Validator for deleting statusses is now done with priviledge instead of superuser

2022-06-13 13:58:26 +02:00 · 2022-06-13 13:58:26 +02:00 · bb61cfee8d
commit bb61cfee8d
parent 7cf473c500
3 changed files with 17 additions and 8 deletions
--- a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
@ -136,11 +136,11 @@ def same_domain?(cng, fields \\ [:actor, :object]) do

  # This figures out if a user is able to create, delete or modify something
  # based on the domain and superuser status
-  @spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t()
-  def validate_modification_rights(cng) do
+  @spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t()
+  def validate_modification_rights(cng, privilege) do
    actor = User.get_cached_by_ap_id(get_field(cng, :actor))

-    if User.superuser?(actor) || same_domain?(cng) do
+    if User.privileged?(actor, privilege) || same_domain?(cng) do
      cng
    else
      cng
--- a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
@ -61,7 +61,7 @@ defp validate_data(cng) do
    |> validate_required([:id, :type, :actor, :to, :cc, :object])
    |> validate_inclusion(:type, ["Delete"])
    |> validate_delete_actor(:actor)
-    |> validate_modification_rights()
+    |> validate_modification_rights(:status_delete)
    |> validate_object_or_user_presence(allowed_types: @deletable_types)
    |> add_deleted_activity_id()
  end
--- a/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs
+++ b/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
-  use Pleroma.DataCase, async: true
+  use Pleroma.DataCase, async: false

  alias Pleroma.Object
  alias Pleroma.Web.ActivityPub.Builder
@ -90,17 +90,26 @@ test "it's invalid if the actor of the object and the actor of delete are from d
      assert {:actor, {"is not allowed to modify object", []}} in cng.errors
    end

-    test "it's valid if the actor of the object is a local superuser",
+    test "it's only valid if the actor of the object is a privileged local user",
         %{valid_post_delete: valid_post_delete} do
+      clear_config([:instance, :moderator_privileges], [:status_delete])
+
      user =
        insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo")

-      valid_other_actor =
+      post_delete_with_moderator_actor =
        valid_post_delete
        |> Map.put("actor", user.ap_id)

-      {:ok, _, meta} = ObjectValidator.validate(valid_other_actor, [])
+      {:ok, _, meta} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
+
      assert meta[:do_not_federate]
+
+      clear_config([:instance, :moderator_privileges], [])
+
+      {:error, cng} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
+
+      assert {:actor, {"is not allowed to modify object", []}} in cng.errors
    end
  end
 end