Add privileges for :user_tag

This commit is contained in:
Ilja 2022-05-26 16:25:28 +02:00
parent 5a65e2dac5
commit cb60cc4e02
4 changed files with 84 additions and 23 deletions

View file

@ -256,7 +256,7 @@ config :pleroma, :instance,
show_reactions: true, show_reactions: true,
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
admin_privileges: [:user_deletion, :user_credentials, :statuses_read], admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,

View file

@ -963,14 +963,14 @@ config :pleroma, :config_description, [
%{ %{
key: :admin_privileges, key: :admin_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials, :statuses_read], suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{ %{
key: :moderator_privileges, key: :moderator_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials, :statuses_read], suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },

View file

@ -120,6 +120,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read)
end end
pipeline :require_privileged_role_user_tag do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag)
end
pipeline :pleroma_html do pipeline :pleroma_html do
plug(:browser) plug(:browser)
plug(:authenticate) plug(:authenticate)
@ -269,12 +274,17 @@ defmodule Pleroma.Web.Router do
get("/chats/:id/messages", ChatController, :messages) get("/chats/:id/messages", ChatController, :messages)
end end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:require_privileged_role_user_tag)
put("/users/tag", AdminAPIController, :tag_users) put("/users/tag", AdminAPIController, :tag_users)
delete("/users/tag", AdminAPIController, :untag_users) delete("/users/tag", AdminAPIController, :untag_users)
end
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
patch("/users/activate", UserController, :activate) patch("/users/activate", UserController, :activate)

View file

@ -92,18 +92,12 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
describe "PUT /api/pleroma/admin/users/tag" do describe "PUT /api/pleroma/admin/users/tag" do
setup %{conn: conn} do setup %{conn: conn} do
clear_config([:instance, :admin_privileges], [:user_tag])
user1 = insert(:user, %{tags: ["x"]}) user1 = insert(:user, %{tags: ["x"]})
user2 = insert(:user, %{tags: ["y"]}) user2 = insert(:user, %{tags: ["y"]})
user3 = insert(:user, %{tags: ["unchanged"]}) user3 = insert(:user, %{tags: ["unchanged"]})
conn =
conn
|> put_req_header("accept", "application/json")
|> put(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=foo&tags[]=bar"
)
%{conn: conn, user1: user1, user2: user2, user3: user3} %{conn: conn, user1: user1, user2: user2, user3: user3}
end end
@ -113,6 +107,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
user1: user1, user1: user1,
user2: user2 user2: user2
} do } do
conn =
conn
|> put_req_header("accept", "application/json")
|> put(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=foo&tags[]=bar"
)
assert empty_json_response(conn) assert empty_json_response(conn)
assert User.get_cached_by_id(user1.id).tags == ["x", "foo", "bar"] assert User.get_cached_by_id(user1.id).tags == ["x", "foo", "bar"]
assert User.get_cached_by_id(user2.id).tags == ["y", "foo", "bar"] assert User.get_cached_by_id(user2.id).tags == ["y", "foo", "bar"]
@ -130,26 +132,43 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
"@#{admin.nickname} added tags: #{tags} to users: #{users}" "@#{admin.nickname} added tags: #{tags} to users: #{users}"
end end
test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do test "it does not modify tags of not specified users", %{
conn: conn,
user1: user1,
user2: user2,
user3: user3
} do
conn =
conn
|> put_req_header("accept", "application/json")
|> put(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=foo&tags[]=bar"
)
assert empty_json_response(conn) assert empty_json_response(conn)
assert User.get_cached_by_id(user3.id).tags == ["unchanged"] assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
end end
test "it requires privileged role :user_tag", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
response =
conn
|> put_req_header("accept", "application/json")
|> put("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
assert json_response(response, :forbidden)
end
end end
describe "DELETE /api/pleroma/admin/users/tag" do describe "DELETE /api/pleroma/admin/users/tag" do
setup %{conn: conn} do setup %{conn: conn} do
clear_config([:instance, :admin_privileges], [:user_tag])
user1 = insert(:user, %{tags: ["x"]}) user1 = insert(:user, %{tags: ["x"]})
user2 = insert(:user, %{tags: ["y", "z"]}) user2 = insert(:user, %{tags: ["y", "z"]})
user3 = insert(:user, %{tags: ["unchanged"]}) user3 = insert(:user, %{tags: ["unchanged"]})
conn =
conn
|> put_req_header("accept", "application/json")
|> delete(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=x&tags[]=z"
)
%{conn: conn, user1: user1, user2: user2, user3: user3} %{conn: conn, user1: user1, user2: user2, user3: user3}
end end
@ -159,6 +178,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
user1: user1, user1: user1,
user2: user2 user2: user2
} do } do
conn =
conn
|> put_req_header("accept", "application/json")
|> delete(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=x&tags[]=z"
)
assert empty_json_response(conn) assert empty_json_response(conn)
assert User.get_cached_by_id(user1.id).tags == [] assert User.get_cached_by_id(user1.id).tags == []
assert User.get_cached_by_id(user2.id).tags == ["y"] assert User.get_cached_by_id(user2.id).tags == ["y"]
@ -176,10 +203,34 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
"@#{admin.nickname} removed tags: #{tags} from users: #{users}" "@#{admin.nickname} removed tags: #{tags} from users: #{users}"
end end
test "it does not modify tags of not specified users", %{conn: conn, user3: user3} do test "it does not modify tags of not specified users", %{
conn: conn,
user1: user1,
user2: user2,
user3: user3
} do
conn =
conn
|> put_req_header("accept", "application/json")
|> delete(
"/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
"#{user2.nickname}&tags[]=x&tags[]=z"
)
assert empty_json_response(conn) assert empty_json_response(conn)
assert User.get_cached_by_id(user3.id).tags == ["unchanged"] assert User.get_cached_by_id(user3.id).tags == ["unchanged"]
end end
test "it requires privileged role :user_tag", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
response =
conn
|> put_req_header("accept", "application/json")
|> delete("/api/pleroma/admin/users/tag?nicknames[]=nickname&tags[]=foo&tags[]=bar")
assert json_response(response, :forbidden)
end
end end
describe "/api/pleroma/admin/users/:nickname/permission_group" do describe "/api/pleroma/admin/users/:nickname/permission_group" do