From e102d25d2385761077c08e0b280359392f0592cb Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 16:41:48 +0200 Subject: [PATCH] Add privileges for :user_activation --- config/config.exs | 8 +- config/description.exs | 16 +- lib/pleroma/web/router.ex | 16 +- .../controllers/user_controller_test.exs | 159 ++++++++++++------ 4 files changed, 137 insertions(+), 62 deletions(-) diff --git a/config/config.exs b/config/config.exs index f2001eef0..53c0cc329 100644 --- a/config/config.exs +++ b/config/config.exs @@ -256,7 +256,13 @@ show_reactions: true, password_reset_token_validity: 60 * 60 * 24, profile_directory: true, - admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag], + admin_privileges: [ + :user_deletion, + :user_credentials, + :statuses_read, + :user_tag, + :user_activation + ], moderator_privileges: [], max_endorsed_users: 20, birthday_required: false, diff --git a/config/description.exs b/config/description.exs index f455a2e46..51d3ad8aa 100644 --- a/config/description.exs +++ b/config/description.exs @@ -963,14 +963,26 @@ %{ key: :admin_privileges, type: {:list, :atom}, - suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], + suggestions: [ + :user_deletion, + :user_credentials, + :statuses_read, + :user_tag, + :user_activation + ], description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, %{ key: :moderator_privileges, type: {:list, :atom}, - suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], + suggestions: [ + :user_deletion, + :user_credentials, + :statuses_read, + :user_tag, + :user_activation + ], description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index b5b9e7d07..bfe5c7b90 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -125,6 +125,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) end + pipeline :require_privileged_role_user_activation do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -282,15 +287,20 @@ defmodule Pleroma.Web.Router do delete("/users/tag", AdminAPIController, :untag_users) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_activation) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/activate", UserController, :activate) patch("/users/deactivate", UserController, :deactivate) - patch("/users/approve", UserController, :approve) + end + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) + + patch("/users/approve", UserController, :approve) post("/users/invite_token", InviteController, :create) get("/users/invites", InviteController, :index) post("/users/revoke_invite", InviteController, :revoke) diff --git a/test/pleroma/web/admin_api/controllers/user_controller_test.exs b/test/pleroma/web/admin_api/controllers/user_controller_test.exs index 54a9619e8..ea28863f3 100644 --- a/test/pleroma/web/admin_api/controllers/user_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/user_controller_test.exs @@ -824,48 +824,6 @@ test "it omits relay user", %{admin: admin, conn: conn} do end end - test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do - user_one = insert(:user, is_active: false) - user_two = insert(:user, is_active: false) - - conn = - conn - |> put_req_header("content-type", "application/json") - |> patch( - "/api/pleroma/admin/users/activate", - %{nicknames: [user_one.nickname, user_two.nickname]} - ) - - response = json_response_and_validate_schema(conn, 200) - assert Enum.map(response["users"], & &1["is_active"]) == [true, true] - - log_entry = Repo.one(ModerationLog) - - assert ModerationLog.get_log_entry_message(log_entry) == - "@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}" - end - - test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do - user_one = insert(:user, is_active: true) - user_two = insert(:user, is_active: true) - - conn = - conn - |> put_req_header("content-type", "application/json") - |> patch( - "/api/pleroma/admin/users/deactivate", - %{nicknames: [user_one.nickname, user_two.nickname]} - ) - - response = json_response_and_validate_schema(conn, 200) - assert Enum.map(response["users"], & &1["is_active"]) == [false, false] - - log_entry = Repo.one(ModerationLog) - - assert ModerationLog.get_log_entry_message(log_entry) == - "@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}" - end - test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do user_one = insert(:user, is_approved: false) user_two = insert(:user, is_approved: false) @@ -937,24 +895,113 @@ test "PATCH /api/pleroma/admin/users/unsuggest", %{admin: admin, conn: conn} do "@#{admin.nickname} removed suggested users: @#{user1.nickname}, @#{user2.nickname}" end - test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do - user = insert(:user) + describe "user activation" do + test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do + clear_config([:instance, :admin_privileges], [:user_activation]) - conn = - conn - |> put_req_header("content-type", "application/json") - |> patch("/api/pleroma/admin/users/#{user.nickname}/toggle_activation") + user_one = insert(:user, is_active: false) + user_two = insert(:user, is_active: false) - assert json_response_and_validate_schema(conn, 200) == - user_response( - user, - %{"is_active" => !user.is_active} - ) + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch( + "/api/pleroma/admin/users/activate", + %{nicknames: [user_one.nickname, user_two.nickname]} + ) - log_entry = Repo.one(ModerationLog) + response = json_response_and_validate_schema(conn, 200) + assert Enum.map(response["users"], & &1["is_active"]) == [true, true] - assert ModerationLog.get_log_entry_message(log_entry) == - "@#{admin.nickname} deactivated users: @#{user.nickname}" + log_entry = Repo.one(ModerationLog) + + assert ModerationLog.get_log_entry_message(log_entry) == + "@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}" + end + + test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do + clear_config([:instance, :admin_privileges], [:user_activation]) + + user_one = insert(:user, is_active: true) + user_two = insert(:user, is_active: true) + + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch( + "/api/pleroma/admin/users/deactivate", + %{nicknames: [user_one.nickname, user_two.nickname]} + ) + + response = json_response_and_validate_schema(conn, 200) + assert Enum.map(response["users"], & &1["is_active"]) == [false, false] + + log_entry = Repo.one(ModerationLog) + + assert ModerationLog.get_log_entry_message(log_entry) == + "@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}" + end + + test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do + clear_config([:instance, :admin_privileges], [:user_activation]) + + user = insert(:user) + + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch("/api/pleroma/admin/users/#{user.nickname}/toggle_activation") + + assert json_response_and_validate_schema(conn, 200) == + user_response( + user, + %{"is_active" => !user.is_active} + ) + + log_entry = Repo.one(ModerationLog) + + assert ModerationLog.get_log_entry_message(log_entry) == + "@#{admin.nickname} deactivated users: @#{user.nickname}" + end + + test "it requires privileged role :statuses_activation to activate", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch( + "/api/pleroma/admin/users/activate", + %{nicknames: ["user_one.nickname", "user_two.nickname"]} + ) + + assert json_response(conn, :forbidden) + end + + test "it requires privileged role :statuses_activation to deactivate", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch( + "/api/pleroma/admin/users/deactivate", + %{nicknames: ["user_one.nickname", "user_two.nickname"]} + ) + + assert json_response(conn, :forbidden) + end + + test "it requires privileged role :statuses_activation to toggle activation", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + conn = + conn + |> put_req_header("content-type", "application/json") + |> patch("/api/pleroma/admin/users/user.nickname/toggle_activation") + + assert json_response(conn, :forbidden) + end end defp user_response(user, attrs \\ %{}) do