forked from AkkomaGang/akkoma
OAuthScopesPlug: remove transform_scopes in favor of explicit admin scope definitions
Transforming scopes is no longer necessary since we are dropping support for accessing admin api without `admin:` prefix in scopes.
This commit is contained in:
parent
95a22c1cc2
commit
2ab9499258
16 changed files with 30 additions and 45 deletions
lib/pleroma
config.ex
web
admin_api/controllers
admin_api_controller.exchat_controller.exconfig_controller.exfrontend_controller.exinstance_document_controller.exinvite_controller.exmedia_proxy_cache_controller.exo_auth_app_controller.exrelay_controller.exreport_controller.exstatus_controller.exuser_controller.ex
pleroma_api/controllers
plugs
|
@ -99,8 +99,4 @@ def restrict_unauthenticated_access?(resource, kind) do
|
||||||
def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
|
def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
|
||||||
|
|
||||||
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
|
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
|
||||||
|
|
||||||
def oauth_admin_scopes(scopes) when is_list(scopes) do
|
|
||||||
Enum.map(scopes, fn scope -> "admin:#{scope}" end)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -25,13 +25,13 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:accounts"], admin: true}
|
%{scopes: ["admin:read:accounts"]}
|
||||||
when action in [:right_get, :show_user_credentials, :create_backup]
|
when action in [:right_get, :show_user_credentials, :create_backup]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:accounts"], admin: true}
|
%{scopes: ["admin:write:accounts"]}
|
||||||
when action in [
|
when action in [
|
||||||
:get_password_reset,
|
:get_password_reset,
|
||||||
:force_password_reset,
|
:force_password_reset,
|
||||||
|
@ -48,19 +48,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:statuses"], admin: true}
|
%{scopes: ["admin:read:statuses"]}
|
||||||
when action in [:list_user_statuses, :list_instance_statuses]
|
when action in [:list_user_statuses, :list_instance_statuses]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:chats"], admin: true}
|
%{scopes: ["admin:read:chats"]}
|
||||||
when action in [:list_user_chats]
|
when action in [:list_user_chats]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read"], admin: true}
|
%{scopes: ["admin:read"]}
|
||||||
when action in [
|
when action in [
|
||||||
:list_log,
|
:list_log,
|
||||||
:stats,
|
:stats,
|
||||||
|
@ -70,7 +70,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write"], admin: true}
|
%{scopes: ["admin:write"]}
|
||||||
when action in [
|
when action in [
|
||||||
:restart,
|
:restart,
|
||||||
:resend_confirmation_email,
|
:resend_confirmation_email,
|
||||||
|
|
|
@ -21,12 +21,12 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:chats"], admin: true} when action in [:show, :messages]
|
%{scopes: ["admin:read:chats"]} when action in [:show, :messages]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:chats"], admin: true} when action in [:delete_message]
|
%{scopes: ["admin:write:chats"]} when action in [:delete_message]
|
||||||
)
|
)
|
||||||
|
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
|
@ -10,11 +10,11 @@ defmodule Pleroma.Web.AdminAPI.ConfigController do
|
||||||
alias Pleroma.Web.Plugs.OAuthScopesPlug
|
alias Pleroma.Web.Plugs.OAuthScopesPlug
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action == :update)
|
plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :update)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read"], admin: true}
|
%{scopes: ["admin:read"]}
|
||||||
when action in [:show, :descriptions]
|
when action in [:show, :descriptions]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -9,8 +9,8 @@ defmodule Pleroma.Web.AdminAPI.FrontendController do
|
||||||
alias Pleroma.Web.Plugs.OAuthScopesPlug
|
alias Pleroma.Web.Plugs.OAuthScopesPlug
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action == :install)
|
plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :install)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :index)
|
plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :index)
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
||||||
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.FrontendOperation
|
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.FrontendOperation
|
||||||
|
|
|
@ -15,8 +15,8 @@ defmodule Pleroma.Web.AdminAPI.InstanceDocumentController do
|
||||||
|
|
||||||
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.InstanceDocumentOperation
|
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.InstanceDocumentOperation
|
||||||
|
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :show)
|
plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :show)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action in [:update, :delete])
|
plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action in [:update, :delete])
|
||||||
|
|
||||||
def show(conn, %{name: document_name}) do
|
def show(conn, %{name: document_name}) do
|
||||||
with {:ok, url} <- InstanceDocument.get(document_name),
|
with {:ok, url} <- InstanceDocument.get(document_name),
|
||||||
|
|
|
@ -14,11 +14,11 @@ defmodule Pleroma.Web.AdminAPI.InviteController do
|
||||||
require Logger
|
require Logger
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read:invites"], admin: true} when action == :index)
|
plug(OAuthScopesPlug, %{scopes: ["admin:read:invites"]} when action == :index)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:invites"], admin: true} when action in [:create, :revoke, :email]
|
%{scopes: ["admin:write:invites"]} when action in [:create, :revoke, :email]
|
||||||
)
|
)
|
||||||
|
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
|
@ -15,12 +15,12 @@ defmodule Pleroma.Web.AdminAPI.MediaProxyCacheController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:media_proxy_caches"], admin: true} when action in [:index]
|
%{scopes: ["admin:read:media_proxy_caches"]} when action in [:index]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:media_proxy_caches"], admin: true} when action in [:purge, :delete]
|
%{scopes: ["admin:write:media_proxy_caches"]} when action in [:purge, :delete]
|
||||||
)
|
)
|
||||||
|
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
|
@ -17,7 +17,7 @@ defmodule Pleroma.Web.AdminAPI.OAuthAppController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write"], admin: true}
|
%{scopes: ["admin:write"]}
|
||||||
when action in [:create, :index, :update, :delete]
|
when action in [:create, :index, :update, :delete]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -15,11 +15,11 @@ defmodule Pleroma.Web.AdminAPI.RelayController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:follows"], admin: true}
|
%{scopes: ["admin:write:follows"]}
|
||||||
when action in [:follow, :unfollow]
|
when action in [:follow, :unfollow]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :index)
|
plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :index)
|
||||||
|
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
||||||
|
|
|
@ -19,11 +19,11 @@ defmodule Pleroma.Web.AdminAPI.ReportController do
|
||||||
require Logger
|
require Logger
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read:reports"], admin: true} when action in [:index, :show])
|
plug(OAuthScopesPlug, %{scopes: ["admin:read:reports"]} when action in [:index, :show])
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:reports"], admin: true}
|
%{scopes: ["admin:write:reports"]}
|
||||||
when action in [:update, :notes_create, :notes_delete]
|
when action in [:update, :notes_create, :notes_delete]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -15,11 +15,11 @@ defmodule Pleroma.Web.AdminAPI.StatusController do
|
||||||
require Logger
|
require Logger
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||||
plug(OAuthScopesPlug, %{scopes: ["read:statuses"], admin: true} when action in [:index, :show])
|
plug(OAuthScopesPlug, %{scopes: ["admin:read:statuses"]} when action in [:index, :show])
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:statuses"], admin: true} when action in [:update, :delete]
|
%{scopes: ["admin:write:statuses"]} when action in [:update, :delete]
|
||||||
)
|
)
|
||||||
|
|
||||||
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
action_fallback(Pleroma.Web.AdminAPI.FallbackController)
|
||||||
|
|
|
@ -21,13 +21,13 @@ defmodule Pleroma.Web.AdminAPI.UserController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["read:accounts"], admin: true}
|
%{scopes: ["admin:read:accounts"]}
|
||||||
when action in [:list, :show]
|
when action in [:list, :show]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:accounts"], admin: true}
|
%{scopes: ["admin:write:accounts"]}
|
||||||
when action in [
|
when action in [
|
||||||
:delete,
|
:delete,
|
||||||
:create,
|
:create,
|
||||||
|
@ -40,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.UserController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["write:follows"], admin: true}
|
%{scopes: ["admin:write:follows"]}
|
||||||
when action in [:follow, :unfollow]
|
when action in [:follow, :unfollow]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
Pleroma.Web.Plugs.OAuthScopesPlug,
|
Pleroma.Web.Plugs.OAuthScopesPlug,
|
||||||
%{scopes: ["write"], admin: true}
|
%{scopes: ["admin:write"]}
|
||||||
when action in [
|
when action in [
|
||||||
:create,
|
:create,
|
||||||
:update,
|
:update,
|
||||||
|
|
|
@ -11,7 +11,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackController do
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
Pleroma.Web.Plugs.OAuthScopesPlug,
|
Pleroma.Web.Plugs.OAuthScopesPlug,
|
||||||
%{scopes: ["write"], admin: true}
|
%{scopes: ["admin:write"]}
|
||||||
when action in [
|
when action in [
|
||||||
:import_from_filesystem,
|
:import_from_filesystem,
|
||||||
:remote,
|
:remote,
|
||||||
|
|
|
@ -6,7 +6,6 @@ defmodule Pleroma.Web.Plugs.OAuthScopesPlug do
|
||||||
import Plug.Conn
|
import Plug.Conn
|
||||||
import Pleroma.Web.Gettext
|
import Pleroma.Web.Gettext
|
||||||
|
|
||||||
alias Pleroma.Config
|
|
||||||
alias Pleroma.Helpers.AuthHelper
|
alias Pleroma.Helpers.AuthHelper
|
||||||
|
|
||||||
use Pleroma.Web, :plug
|
use Pleroma.Web, :plug
|
||||||
|
@ -18,7 +17,6 @@ def perform(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
|
||||||
op = options[:op] || :|
|
op = options[:op] || :|
|
||||||
token = assigns[:token]
|
token = assigns[:token]
|
||||||
|
|
||||||
scopes = transform_scopes(scopes, options)
|
|
||||||
matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
|
matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
|
||||||
|
|
||||||
cond do
|
cond do
|
||||||
|
@ -57,13 +55,4 @@ def filter_descendants(scopes, supported_scopes) do
|
||||||
end
|
end
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
@doc "Transforms scopes by applying supported options (e.g. :admin)"
|
|
||||||
def transform_scopes(scopes, options) do
|
|
||||||
if options[:admin] do
|
|
||||||
Config.oauth_admin_scopes(scopes)
|
|
||||||
else
|
|
||||||
scopes
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue