4 files changed, 33 insertions, 7 deletions

diff --git a/config/config.exs b/config/config.exs
index 2d501e577..496a1d57a 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -257,7 +257,7 @@ config :pleroma, :instance,
   password_reset_token_validity: 60 * 60 * 24,
   profile_directory: true,
   privileged_staff: false,
-  admin_privileges: [],
+  admin_privileges: [:user_deletion],
   moderator_privileges: [],
   max_endorsed_users: 20,
   birthday_required: false,
diff --git a/config/description.exs b/config/description.exs
index b73b92c46..b45d416b1 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -969,14 +969,16 @@ config :pleroma, :config_description, [
       %{
         key: :admin_privileges,
         type: {:list, :atom},
-        suggestions: [],
-        description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
+        suggestions: [:user_deletion],
+        description:
+          "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
       %{
         key: :moderator_privileges,
         type: {:list, :atom},
-        suggestions: [],
-        description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
+        suggestions: [:user_deletion],
+        description:
+          "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
       },
       %{
         key: :birthday_required,
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index ceb6c3cfd..5012fbf9a 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -109,6 +109,11 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.UserIsAdminPlug)
   end
 
+  pipeline :require_privileged_role_user_deletion do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -231,11 +236,16 @@ defmodule Pleroma.Web.Router do
     post("/backups", AdminAPIController, :create_backup)
   end
 
-  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :require_privileged_staff])
+    pipe_through([:admin_api, :require_privileged_role_user_deletion])
 
     delete("/users", UserController, :delete)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through([:admin_api, :require_privileged_staff])
 
     get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
     patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
diff --git a/test/pleroma/web/admin_api/controllers/user_controller_test.exs b/test/pleroma/web/admin_api/controllers/user_controller_test.exs
index 79971be06..54a9619e8 100644
--- a/test/pleroma/web/admin_api/controllers/user_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/user_controller_test.exs
@@ -94,6 +94,7 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
   describe "DELETE /api/pleroma/admin/users" do
     test "single user", %{admin: admin, conn: conn} do
       clear_config([:instance, :federating], true)
+      clear_config([:instance, :admin_privileges], [:user_deletion])
 
       user =
         insert(:user,
@@ -149,6 +150,8 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
     end
 
     test "multiple users", %{admin: admin, conn: conn} do
+      clear_config([:instance, :admin_privileges], [:user_deletion])
+
       user_one = insert(:user)
       user_two = insert(:user)
 
@@ -168,6 +171,17 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
 
       assert response -- [user_one.nickname, user_two.nickname] == []
     end
+
+    test "Needs privileged role", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> delete("/api/pleroma/admin/users?nickname=nickname")
+
+      assert json_response(response, :forbidden)
+    end
   end
 
   describe "/api/pleroma/admin/users" do