author | Ilja <ilja@ilja.space> | 2022-06-13 11:00:49 +0200 |
---|---|---|
committer | Ilja <ilja@ilja.space> | 2022-06-21 12:10:27 +0200 |
commit | 7cf473c50076f31bb01bad92501a8c2353874b96 (patch) | |
tree | 1eb7118ceaf749cc599f5297c2e469545249f4d3 /test | |
parent | 7adfc2e0f429f84eb7eb2712529e9a3486354d01 (diff) | |
delete statusses is now privileged by :status_delete
Instead of being a superuser, you now need a role with the privilege :status_delete to delete other users' statuses
I also cleaned up some other stuff I saw
Diffstat (limited to 'test')
3 files changed, 23 insertions, 32 deletions
diff --git a/test/pleroma/web/admin_api/controllers/instance_controller_test.exs b/test/pleroma/web/admin_api/controllers/instance_controller_test.exs index b757ce469..e75222f99 100644 --- a/test/pleroma/web/admin_api/controllers/instance_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/instance_controller_test.exs @@ -85,9 +85,8 @@ defmodule Pleroma.Web.AdminAPI.InstanceControllerTest do clear_config([:instance, :admin_privileges], []) - response = - conn - |> delete("/api/pleroma/admin/instances/lain.com") - |> json_response(:forbidden) + conn + |> delete("/api/pleroma/admin/instances/lain.com") + |> json_response(:forbidden) end end diff --git a/test/pleroma/web/common_api_test.exs b/test/pleroma/web/common_api_test.exs index b502aaa03..4d960e945 100644 --- a/test/pleroma/web/common_api_test.exs +++ b/test/pleroma/web/common_api_test.exs @@ -4,7 +4,7 @@ defmodule Pleroma.Web.CommonAPITest do use Oban.Testing, repo: Pleroma.Repo - use Pleroma.DataCase + use Pleroma.DataCase, async: false alias Pleroma.Activity alias Pleroma.Chat @@ -321,7 +321,7 @@ defmodule Pleroma.Web.CommonAPITest do refute Activity.get_by_id(post.id) end - test "it does not allow a user to delete their posts" do + test "it does not allow a user to delete posts from another user" do user = insert(:user) other_user = insert(:user) @@ -331,7 +331,8 @@ defmodule Pleroma.Web.CommonAPITest do assert Activity.get_by_id(post.id) end - test "it allows moderators to delete other user's posts" do + test "it allows privileged users to delete other user's posts" do + clear_config([:instance, :moderator_privileges], [:status_delete]) user = insert(:user) moderator = insert(:user, is_moderator: true) 
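Review bot: The change to `use Pleroma.DataCase, async: false` in the `@@ -4,7 +4,7 @@` hunk of common_api_test.exs has no comment saying why the module must run serially, and the same holds for `use Pleroma.Web.ConnCase, async: false` in status_controller_test.exs. Presumably the reason is that the new tests call `clear_config` on `[:instance, :moderator_privileges]` and `[:instance, :admin_privileges]`, which look like instance-wide settings, though neither the helper nor the case templates are visible here. A one-line comment above each `use` would stop someone from later switching these modules to async and getting authorization tests whose result depends on scheduling: `# async: false because clear_config changes instance-wide privilege settings`.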
@@ -343,19 +344,20 @@ defmodule Pleroma.Web.CommonAPITest do refute Activity.get_by_id(post.id) end - test "it allows admins to delete other user's posts" do + test "it doesn't allow unprivileged mods or admins to delete other user's posts" do + clear_config([:instance, :admin_privileges], []) + clear_config([:instance, :moderator_privileges], []) user = insert(:user) - moderator = insert(:user, is_admin: true) + moderator = insert(:user, is_moderator: true, is_admin: true) {:ok, post} = CommonAPI.post(user, %{status: "namu amida butsu"}) - assert {:ok, delete} = CommonAPI.delete(post.id, moderator) - assert delete.local - - refute Activity.get_by_id(post.id) + assert {:error, "Could not delete"} = CommonAPI.delete(post.id, moderator) + assert Activity.get_by_id(post.id) end - test "superusers deleting non-local posts won't federate the delete" do + test "privileged users deleting non-local posts won't federate the delete" do + clear_config([:instance, :admin_privileges], [:status_delete]) # This is the user of the ingested activity _user = insert(:user, @@ -364,7 +366,7 @@ defmodule Pleroma.Web.CommonAPITest do last_refreshed_at: NaiveDateTime.utc_now() ) - moderator = insert(:user, is_admin: true) + admin = insert(:user, is_admin: true) data = File.read!("test/fixtures/mastodon-post-activity.json") @@ -374,7 +376,7 @@ defmodule Pleroma.Web.CommonAPITest do with_mock Pleroma.Web.Federator, publish: fn _ -> nil end do - assert {:ok, delete} = CommonAPI.delete(post.id, moderator) + assert {:ok, delete} = CommonAPI.delete(post.id, admin) assert delete.local refute called(Pleroma.Web.Federator.publish(:_)) end diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs index dc6912b7b..4ea92e329 100644 --- a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs 
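Review bot: The denial case in "it doesn't allow unprivileged mods or admins to delete other user's posts" (hunk `@@ -343,19 +344,20 @@`) only covers both privilege lists being empty, so it would still pass if the check let any staff member delete as soon as either list contains `:status_delete`. A second case where `:admin_privileges` holds `:status_delete`, `:moderator_privileges` is empty and the actor is only a moderator would pin the role-to-privilege mapping. The actor in the existing test is also bound to `moderator` although it is created with `is_admin: true` as well; a name such as `staff_user` would describe it more accurately.

```elixir
# … unchanged: existing test with both privilege lists empty …

test "it doesn't allow a moderator to delete when only admins hold :status_delete" do
  clear_config([:instance, :admin_privileges], [:status_delete])
  clear_config([:instance, :moderator_privileges], [])
  user = insert(:user)
  moderator = insert(:user, is_moderator: true)

  {:ok, post} = CommonAPI.post(user, %{status: "namu amida butsu"})

  assert {:error, "Could not delete"} = CommonAPI.delete(post.id, moderator)
  assert Activity.get_by_id(post.id)
end
```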
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0-only defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do - use Pleroma.Web.ConnCase + use Pleroma.Web.ConnCase, async: false use Oban.Testing, repo: Pleroma.Repo alias Pleroma.Activity @@ -968,30 +968,20 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do assert Activity.get_by_id(activity.id) == activity end - test "when you're an admin or moderator", %{conn: conn} do - activity1 = insert(:note_activity) - activity2 = insert(:note_activity) - admin = insert(:user, is_admin: true) + test "when you're privileged to", %{conn: conn} do + clear_config([:instance, :moderator_privileges], [:status_delete]) + activity = insert(:note_activity) moderator = insert(:user, is_moderator: true) res_conn = conn - |> assign(:user, admin) - |> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"])) - |> delete("/api/v1/statuses/#{activity1.id}") - - assert %{} = json_response_and_validate_schema(res_conn, 200) - - res_conn = - conn |> assign(:user, moderator) |> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"])) - |> delete("/api/v1/statuses/#{activity2.id}") + |> delete("/api/v1/statuses/#{activity.id}") assert %{} = json_response_and_validate_schema(res_conn, 200) - refute Activity.get_by_id(activity1.id) - refute Activity.get_by_id(activity2.id) + refute Activity.get_by_id(activity.id) end end |
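Review bot: The rewritten test "when you're privileged to" (hunk `@@ -968,30 +968,20 @@`) drops the admin request and adds no denial case, so in the visible lines nothing checks at the HTTP layer that a moderator or admin without `:status_delete` is refused on `delete("/api/v1/statuses/#{activity.id}")`. The CommonAPI tests cover the lower layer, but a controller-level check is what would catch a route or plug that bypasses the privilege check. Consider a sibling test that sets `clear_config([:instance, :moderator_privileges], [])`, sends the same request as the moderator, asserts the rejection response, and ends with `assert Activity.get_by_id(activity.id) == activity`. The enclosing describe block starts outside the hunk, so an equivalent test may already exist there.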