969,14 +969,16 @@
%{
key: :admin_privileges,
type: {:list, :atom},
suggestions: [],
description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
suggestions: [:user_deletion],
description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :moderator_privileges,
type: {:list, :atom},
suggestions: [],
description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
suggestions: [:user_deletion],
description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :birthday_required,

View file

@ -109,6 +109,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.UserIsAdminPlug)
end
pipeline :require_privileged_role_user_deletion do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
end
pipeline :pleroma_html do
plug(:browser)
plug(:authenticate)
@ -231,12 +236,17 @@ defmodule Pleroma.Web.Router do
post("/backups", AdminAPIController, :create_backup)
end
# AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_role_user_deletion])
delete("/users", UserController, :delete)
end
# AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_staff])
delete("/users", UserController, :delete)
get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)

View file

@ -94,6 +94,7 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro
describe "DELETE /api/pleroma/admin/users" do
test "single user", %{admin: admin, conn: conn} do
clear_config([:instance, :federating], true)
clear_config([:instance, :admin_privileges], [:user_deletion])
user =
insert(:user,
@ -149,6 +150,8 @@ test "single user", %{admin: admin, conn: conn} do
end
test "multiple users", %{admin: admin, conn: conn} do
clear_config([:instance, :admin_privileges], [:user_deletion])
user_one = insert(:user)
user_two = insert(:user)
@ -168,6 +171,17 @@ test "multiple users", %{admin: admin, conn: conn} do
assert response -- [user_one.nickname, user_two.nickname] == []
end
test "Needs privileged role", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
response =
conn
|> put_req_header("accept", "application/json")
|> delete("/api/pleroma/admin/users?nickname=nickname")
assert json_response(response, :forbidden)
end
end
describe "/api/pleroma/admin/users" do