Add priviledges for :user_credentials

I only moved the ones from the :require_privileged_staff block for now
2022-05-26 13:27:06 +02:00 · 2022-05-26 13:27:06 +02:00 · 8a9144ca8b
commit 8a9144ca8b
parent 9f6c364759
4 changed files with 53 additions and 14 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -257,7 +257,7 @@
  password_reset_token_validity: 60 * 60 * 24,
  profile_directory: true,
  privileged_staff: false,
-  admin_privileges: [:user_deletion],
+  admin_privileges: [:user_deletion, :user_credentials],
  moderator_privileges: [],
  max_endorsed_users: 20,
  birthday_required: false,
--- a/config/description.exs
+++ b/config/description.exs
@ -969,14 +969,14 @@
      %{
        key: :admin_privileges,
        type: {:list, :atom},
-        suggestions: [:user_deletion],
+        suggestions: [:user_deletion, :user_credentials],
        description:
          "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
      },
      %{
        key: :moderator_privileges,
        type: {:list, :atom},
-        suggestions: [:user_deletion],
+        suggestions: [:user_deletion, :user_credentials],
        description:
          "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
      },
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -114,6 +114,11 @@ defmodule Pleroma.Web.Router do
    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
  end
  pipeline :require_privileged_role_user_credentials do
    plug(:admin_api)
    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials)
  end
  pipeline :pleroma_html do
    plug(:browser)
    plug(:authenticate)
@ -206,7 +211,6 @@ defmodule Pleroma.Web.Router do
    patch("/users/force_password_reset", AdminAPIController, :force_password_reset)
    get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials)
    patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
    get("/instance_document/:name", InstanceDocumentController, :show)
    patch("/instance_document/:name", InstanceDocumentController, :update)
@ -243,12 +247,17 @@ defmodule Pleroma.Web.Router do
    delete("/users", UserController, :delete)
  end
-  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :require_privileged_staff])
+    pipe_through([:admin_api, :require_privileged_role_user_credentials])
    get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
    patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
  end
  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
    pipe_through([:admin_api, :require_privileged_staff])
    get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
    get("/users/:nickname/chats", AdminAPIController, :list_user_chats)
--- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@ -271,17 +271,32 @@ test "/:right DELETE, can remove from a permission group (multiple)", %{
    end
  end
-  test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do
+  describe "/api/pleroma/admin/users/:nickname/password_reset" do
-    user = insert(:user)
+    test "it returns a password reset link", %{conn: conn} do
      clear_config([:instance, :admin_privileges], [:user_credentials])
-    conn =
+      user = insert(:user)
      conn
      |> put_req_header("accept", "application/json")
      |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
-    resp = json_response(conn, 200)
+      conn =
        conn
        |> put_req_header("accept", "application/json")
        |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
-    assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
+      resp = json_response(conn, 200)
      assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
    end
    test "it requires privileged role :user_credentials", %{conn: conn} do
      clear_config([:instance, :admin_privileges], [])
      response =
        conn
        |> put_req_header("accept", "application/json")
        |> get("/api/pleroma/admin/users/nickname/password_reset")
      assert json_response(response, :forbidden)
    end
  end
  describe "PUT disable_mfa" do
@ -714,6 +729,8 @@ test "returns 403 if requested by a non-admin" do
    end
    test "changes password and email", %{conn: conn, admin: admin, user: user} do
      clear_config([:instance, :admin_privileges], [:user_credentials])
      assert user.password_reset_pending == false
      conn =
@ -756,6 +773,19 @@ test "returns 403 if requested by a non-admin", %{user: user} do
      assert json_response(conn, :forbidden)
    end
    test "returns 403 if not privileged with :user_credentials", %{conn: conn, user: user} do
      clear_config([:instance, :admin_privileges], [])
      conn =
        patch(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials", %{
          "password" => "new_password",
          "email" => "new_email@example.com",
          "name" => "new_name"
        })
      assert json_response(conn, :forbidden)
    end
    test "changes actor type from permitted list", %{conn: conn, user: user} do
      assert user.actor_type == "Person"