Add privileges for :user_invite

This commit is contained in:
Ilja 2022-05-28 08:51:49 +02:00
parent e102d25d23
commit 14e697a64f
5 changed files with 101 additions and 9 deletions

View file

@ -261,7 +261,8 @@ config :pleroma, :instance,
:user_credentials, :user_credentials,
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation :user_activation,
:user_invite
], ],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,

View file

@ -968,7 +968,8 @@ config :pleroma, :config_description, [
:user_credentials, :user_credentials,
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation :user_activation,
:user_invite
], ],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@ -981,7 +982,8 @@ config :pleroma, :config_description, [
:user_credentials, :user_credentials,
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation :user_activation,
:user_invite
], ],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"

View file

@ -130,6 +130,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation)
end end
pipeline :require_privileged_role_user_invite do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite)
end
pipeline :pleroma_html do pipeline :pleroma_html do
plug(:browser) plug(:browser)
plug(:authenticate) plug(:authenticate)
@ -296,15 +301,20 @@ defmodule Pleroma.Web.Router do
patch("/users/deactivate", UserController, :deactivate) patch("/users/deactivate", UserController, :deactivate)
end end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:require_privileged_role_user_invite)
patch("/users/approve", UserController, :approve) patch("/users/approve", UserController, :approve)
post("/users/invite_token", InviteController, :create) post("/users/invite_token", InviteController, :create)
get("/users/invites", InviteController, :index) get("/users/invites", InviteController, :index)
post("/users/revoke_invite", InviteController, :revoke) post("/users/revoke_invite", InviteController, :revoke)
post("/users/email_invite", InviteController, :email) post("/users/email_invite", InviteController, :email)
end
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
get("/users", UserController, :index) get("/users", UserController, :index)
get("/users/:nickname", UserController, :show) get("/users/:nickname", UserController, :show)

View file

@ -23,8 +23,25 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
end end
describe "POST /api/pleroma/admin/users/email_invite, with valid config" do describe "POST /api/pleroma/admin/users/email_invite, with valid config" do
setup do: clear_config([:instance, :registrations_open], false) setup do
setup do: clear_config([:instance, :invites_enabled], true) clear_config([:instance, :registrations_open], false)
clear_config([:instance, :invites_enabled], true)
clear_config([:instance, :admin_privileges], [:user_invite])
end
test "returns 403 if not privileged with :user_invite", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json;charset=utf-8")
|> post("/api/pleroma/admin/users/email_invite", %{
email: "foo@bar.com",
name: "J. D."
})
assert json_response(conn, :forbidden)
end
test "sends invitation and returns 204", %{admin: admin, conn: conn} do test "sends invitation and returns 204", %{admin: admin, conn: conn} do
recipient_email = "foo@bar.com" recipient_email = "foo@bar.com"
@ -114,8 +131,11 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
end end
describe "POST /api/pleroma/admin/users/email_invite, with invalid config" do describe "POST /api/pleroma/admin/users/email_invite, with invalid config" do
setup do: clear_config([:instance, :registrations_open]) setup do
setup do: clear_config([:instance, :invites_enabled]) clear_config([:instance, :registrations_open])
clear_config([:instance, :invites_enabled])
clear_config([:instance, :admin_privileges], [:user_invite])
end
test "it returns 500 if `invites_enabled` is not enabled", %{conn: conn} do test "it returns 500 if `invites_enabled` is not enabled", %{conn: conn} do
clear_config([:instance, :registrations_open], false) clear_config([:instance, :registrations_open], false)
@ -157,6 +177,21 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
end end
describe "POST /api/pleroma/admin/users/invite_token" do describe "POST /api/pleroma/admin/users/invite_token" do
setup do
clear_config([:instance, :admin_privileges], [:user_invite])
end
test "returns 403 if not privileged with :user_invite", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/users/invite_token")
assert json_response(conn, :forbidden)
end
test "without options", %{conn: conn} do test "without options", %{conn: conn} do
conn = conn =
conn conn
@ -221,6 +256,18 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
end end
describe "GET /api/pleroma/admin/users/invites" do describe "GET /api/pleroma/admin/users/invites" do
setup do
clear_config([:instance, :admin_privileges], [:user_invite])
end
test "returns 403 if not privileged with :user_invite", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn = get(conn, "/api/pleroma/admin/users/invites")
assert json_response(conn, :forbidden)
end
test "no invites", %{conn: conn} do test "no invites", %{conn: conn} do
conn = get(conn, "/api/pleroma/admin/users/invites") conn = get(conn, "/api/pleroma/admin/users/invites")
@ -249,6 +296,21 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
end end
describe "POST /api/pleroma/admin/users/revoke_invite" do describe "POST /api/pleroma/admin/users/revoke_invite" do
setup do
clear_config([:instance, :admin_privileges], [:user_invite])
end
test "returns 403 if not privileged with :user_invite", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/users/revoke_invite", %{"token" => "foo"})
assert json_response(conn, :forbidden)
end
test "with token", %{conn: conn} do test "with token", %{conn: conn} do
{:ok, invite} = UserInviteToken.create_invite() {:ok, invite} = UserInviteToken.create_invite()

View file

@ -825,6 +825,8 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
end end
test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do
clear_config([:instance, :admin_privileges], [:user_invite])
user_one = insert(:user, is_approved: false) user_one = insert(:user, is_approved: false)
user_two = insert(:user, is_approved: false) user_two = insert(:user, is_approved: false)
@ -845,6 +847,21 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
"@#{admin.nickname} approved users: @#{user_one.nickname}, @#{user_two.nickname}" "@#{admin.nickname} approved users: @#{user_one.nickname}, @#{user_two.nickname}"
end end
test "PATCH /api/pleroma/admin/users/approve returns 403 if not privileged with :user_invite",
%{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/approve",
%{nicknames: ["user_one.nickname", "user_two.nickname"]}
)
assert json_response(conn, :forbidden)
end
test "PATCH /api/pleroma/admin/users/suggest", %{admin: admin, conn: conn} do test "PATCH /api/pleroma/admin/users/suggest", %{admin: admin, conn: conn} do
user1 = insert(:user, is_suggested: false) user1 = insert(:user, is_suggested: false)
user2 = insert(:user, is_suggested: false) user2 = insert(:user, is_suggested: false)