From 9bc1e79c5675efb70e45b63f6530194888b182de Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Mon, 12 Jul 2021 21:57:52 -0500 Subject: [PATCH 1/2] Moderators: add UserIsStaffPlug --- lib/pleroma/web/plugs/user_is_staff_plug.ex | 23 +++++++++ .../web/plugs/user_is_staff_plug_test.exs | 47 +++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 lib/pleroma/web/plugs/user_is_staff_plug.ex create mode 100644 test/pleroma/web/plugs/user_is_staff_plug_test.exs diff --git a/lib/pleroma/web/plugs/user_is_staff_plug.ex b/lib/pleroma/web/plugs/user_is_staff_plug.ex new file mode 100644 index 000000000..49c2d9cca --- /dev/null +++ b/lib/pleroma/web/plugs/user_is_staff_plug.ex @@ -0,0 +1,23 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2021 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.Plugs.UserIsStaffPlug do + import Pleroma.Web.TranslationHelpers + import Plug.Conn + + alias Pleroma.User + + def init(options) do + options + end + + def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _), do: conn + def call(%{assigns: %{user: %User{is_moderator: true}}} = conn, _), do: conn + + def call(conn, _) do + conn + |> render_error(:forbidden, "User is not a staff member.") + |> halt() + end +end diff --git a/test/pleroma/web/plugs/user_is_staff_plug_test.exs b/test/pleroma/web/plugs/user_is_staff_plug_test.exs new file mode 100644 index 000000000..a0c4061db --- /dev/null +++ b/test/pleroma/web/plugs/user_is_staff_plug_test.exs @@ -0,0 +1,47 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2021 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.Plugs.UserIsStaffPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Web.Plugs.UserIsStaffPlug + import Pleroma.Factory + + test "accepts a user that is an admin" do + user = insert(:user, is_admin: true) + + conn = assign(build_conn(), :user, user) + + ret_conn = UserIsStaffPlug.call(conn, %{}) + + assert conn == ret_conn + end + + test "accepts a user that is a moderator" do + user = insert(:user, is_moderator: true) + + conn = assign(build_conn(), :user, user) + + ret_conn = UserIsStaffPlug.call(conn, %{}) + + assert conn == ret_conn + end + + test "denies a user that isn't a staff member" do + user = insert(:user) + + conn = + build_conn() + |> assign(:user, user) + |> UserIsStaffPlug.call(%{}) + + assert conn.status == 403 + end + + test "denies when a user isn't set" do + conn = UserIsStaffPlug.call(build_conn(), %{}) + + assert conn.status == 403 + end +end From 1f093cb216ed0d6b0d23b05e1ffbbf55dc72bbee Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Mon, 12 Jul 2021 22:00:44 -0500 Subject: [PATCH 2/2] Moderators: reorganize :admin_api pipeline in Router --- lib/pleroma/web/router.ex | 12 ++++++++---- .../admin_api/controllers/report_controller_test.exs | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 72ad14f05..919f4f510 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -96,10 +96,14 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.AdminSecretAuthenticationPlug) plug(:after_auth) plug(Pleroma.Web.Plugs.EnsureAuthenticatedPlug) - plug(Pleroma.Web.Plugs.UserIsAdminPlug) + plug(Pleroma.Web.Plugs.UserIsStaffPlug) plug(Pleroma.Web.Plugs.IdempotencyPlug) end + pipeline :require_admin do + plug(Pleroma.Web.Plugs.UserIsAdminPlug) + end + pipeline :mastodon_html do plug(:browser) plug(:authenticate) @@ -156,7 +160,7 @@ defmodule Pleroma.Web.Router do end scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through([:admin_api, :require_admin]) put("/users/disable_mfa", AdminAPIController, :disable_mfa) put("/users/tag", AdminAPIController, :tag_users) @@ -261,7 +265,7 @@ defmodule Pleroma.Web.Router do scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do scope "/pack" do - pipe_through(:admin_api) + pipe_through([:admin_api, :require_admin]) post("/", EmojiPackController, :create) patch("/", EmojiPackController, :update) @@ -276,7 +280,7 @@ defmodule Pleroma.Web.Router do # Modifying packs scope "/packs" do - pipe_through(:admin_api) + pipe_through([:admin_api, :require_admin]) get("/import", EmojiPackController, :import_from_filesystem) get("/remote", EmojiPackController, :remote) diff --git a/test/pleroma/web/admin_api/controllers/report_controller_test.exs b/test/pleroma/web/admin_api/controllers/report_controller_test.exs index 6a2986b5f..8102845d5 100644 --- a/test/pleroma/web/admin_api/controllers/report_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/report_controller_test.exs @@ -305,7 +305,7 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do |> get("/api/pleroma/admin/reports") assert json_response(conn, :forbidden) == - %{"error" => "User is not an admin."} + %{"error" => "User is not a staff member."} end test "returns 403 when requested by anonymous" do