From cb60cc4e02af270fcccdcd552df4fa3ff858d67f Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 16:25:28 +0200 Subject: [PATCH] Add privileges for :user_tag --- config/config.exs | 2 +- config/description.exs | 4 +- lib/pleroma/web/router.ex | 14 ++- .../controllers/admin_api_controller_test.exs | 87 +++++++++++++++---- 4 files changed, 84 insertions(+), 23 deletions(-) diff --git a/config/config.exs b/config/config.exs index 4cdc90c7a..f2001eef0 100644 --- a/config/config.exs +++ b/config/config.exs @@ -256,7 +256,7 @@ show_reactions: true, password_reset_token_validity: 60 * 60 * 24, profile_directory: true, - admin_privileges: [:user_deletion, :user_credentials, :statuses_read], + admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag], moderator_privileges: [], max_endorsed_users: 20, birthday_required: false, diff --git a/config/description.exs b/config/description.exs index b0b8ecd88..f455a2e46 100644 --- a/config/description.exs +++ b/config/description.exs @@ -963,14 +963,14 @@ %{ key: :admin_privileges, type: {:list, :atom}, - suggestions: [:user_deletion, :user_credentials, :statuses_read], + suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, %{ key: :moderator_privileges, type: {:list, :atom}, - suggestions: [:user_deletion, :user_credentials, :statuses_read], + suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 21b77b624..b5b9e7d07 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -120,6 +120,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read) end + pipeline :require_privileged_role_user_tag do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -269,12 +274,17 @@ defmodule Pleroma.Web.Router do get("/chats/:id/messages", ChatController, :messages) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_tag) put("/users/tag", AdminAPIController, :tag_users) delete("/users/tag", AdminAPIController, :untag_users) + end + + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/activate", UserController, :activate) diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs index c630ee31b..178e0e88a 100644 --- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs @@ -92,18 +92,12 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro describe "PUT /api/pleroma/admin/users/tag" do setup %{conn: conn} do + clear_config([:instance, :admin_privileges], [:user_tag]) + user1 = insert(:user, %{tags: ["x"]}) user2 = insert(:user, %{tags: ["y"]}) user3 = insert(:user, %{tags: ["unchanged"]}) - conn = - conn - |> put_req_header("accept", "application/json") - |> put( - "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> - "#{user2.nickname}&tags[]=foo&tags[]=bar" - ) - %{conn: conn, user1: user1, user2: user2, user3: user3} end @@ -113,6 +107,14 @@ test "it appends specified tags to users with specified nicknames", %{ user1: user1, user2: user2 } do + conn = + conn + |> put_req_header("accept", "application/json") + |> put( + "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> + "#{user2.nickname}&tags[]=foo&tags[]=bar" + ) + assert empty_json_response(conn) assert User.get_cached_by_id(user1.id).tags == ["x", "foo", "bar"] assert User.get_cached_by_id(user2.id).tags == ["y", "foo", "bar"] @@ -130,26 +132,43 @@ test "it appends specified tags to users with specified nicknames", %{ "@#{admin.nickname} added tags: #{tags} to users: #{users}" end - test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do + test "it does not modify tags of not specified users", %{ + conn: conn, + user1: user1, + user2: user2, + user3: user3 + } do + conn = + conn + |> put_req_header("accept", "application/json") + |> put( + "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> + "#{user2.nickname}&tags[]=foo&tags[]=bar" + ) + assert empty_json_response(conn) assert User.get_cached_by_id(user3.id).tags == ["unchanged"] end + + test "it requires privileged role :user_tag", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> put_req_header("accept", "application/json") + |> put("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar") + + assert json_response(response, :forbidden) + end end describe "DELETE /api/pleroma/admin/users/tag" do setup %{conn: conn} do + clear_config([:instance, :admin_privileges], [:user_tag]) user1 = insert(:user, %{tags: ["x"]}) user2 = insert(:user, %{tags: ["y", "z"]}) user3 = insert(:user, %{tags: ["unchanged"]}) - conn = - conn - |> put_req_header("accept", "application/json") - |> delete( - "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> - "#{user2.nickname}&tags[]=x&tags[]=z" - ) - %{conn: conn, user1: user1, user2: user2, user3: user3} end @@ -159,6 +178,14 @@ test "it removes specified tags from users with specified nicknames", %{ user1: user1, user2: user2 } do + conn = + conn + |> put_req_header("accept", "application/json") + |> delete( + "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> + "#{user2.nickname}&tags[]=x&tags[]=z" + ) + assert empty_json_response(conn) assert User.get_cached_by_id(user1.id).tags == [] assert User.get_cached_by_id(user2.id).tags == ["y"] @@ -176,10 +203,34 @@ test "it removes specified tags from users with specified nicknames", %{ "@#{admin.nickname} removed tags: #{tags} from users: #{users}" end - test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do + test "it does not modify tags of not specified users", %{ + conn: conn, + user1: user1, + user2: user2, + user3: user3 + } do + conn = + conn + |> put_req_header("accept", "application/json") + |> delete( + "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <> + "#{user2.nickname}&tags[]=x&tags[]=z" + ) + assert empty_json_response(conn) assert User.get_cached_by_id(user3.id).tags == ["unchanged"] end + + test "it requires privileged role :user_tag", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> put_req_header("accept", "application/json") + |> delete("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar") + + assert json_response(response, :forbidden) + end end describe "/api/pleroma/admin/users/:nickname/permission_group" do