Add privileges for :user_credentials

For now, I only moved the routes from the :require_privileged_staff block.
Ilja 2022-05-26 13:27:06 +02:00
parent 9f6c364759
commit 8a9144ca8b
4 changed files with 53 additions and 14 deletions


@ -257,7 +257,7 @@ config :pleroma, :instance,
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
privileged_staff: false, privileged_staff: false,
admin_privileges: [:user_deletion], admin_privileges: [:user_deletion, :user_credentials],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,
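Review bot: Adding `:user_credentials` only to the `admin_privileges` default while `moderator_privileges` stays `[]` means moderators on instances that set `privileged_staff: true` lose the password-reset and credentials-update routes, because the router in this commit moves those routes off `:require_privileged_staff` (presumably the check that reads that flag). That fails closed, which is the safe direction, but it is a silent behaviour change for operators. I would add a comment above the two lists, for example `# :user_credentials gates password reset tokens and credential updates; privileged_staff no longer grants them`, and mention it in the upgrade notes. The `config :pleroma, :instance` block starts and ends outside this hunk.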


@ -969,14 +969,14 @@ config :pleroma, :config_description, [
%{ %{
key: :admin_privileges, key: :admin_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion], suggestions: [:user_deletion, :user_credentials],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{ %{
key: :moderator_privileges, key: :moderator_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion], suggestions: [:user_deletion, :user_credentials],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
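Review bot: The `description` strings for `:admin_privileges` and `:moderator_privileges` list loose examples instead of saying what each suggested atom grants, so an operator reading them cannot tell which actions `:user_credentials` unlocks. The examples also mention reading private statuses and chats, which in this commit's router stay under `:require_privileged_staff` and are not controlled by either list. I would reword both to name the atoms, e.g. `:user_deletion allows deleting users; :user_credentials allows fetching a password reset token and updating user credentials`, and correct the spelling of "privileges" in the same edit. The description lines appear to be unchanged context in this hunk.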


@ -114,6 +114,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
end end
pipeline :require_privileged_role_user_credentials do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials)
end
pipeline :pleroma_html do pipeline :pleroma_html do
plug(:browser) plug(:browser)
plug(:authenticate) plug(:authenticate)
@ -206,7 +211,6 @@ defmodule Pleroma.Web.Router do
patch("/users/force_password_reset", AdminAPIController, :force_password_reset) patch("/users/force_password_reset", AdminAPIController, :force_password_reset)
get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials)
patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
get("/instance_document/:name", InstanceDocumentController, :show) get("/instance_document/:name", InstanceDocumentController, :show)
patch("/instance_document/:name", InstanceDocumentController, :update) patch("/instance_document/:name", InstanceDocumentController, :update)
@ -243,12 +247,17 @@ defmodule Pleroma.Web.Router do
delete("/users", UserController, :delete) delete("/users", UserController, :delete)
end end
# AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_staff]) pipe_through([:admin_api, :require_privileged_role_user_credentials])
get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
end
# AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_staff])
get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses) get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
get("/users/:nickname/chats", AdminAPIController, :list_user_chats) get("/users/:nickname/chats", AdminAPIController, :list_user_chats)
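Review bot: `show_user_credentials` and `force_password_reset` stay in the scope touched by the second hunk, which is not piped through `:require_privileged_role_user_credentials`, so taking `:user_credentials` away from a role would not revoke reading a user's credentials or forcing a reset. The commit message says only the `:require_privileged_staff` routes were moved for now; a marker in the router keeps the rest from being forgotten, e.g. `# TODO: gate show_user_credentials and force_password_reset with :user_credentials too`. Separately, the new pipeline already runs `plug(:admin_api)` and the scope uses `pipe_through([:admin_api, :require_privileged_role_user_credentials])`, so `:admin_api` appears to run twice per request; `pipe_through(:require_privileged_role_user_credentials)` would be enough if the pipeline keeps its own plug. The scope holding those two routes opens outside the visible hunks, so which check guards them is not shown here.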


@ -271,7 +271,10 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end end
end end
test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do describe "/api/pleroma/admin/users/:nickname/password_reset" do
test "it returns a password reset link", %{conn: conn} do
clear_config([:instance, :admin_privileges], [:user_credentials])
user = insert(:user) user = insert(:user)
conn = conn =
@ -284,6 +287,18 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"]) assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
end end
test "it requires privileged role :user_credentials", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
response =
conn
|> put_req_header("accept", "application/json")
|> get("/api/pleroma/admin/users/nickname/password_reset")
assert json_response(response, :forbidden)
end
end
describe "PUT disable_mfa" do describe "PUT disable_mfa" do
test "returns 200 and disable 2fa", %{conn: conn} do test "returns 200 and disable 2fa", %{conn: conn} do
user = user =
@ -714,6 +729,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end end
test "changes password and email", %{conn: conn, admin: admin, user: user} do test "changes password and email", %{conn: conn, admin: admin, user: user} do
clear_config([:instance, :admin_privileges], [:user_credentials])
assert user.password_reset_pending == false assert user.password_reset_pending == false
conn = conn =
@ -756,6 +773,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
assert json_response(conn, :forbidden) assert json_response(conn, :forbidden)
end end
test "returns 403 if not privileged with :user_credentials", %{conn: conn, user: user} do
clear_config([:instance, :admin_privileges], [])
conn =
patch(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials", %{
"password" => "new_password",
"email" => "new_email@example.com",
"name" => "new_name"
})
assert json_response(conn, :forbidden)
end
test "changes actor type from permitted list", %{conn: conn, user: user} do test "changes actor type from permitted list", %{conn: conn, user: user} do
assert user.actor_type == "Person" assert user.actor_type == "Person"
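Review bot: Both new 403 tests and both positive tests only vary `[:instance, :admin_privileges]`, so nothing pins the moderator side of the new gate. Since the router comment says admins and mods can use these routes when privileged by role, I would add a case with a moderator connection and `clear_config([:instance, :moderator_privileges], [])` that expects `:forbidden`, and one with `[:user_credentials]` that succeeds. A case with `privileged_staff` set to `true` and no privilege granted would also show that the old flag no longer opens these routes. The `conn` used here is built in a setup block outside the hunks, presumably as an admin.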