Add privileges for :user_activation

This commit is contained in:
Ilja 2022-05-26 16:41:48 +02:00
parent cb60cc4e02
commit e102d25d23
4 changed files with 137 additions and 62 deletions

View file

@ -256,7 +256,13 @@ config :pleroma, :instance,
show_reactions: true, show_reactions: true,
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
admin_privileges: [:user_deletion, :user_credentials, :statuses_read, :user_tag], admin_privileges: [
:user_deletion,
:user_credentials,
:statuses_read,
:user_tag,
:user_activation
],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,

View file

@ -963,14 +963,26 @@ config :pleroma, :config_description, [
%{ %{
key: :admin_privileges, key: :admin_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], suggestions: [
:user_deletion,
:user_credentials,
:statuses_read,
:user_tag,
:user_activation
],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{ %{
key: :moderator_privileges, key: :moderator_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials, :statuses_read, :user_tag], suggestions: [
:user_deletion,
:user_credentials,
:statuses_read,
:user_tag,
:user_activation
],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },

View file

@ -125,6 +125,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag)
end end
pipeline :require_privileged_role_user_activation do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation)
end
pipeline :pleroma_html do pipeline :pleroma_html do
plug(:browser) plug(:browser)
plug(:authenticate) plug(:authenticate)
@ -282,15 +287,20 @@ defmodule Pleroma.Web.Router do
delete("/users/tag", AdminAPIController, :untag_users) delete("/users/tag", AdminAPIController, :untag_users)
end end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:require_privileged_role_user_activation)
patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
patch("/users/activate", UserController, :activate) patch("/users/activate", UserController, :activate)
patch("/users/deactivate", UserController, :deactivate) patch("/users/deactivate", UserController, :deactivate)
patch("/users/approve", UserController, :approve) end
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
patch("/users/approve", UserController, :approve)
post("/users/invite_token", InviteController, :create) post("/users/invite_token", InviteController, :create)
get("/users/invites", InviteController, :index) get("/users/invites", InviteController, :index)
post("/users/revoke_invite", InviteController, :revoke) post("/users/revoke_invite", InviteController, :revoke)

View file

@ -824,48 +824,6 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
end end
end end
test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do
user_one = insert(:user, is_active: false)
user_two = insert(:user, is_active: false)
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/activate",
%{nicknames: [user_one.nickname, user_two.nickname]}
)
response = json_response_and_validate_schema(conn, 200)
assert Enum.map(response["users"], & &1["is_active"]) == [true, true]
log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) ==
"@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}"
end
test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do
user_one = insert(:user, is_active: true)
user_two = insert(:user, is_active: true)
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/deactivate",
%{nicknames: [user_one.nickname, user_two.nickname]}
)
response = json_response_and_validate_schema(conn, 200)
assert Enum.map(response["users"], & &1["is_active"]) == [false, false]
log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) ==
"@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}"
end
test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do
user_one = insert(:user, is_approved: false) user_one = insert(:user, is_approved: false)
user_two = insert(:user, is_approved: false) user_two = insert(:user, is_approved: false)
@ -937,7 +895,56 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
"@#{admin.nickname} removed suggested users: @#{user1.nickname}, @#{user2.nickname}" "@#{admin.nickname} removed suggested users: @#{user1.nickname}, @#{user2.nickname}"
end end
describe "user activation" do
test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do
clear_config([:instance, :admin_privileges], [:user_activation])
user_one = insert(:user, is_active: false)
user_two = insert(:user, is_active: false)
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/activate",
%{nicknames: [user_one.nickname, user_two.nickname]}
)
response = json_response_and_validate_schema(conn, 200)
assert Enum.map(response["users"], & &1["is_active"]) == [true, true]
log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) ==
"@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}"
end
test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do
clear_config([:instance, :admin_privileges], [:user_activation])
user_one = insert(:user, is_active: true)
user_two = insert(:user, is_active: true)
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/deactivate",
%{nicknames: [user_one.nickname, user_two.nickname]}
)
response = json_response_and_validate_schema(conn, 200)
assert Enum.map(response["users"], & &1["is_active"]) == [false, false]
log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) ==
"@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}"
end
test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do
clear_config([:instance, :admin_privileges], [:user_activation])
user = insert(:user) user = insert(:user)
conn = conn =
@ -957,6 +964,46 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
"@#{admin.nickname} deactivated users: @#{user.nickname}" "@#{admin.nickname} deactivated users: @#{user.nickname}"
end end
test "it requires privileged role :statuses_activation to activate", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/activate",
%{nicknames: ["user_one.nickname", "user_two.nickname"]}
)
assert json_response(conn, :forbidden)
end
test "it requires privileged role :statuses_activation to deactivate", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/deactivate",
%{nicknames: ["user_one.nickname", "user_two.nickname"]}
)
assert json_response(conn, :forbidden)
end
test "it requires privileged role :statuses_activation to toggle activation", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> put_req_header("content-type", "application/json")
|> patch("/api/pleroma/admin/users/user.nickname/toggle_activation")
assert json_response(conn, :forbidden)
end
end
defp user_response(user, attrs \\ %{}) do defp user_response(user, attrs \\ %{}) do
%{ %{
"is_active" => user.is_active, "is_active" => user.is_active,