diff --git a/config/config.exs b/config/config.exs index 496a1d57a..2a5770bf4 100644 --- a/config/config.exs +++ b/config/config.exs @@ -257,7 +257,7 @@ config :pleroma, :instance, password_reset_token_validity: 60 * 60 * 24, profile_directory: true, privileged_staff: false, - admin_privileges: [:user_deletion], + admin_privileges: [:user_deletion, :user_credentials], moderator_privileges: [], max_endorsed_users: 20, birthday_required: false, diff --git a/config/description.exs b/config/description.exs index b45d416b1..4986ccce6 100644 --- a/config/description.exs +++ b/config/description.exs @@ -969,14 +969,14 @@ config :pleroma, :config_description, [ %{ key: :admin_privileges, type: {:list, :atom}, - suggestions: [:user_deletion], + suggestions: [:user_deletion, :user_credentials], description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, %{ key: :moderator_privileges, type: {:list, :atom}, - suggestions: [:user_deletion], + suggestions: [:user_deletion, :user_credentials], description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" }, diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 5012fbf9a..24928ffb5 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -114,6 +114,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) end + pipeline :require_privileged_role_user_credentials do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -206,7 +211,6 @@ defmodule Pleroma.Web.Router do patch("/users/force_password_reset", AdminAPIController, :force_password_reset) get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) - patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) get("/instance_document/:name", InstanceDocumentController, :show) patch("/instance_document/:name", InstanceDocumentController, :update) @@ -243,12 +247,17 @@ defmodule Pleroma.Web.Router do delete("/users", UserController, :delete) end - # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_staff]) + pipe_through([:admin_api, :require_privileged_role_user_credentials]) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through([:admin_api, :require_privileged_staff]) get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses) get("/users/:nickname/chats", AdminAPIController, :list_user_chats) diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs index d83f7f011..b9b3aed3b 100644 --- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs @@ -271,17 +271,32 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do end end - test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do - user = insert(:user) + describe "/api/pleroma/admin/users/:nickname/password_reset" do + test "it returns a password reset link", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:user_credentials]) - conn = - conn - |> put_req_header("accept", "application/json") - |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset") + user = insert(:user) - resp = json_response(conn, 200) + conn = + conn + |> put_req_header("accept", "application/json") + |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset") - assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"]) + resp = json_response(conn, 200) + + assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"]) + end + + test "it requires privileged role :user_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> put_req_header("accept", "application/json") + |> get("/api/pleroma/admin/users/nickname/password_reset") + + assert json_response(response, :forbidden) + end end describe "PUT disable_mfa" do @@ -714,6 +729,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do end test "changes password and email", %{conn: conn, admin: admin, user: user} do + clear_config([:instance, :admin_privileges], [:user_credentials]) + assert user.password_reset_pending == false conn = @@ -756,6 +773,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do assert json_response(conn, :forbidden) end + test "returns 403 if not privileged with :user_credentials", %{conn: conn, user: user} do + clear_config([:instance, :admin_privileges], []) + + conn = + patch(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials", %{ + "password" => "new_password", + "email" => "new_email@example.com", + "name" => "new_name" + }) + + assert json_response(conn, :forbidden) + end + test "changes actor type from permitted list", %{conn: conn, user: user} do assert user.actor_type == "Person"