From c842e6267545dfa88cf97cef69337296c3cb77d5 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sun, 12 Jun 2022 10:07:33 +0200 Subject: [PATCH] Add last priviliges I still had three endpoints I didn't really know what to do with them. I added them under separate tags * :instance_delete * :moderation_log_read * :stats_read I also checked and these are the last changes done by MR https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3480/diffs this is trying to fix --- lib/pleroma/web/router.ex | 29 +++++++++++++++++-- .../controllers/admin_api_controller_test.exs | 22 ++++++++++++++ .../controllers/instance_controller_test.exs | 8 +++++ 3 files changed, 57 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 46f128672..f680c8353 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -155,6 +155,21 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management) end + pipeline :require_privileged_role_instance_delete do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :instance_delete) + end + + pipeline :require_privileged_role_moderation_log_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :moderation_log_read) + end + + pipeline :require_privileged_role_stats_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :stats_read) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -372,13 +387,23 @@ defmodule Pleroma.Web.Router do post("/reload_emoji", AdminAPIController, :reload_emoji) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_instance_delete) delete("/instances/:instance", InstanceController, :delete) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_moderation_log_read) get("/moderation_log", AdminAPIController, :list_log) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_stats_read) get("/stats", AdminAPIController, :stats) end diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs index 23c26d7db..180f6c83f 100644 --- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs @@ -558,6 +558,7 @@ test "returns 403", %{conn: conn, user: user} do describe "GET /api/pleroma/admin/moderation_log" do setup do + clear_config([:instance, :admin_privileges], [:moderation_log_read]) moderator = insert(:user, is_moderator: true) %{moderator: moderator} @@ -762,6 +763,15 @@ test "returns log filtered by search", %{conn: conn, moderator: moderator} do assert get_in(first_entry, ["data", "message"]) == "@#{moderator.nickname} unfollowed relay: https://example.org/relay" end + + test "it requires privileged role :moderation_log_read", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + assert conn + |> put_req_header("content-type", "multipart/form-data") + |> get("/api/pleroma/admin/moderation_log") + |> json_response(:forbidden) + end end test "gets a remote users when [:instance, :limit_to_local_content] is set to :unauthenticated", @@ -960,6 +970,10 @@ test "it resend emails for two users", %{conn: conn, admin: admin} do end describe "/api/pleroma/admin/stats" do + setup do + clear_config([:instance, :admin_privileges], [:stats_read]) + end + test "status visibility count", %{conn: conn} do user = insert(:user) CommonAPI.post(user, %{visibility: "public", status: "hey"}) @@ -992,6 +1006,14 @@ test "by instance", %{conn: conn} do assert %{"direct" => 0, "private" => 1, "public" => 0, "unlisted" => 1} = response["status_visibility"] end + + test "it requires privileged role :stats_read", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + assert conn + |> get("/api/pleroma/admin/stats", instance: "lain.wired") + |> json_response(:forbidden) + end end describe "/api/pleroma/backups" do diff --git a/test/pleroma/web/admin_api/controllers/instance_controller_test.exs b/test/pleroma/web/admin_api/controllers/instance_controller_test.exs index 2ab32fed8..b757ce469 100644 --- a/test/pleroma/web/admin_api/controllers/instance_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/instance_controller_test.exs @@ -68,6 +68,7 @@ test "GET /instances/:instance/statuses", %{conn: conn} do end test "DELETE /instances/:instance", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:instance_delete]) user = insert(:user, nickname: "lain@lain.com") post = insert(:note_activity, user: user) @@ -81,5 +82,12 @@ test "DELETE /instances/:instance", %{conn: conn} do assert response == "lain.com" refute Repo.reload(user).is_active refute Repo.reload(post) + + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> delete("/api/pleroma/admin/instances/lain.com") + |> json_response(:forbidden) end end