From cb60cc4e02af270fcccdcd552df4fa3ff858d67f Mon Sep 17 00:00:00 2001
From: Ilja <ilja@ilja.space>
Date: Thu, 26 May 2022 16:25:28 +0200
Subject: [PATCH] Add privileges for :user_tag

---
 config/config.exs                             |  2 +-
 config/description.exs                        |  4 +-
 lib/pleroma/web/router.ex                     | 14 ++-
 .../controllers/admin_api_controller_test.exs | 87 +++++++++++++++----
 4 files changed, 84 insertions(+), 23 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index 4cdc90c7a..f2001eef0 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -256,7 +256,7 @@
   show_reactions: true,
   password_reset_token_validity: 60 * 60 * 24,
   profile_directory: true,
-  admin_privileges: [:user_deletion, :user_credentials, :statuses_read],
+  admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
   moderator_privileges: [],
   max_endorsed_users: 20,
   birthday_required: false,
diff --git a/config/description.exs b/config/description.exs
index b0b8ecd88..f455a2e46 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -963,14 +963,14 @@
       %{
         key: :admin_privileges,
         type: {:list, :atom},
-        suggestions: [:user_deletion, :user_credentials, :statuses_read],
+        suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
         description:
           "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
       %{
         key: :moderator_privileges,
         type: {:list, :atom},
-        suggestions: [:user_deletion, :user_credentials, :statuses_read],
+        suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
         description:
           "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 21b77b624..b5b9e7d07 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -120,6 +120,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read)
   end
 
+  pipeline :require_privileged_role_user_tag do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -269,12 +274,17 @@ defmodule Pleroma.Web.Router do
     get("/chats/:id/messages", ChatController, :messages)
   end
 
-  # AdminAPI: admins and mods (staff) can perform these actions
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through(:admin_api)
+    pipe_through(:require_privileged_role_user_tag)
 
     put("/users/tag", AdminAPIController, :tag_users)
     delete("/users/tag", AdminAPIController, :untag_users)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:admin_api)
 
     patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
     patch("/users/activate", UserController, :activate)
diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
index c630ee31b..178e0e88a 100644
--- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -92,18 +92,12 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro
 
   describe "PUT /api/pleroma/admin/users/tag" do
     setup %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [:user_tag])
+
       user1 = insert(:user, %{tags: ["x"]})
       user2 = insert(:user, %{tags: ["y"]})
       user3 = insert(:user, %{tags: ["unchanged"]})
 
-      conn =
-        conn
-        |> put_req_header("accept", "application/json")
-        |> put(
-          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
-            "#{user2.nickname}&tags[]=foo&tags[]=bar"
-        )
-
       %{conn: conn, user1: user1, user2: user2, user3: user3}
     end
 
@@ -113,6 +107,14 @@ test "it appends specified tags to users with specified nicknames", %{
       user1: user1,
       user2: user2
     } do
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> put(
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=foo&tags[]=bar"
+        )
+
       assert empty_json_response(conn)
       assert User.get_cached_by_id(user1.id).tags == ["x", "foo", "bar"]
       assert User.get_cached_by_id(user2.id).tags == ["y", "foo", "bar"]
@@ -130,26 +132,43 @@ test "it appends specified tags to users with specified nicknames", %{
                "@#{admin.nickname} added tags: #{tags} to users: #{users}"
     end
 
-    test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do
+    test "it does not modify tags of not specified users", %{
+      conn: conn,
+      user1: user1,
+      user2: user2,
+      user3: user3
+    } do
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> put(
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=foo&tags[]=bar"
+        )
+
       assert empty_json_response(conn)
       assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
     end
+
+    test "it requires privileged role :user_tag", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> put("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
+
+      assert json_response(response, :forbidden)
+    end
   end
 
   describe "DELETE /api/pleroma/admin/users/tag" do
     setup %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [:user_tag])
       user1 = insert(:user, %{tags: ["x"]})
       user2 = insert(:user, %{tags: ["y", "z"]})
       user3 = insert(:user, %{tags: ["unchanged"]})
 
-      conn =
-        conn
-        |> put_req_header("accept", "application/json")
-        |> delete(
-          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
-            "#{user2.nickname}&tags[]=x&tags[]=z"
-        )
-
       %{conn: conn, user1: user1, user2: user2, user3: user3}
     end
 
@@ -159,6 +178,14 @@ test "it removes specified tags from users with specified nicknames", %{
       user1: user1,
       user2: user2
     } do
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> delete(
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=x&tags[]=z"
+        )
+
       assert empty_json_response(conn)
       assert User.get_cached_by_id(user1.id).tags == []
       assert User.get_cached_by_id(user2.id).tags == ["y"]
@@ -176,10 +203,34 @@ test "it removes specified tags from users with specified nicknames", %{
                "@#{admin.nickname} removed tags: #{tags} from users: #{users}"
     end
 
-    test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do
+    test "it does not modify tags of not specified users", %{
+      conn: conn,
+      user1: user1,
+      user2: user2,
+      user3: user3
+    } do
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> delete(
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=x&tags[]=z"
+        )
+
       assert empty_json_response(conn)
       assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
     end
+
+    test "it requires privileged role :user_tag", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> delete("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
+
+      assert json_response(response, :forbidden)
+    end
   end
 
   describe "/api/pleroma/admin/users/:nickname/permission_group" do