From 0ee8f33250f649c7807fd161b9d6588757f5dc94 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 11 Jun 2022 13:08:40 +0200 Subject: [PATCH] Add privilige :status_delete It also allows to update a message, so it's not just deleting. I need a better name... --- config/config.exs | 3 ++- config/description.exs | 6 ++++-- lib/pleroma/web/router.ex | 20 ++++++++++++++----- .../controllers/chat_controller_test.exs | 14 ++++++++++++- .../controllers/status_controller_test.exs | 20 +++++++++++++++++++ 5 files changed, 54 insertions(+), 9 deletions(-) diff --git a/config/config.exs b/config/config.exs index 778e6bf21..ef2211426 100644 --- a/config/config.exs +++ b/config/config.exs @@ -264,7 +264,8 @@ :user_activation, :user_invite, :report_handle, - :user_read + :user_read, + :status_delete ], moderator_privileges: [], max_endorsed_users: 20, diff --git a/config/description.exs b/config/description.exs index 6d8cacace..8ef649e99 100644 --- a/config/description.exs +++ b/config/description.exs @@ -971,7 +971,8 @@ :user_activation, :user_invite, :report_handle, - :user_read + :user_read, + :status_delete ], description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" @@ -987,7 +988,8 @@ :user_activation, :user_invite, :report_handle, - :user_read + :user_read, + :status_delete ], description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 13e8141e4..50a0ea7fc 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -145,6 +145,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_read) end + pipeline :require_privileged_role_status_delete do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -345,21 +350,26 @@ defmodule Pleroma.Web.Router do get("/users/:nickname", UserController, :show) end + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_status_delete) + + put("/statuses/:id", StatusController, :update) + delete("/statuses/:id", StatusController, :delete) + + delete("/chats/:id/messages/:message_id", ChatController, :delete_message) + end + # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) delete("/instances/:instance", InstanceController, :delete) - put("/statuses/:id", StatusController, :update) - delete("/statuses/:id", StatusController, :delete) - get("/moderation_log", AdminAPIController, :list_log) post("/reload_emoji", AdminAPIController, :reload_emoji) get("/stats", AdminAPIController, :stats) - - delete("/chats/:id/messages/:message_id", ChatController, :delete_message) end scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do diff --git a/test/pleroma/web/admin_api/controllers/chat_controller_test.exs b/test/pleroma/web/admin_api/controllers/chat_controller_test.exs index 3798083aa..e080cd225 100644 --- a/test/pleroma/web/admin_api/controllers/chat_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/chat_controller_test.exs @@ -27,7 +27,10 @@ defp admin_setup do end describe "DELETE /api/pleroma/admin/chats/:id/messages/:message_id" do - setup do: admin_setup() + setup do + clear_config([:instance, :admin_privileges], [:status_delete]) + admin_setup() + end test "it deletes a message from the chat", %{conn: conn, admin: admin} do user = insert(:user) @@ -60,6 +63,15 @@ test "it deletes a message from the chat", %{conn: conn, admin: admin} do refute MessageReference.get_by_id(recipient_cm_ref.id) assert %{data: %{"type" => "Tombstone"}} = Object.get_by_id(object.id) end + + test "it requires privileged role :status_delete", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + assert conn + |> put_req_header("content-type", "application/json") + |> delete("/api/pleroma/admin/chats/some_id/messages/some_ref_id") + |> json_response(:forbidden) + end end describe "GET /api/pleroma/admin/chats/:id/messages" do diff --git a/test/pleroma/web/admin_api/controllers/status_controller_test.exs b/test/pleroma/web/admin_api/controllers/status_controller_test.exs index d18577961..2daf6a50d 100644 --- a/test/pleroma/web/admin_api/controllers/status_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/status_controller_test.exs @@ -64,6 +64,7 @@ test "denies reading activity when not privileged", %{conn: conn} do describe "PUT /api/pleroma/admin/statuses/:id" do setup do + clear_config([:instance, :admin_privileges], [:status_delete]) activity = insert(:note_activity) %{id: activity.id} @@ -132,10 +133,20 @@ test "returns 400 when visibility is unknown", %{conn: conn, id: id} do assert %{"error" => "test - Invalid value for enum."} = json_response_and_validate_schema(conn, :bad_request) end + + test "it requires privileged role :status_delete", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + assert conn + |> put_req_header("content-type", "application/json") + |> put("/api/pleroma/admin/statuses/some_id", %{}) + |> json_response(:forbidden) + end end describe "DELETE /api/pleroma/admin/statuses/:id" do setup do + clear_config([:instance, :admin_privileges], [:status_delete]) activity = insert(:note_activity) %{id: activity.id} @@ -159,6 +170,15 @@ test "returns 404 when the status does not exist", %{conn: conn} do assert json_response_and_validate_schema(conn, :not_found) == %{"error" => "Not found"} end + + test "it requires privileged role :status_delete", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + assert conn + |> put_req_header("content-type", "application/json") + |> delete("/api/pleroma/admin/statuses/some_id") + |> json_response(:forbidden) + end end describe "GET /api/pleroma/admin/statuses" do