Add privilige :emoji_management

config/config.exs

@@ -265,7 +265,8 @@
     :user_invite,
     :report_handle,
     :user_read,
-    :status_delete
+    :status_delete,
+    :emoji_management
   ],
   moderator_privileges: [],
   max_endorsed_users: 20,

config/description.exs

@@ -972,7 +972,8 @@
           :user_invite,
           :report_handle,
           :user_read,
-          :status_delete
+          :status_delete,
+          :emoji_management
         ],
         description:
           "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@@ -989,7 +990,8 @@
           :user_invite,
           :report_handle,
           :user_read,
-          :status_delete
+          :status_delete,
+          :emoji_management
         ],
         description:
           "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"

lib/pleroma/web/router.ex

@@ -150,6 +150,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete)
   end
 
+  pipeline :require_privileged_role_emoji_management do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -360,6 +365,13 @@ defmodule Pleroma.Web.Router do
     delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
   end
 
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_emoji_management)
+
+    post("/reload_emoji", AdminAPIController, :reload_emoji)
+  end
+
   # AdminAPI: admins and mods (staff) can perform these actions
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
     pipe_through(:admin_api)
@@ -368,13 +380,12 @@ defmodule Pleroma.Web.Router do
 
     get("/moderation_log", AdminAPIController, :list_log)
 
-    post("/reload_emoji", AdminAPIController, :reload_emoji)
     get("/stats", AdminAPIController, :stats)
   end
 
   scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do
     scope "/pack" do
-      pipe_through(:admin_api)
+      pipe_through(:require_privileged_role_emoji_management)
 
       post("/", EmojiPackController, :create)
       patch("/", EmojiPackController, :update)
@@ -389,7 +400,7 @@ defmodule Pleroma.Web.Router do
 
     # Modifying packs
     scope "/packs" do
-      pipe_through(:admin_api)
+      pipe_through(:require_privileged_role_emoji_management)
 
       get("/import", EmojiPackController, :import_from_filesystem)
       get("/remote", EmojiPackController, :remote)

test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs

@@ -1060,6 +1060,34 @@ test "it doesn't limit admins", %{conn: conn} do
       assert Repo.aggregate(Pleroma.User.Backup, :count) == 2
     end
   end
+
+  describe "POST /api/v1/pleroma/admin/reload_emoji" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
+
+      admin = insert(:user, is_admin: true)
+      token = insert(:oauth_admin_token, user: admin)
+
+      conn =
+        build_conn()
+        |> assign(:user, admin)
+        |> assign(:token, token)
+
+      {:ok, %{conn: conn, admin: admin}}
+    end
+
+    test "it requires privileged role :emoji_management", %{conn: conn} do
+      assert conn
+             |> post("/api/v1/pleroma/admin/reload_emoji")
+             |> json_response(200)
+
+      clear_config([:instance, :admin_privileges], [])
+
+      assert conn
+             |> post("/api/v1/pleroma/admin/reload_emoji")
+             |> json_response(:forbidden)
+    end
+  end
 end
 
 # Needed for testing

test/pleroma/web/pleroma_api/controllers/emoji_file_controller_test.exs

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
-  use Pleroma.Web.ConnCase
+  use Pleroma.Web.ConnCase, async: false
 
   import Mock
   import Tesla.Mock
@@ -30,6 +30,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
 
   describe "POST/PATCH/DELETE /api/pleroma/emoji/packs/files?name=:name" do
     setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
       pack_file = "#{@emoji_path}/test_pack/pack.json"
       original_content = File.read!(pack_file)
 
@@ -377,5 +378,32 @@ test "update with empty shortcode", %{admin_conn: admin_conn} do
                })
                |> json_response_and_validate_schema(:bad_request)
     end
+
+    test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert admin_conn
+             |> put_req_header("content-type", "multipart/form-data")
+             |> post("/api/pleroma/emoji/packs/files?name=test_pack", %{
+               file: %Plug.Upload{
+                 filename: "shortcode.png",
+                 path: "#{Pleroma.Config.get([:instance, :static_dir])}/add/shortcode.png"
+               }
+             })
+             |> json_response(:forbidden)
+
+      assert admin_conn
+             |> put_req_header("content-type", "multipart/form-data")
+             |> patch("/api/pleroma/emoji/packs/files?name=test_pack", %{
+               shortcode: "blank",
+               new_filename: "dir_2/blank_3.png"
+             })
+             |> json_response(:forbidden)
+
+      assert admin_conn
+             |> put_req_header("content-type", "multipart/form-data")
+             |> delete("/api/pleroma/emoji/packs/files?name=test_pack&shortcode=blank3")
+             |> json_response(:forbidden)
+    end
   end
 end

test/pleroma/web/pleroma_api/controllers/emoji_pack_controller_test.exs

@@ -99,6 +99,10 @@ test "GET /api/pleroma/emoji/packs", %{conn: conn} do
   end
 
   describe "GET /api/pleroma/emoji/packs/remote" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
+    end
+
     test "shareable instance", %{admin_conn: admin_conn, conn: conn} do
       resp =
         conn
@@ -136,6 +140,14 @@ test "non shareable instance", %{admin_conn: admin_conn} do
                "error" => "The requested instance does not support sharing emoji packs"
              }
     end
+
+    test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert admin_conn
+             |> get("/api/pleroma/emoji/packs/remote?url=https://example.com")
+             |> json_response(:forbidden)
+    end
   end
 
   describe "GET /api/pleroma/emoji/packs/archive?name=:name" do
@@ -170,6 +182,10 @@ test "non downloadable pack", %{conn: conn} do
   end
 
   describe "POST /api/pleroma/emoji/packs/download" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
+    end
+
     test "shared pack from remote and non shared from fallback-src", %{
       admin_conn: admin_conn,
       conn: conn
@@ -344,10 +360,24 @@ test "other error", %{admin_conn: admin_conn} do
                  "The pack was not set as shared and there is no fallback src to download from"
              }
     end
+
+    test "it requires privileged role :emoji_management", %{admin_conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert conn
+             |> put_req_header("content-type", "multipart/form-data")
+             |> post("/api/pleroma/emoji/packs/download", %{
+               url: "https://example.com",
+               name: "test_pack",
+               as: "test_pack2"
+             })
+             |> json_response(:forbidden)
+    end
   end
 
   describe "PATCH/update /api/pleroma/emoji/pack?name=:name" do
     setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
       pack_file = "#{@emoji_path}/test_pack/pack.json"
       original_content = File.read!(pack_file)
 
@@ -435,9 +465,22 @@ test "when the fallback source doesn't have all the files", ctx do
                "error" => "The fallback archive does not have all files specified in pack.json"
              }
     end
+
+    test "it requires privileged role :emoji_management", %{admin_conn: conn, new_data: new_data} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert conn
+             |> put_req_header("content-type", "multipart/form-data")
+             |> patch("/api/pleroma/emoji/pack?name=test_pack", %{metadata: new_data})
+             |> json_response(:forbidden)
+    end
   end
 
   describe "POST/DELETE /api/pleroma/emoji/pack?name=:name" do
+    setup do
+      clear_config([:instance, :admin_privileges], [:emoji_management])
+    end
+
     test "returns an error on creates pack when file system not writable", %{
       admin_conn: admin_conn
     } do
@@ -520,6 +563,18 @@ test "with empty name", %{admin_conn: admin_conn} do
                "error" => "pack name cannot be empty"
              }
     end
+
+    test "it requires privileged role :emoji_management", %{admin_conn: admin_conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      assert admin_conn
+             |> post("/api/pleroma/emoji/pack?name= ")
+             |> json_response(:forbidden)
+
+      assert admin_conn
+             |> delete("/api/pleroma/emoji/pack?name= ")
+             |> json_response(:forbidden)
+    end
   end
 
   test "deleting nonexisting pack", %{admin_conn: admin_conn} do
@@ -578,6 +633,12 @@ test "filesystem import", %{admin_conn: admin_conn, conn: conn} do
              "blank2" => "blank.png",
              "foo" => "blank.png"
            }
+
+    clear_config([:instance, :admin_privileges], [])
+
+    assert admin_conn
+           |> get("/api/pleroma/emoji/packs/import")
+           |> json_response(:forbidden)
   end
 
   describe "GET /api/pleroma/emoji/pack?name=:name" do