Remove privileged_staff

Everything that was done through this setting, can now be set by giving the proper privileges to the roles.
This commit is contained in:
Ilja 2022-05-26 14:51:53 +02:00
parent b1ff5241c2
commit 5a65e2dac5
8 changed files with 4 additions and 120 deletions

View file

@ -17,8 +17,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- `activeMonth` and `activeHalfyear` fields in NodeInfo usage.users object - `activeMonth` and `activeHalfyear` fields in NodeInfo usage.users object
- Experimental support for Finch. Put `config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}` in your secrets file to use it. Reverse Proxy will still use Hackney. - Experimental support for Finch. Put `config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}` in your secrets file to use it. Reverse Proxy will still use Hackney.
- `ForceMentionsInPostContent` MRF policy - `ForceMentionsInPostContent` MRF policy
- AdminAPI: allow moderators to manage reports, users, invites, and custom emojis
- AdminAPI: restrict moderators to access sensitive data: change user credentials, get password reset token, read private statuses and chats, etc
- PleromaAPI: Add remote follow API endpoint at `POST /api/v1/pleroma/remote_interaction` - PleromaAPI: Add remote follow API endpoint at `POST /api/v1/pleroma/remote_interaction`
- MastoAPI: Add `GET /api/v1/accounts/lookup` - MastoAPI: Add `GET /api/v1/accounts/lookup`
- MastoAPI: Profile Directory support - MastoAPI: Profile Directory support

View file

@ -256,8 +256,7 @@ config :pleroma, :instance,
show_reactions: true, show_reactions: true,
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
privileged_staff: false, admin_privileges: [:user_deletion, :user_credentials, :statuses_read],
admin_privileges: [:user_deletion, :user_credentials],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,

View file

@ -960,23 +960,17 @@ config :pleroma, :config_description, [
type: :boolean, type: :boolean,
description: "Enable profile directory." description: "Enable profile directory."
}, },
%{
key: :privileged_staff,
type: :boolean,
description:
"Let moderators access sensitive data (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{ %{
key: :admin_privileges, key: :admin_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials], suggestions: [:user_deletion, :user_credentials, :statuses_read],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{ %{
key: :moderator_privileges, key: :moderator_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials], suggestions: [:user_deletion, :user_credentials, :statuses_read],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },

View file

@ -47,7 +47,6 @@ defmodule Pleroma.Web.MastodonAPI.InstanceView do
federation: federation(), federation: federation(),
fields_limits: fields_limits(), fields_limits: fields_limits(),
post_formats: Config.get([:instance, :allowed_post_formats]), post_formats: Config.get([:instance, :allowed_post_formats]),
privileged_staff: Config.get([:instance, :privileged_staff]),
birthday_required: Config.get([:instance, :birthday_required]), birthday_required: Config.get([:instance, :birthday_required]),
birthday_min_age: Config.get([:instance, :birthday_min_age]) birthday_min_age: Config.get([:instance, :birthday_min_age])
}, },

View file

@ -69,8 +69,7 @@ defmodule Pleroma.Web.Nodeinfo.Nodeinfo do
mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false), mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false),
features: features, features: features,
restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]), restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]),
skipThreadContainment: Config.get([:instance, :skip_thread_containment], false), skipThreadContainment: Config.get([:instance, :skip_thread_containment], false)
privilegedStaff: Config.get([:instance, :privileged_staff])
} }
} }
end end

View file

@ -1,36 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug do
@moduledoc """
Ensures staff are privileged enough to do certain tasks.
"""
import Pleroma.Web.TranslationHelpers
import Plug.Conn
alias Pleroma.Config
alias Pleroma.User
def init(options) do
options
end
def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _), do: conn
def call(%{assigns: %{user: %User{is_moderator: true}}} = conn, _) do
if Config.get!([:instance, :privileged_staff]) do
conn
else
conn
|> render_error(:forbidden, "User is not an admin.")
|> halt()
end
end
def call(conn, _) do
conn
|> render_error(:forbidden, "User is not a staff member.")
|> halt()
end
end

View file

@ -101,10 +101,6 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.IdempotencyPlug) plug(Pleroma.Web.Plugs.IdempotencyPlug)
end end
pipeline :require_privileged_staff do
plug(Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug)
end
pipeline :require_admin do pipeline :require_admin do
plug(Pleroma.Web.Plugs.UserIsAdminPlug) plug(Pleroma.Web.Plugs.UserIsAdminPlug)
end end
@ -273,11 +269,6 @@ defmodule Pleroma.Web.Router do
get("/chats/:id/messages", ChatController, :messages) get("/chats/:id/messages", ChatController, :messages)
end end
# AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_staff])
end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:admin_api)

View file

@ -1,60 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlugTest do
use Pleroma.Web.ConnCase, async: true
alias Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug
import Pleroma.Factory
test "accepts a user that is an admin" do
user = insert(:user, is_admin: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsureStaffPrivilegedPlug.call(conn, %{})
assert conn == ret_conn
end
test "accepts a user that is a moderator when :privileged_staff is enabled" do
clear_config([:instance, :privileged_staff], true)
user = insert(:user, is_moderator: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsureStaffPrivilegedPlug.call(conn, %{})
assert conn == ret_conn
end
test "denies a user that is a moderator when :privileged_staff is disabled" do
clear_config([:instance, :privileged_staff], false)
user = insert(:user, is_moderator: true)
conn =
build_conn()
|> assign(:user, user)
|> EnsureStaffPrivilegedPlug.call(%{})
assert conn.status == 403
end
test "denies a user that isn't a staff member" do
user = insert(:user)
conn =
build_conn()
|> assign(:user, user)
|> EnsureStaffPrivilegedPlug.call(%{})
assert conn.status == 403
end
test "denies when a user isn't set" do
conn = EnsureStaffPrivilegedPlug.call(build_conn(), %{})
assert conn.status == 403
end
end