summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--lib/pleroma/web/activity_pub/object_validators/common_validations.ex6
-rw-r--r--lib/pleroma/web/activity_pub/object_validators/delete_validator.ex2
-rw-r--r--test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs17
3 files changed, 17 insertions, 8 deletions
diff --git a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
index 704b3abc9..1c5b1a059 100644
--- a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
@@ -136,11 +136,11 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.CommonValidations do
# This figures out if a user is able to create, delete or modify something
# based on the domain and superuser status
- @spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t()
- def validate_modification_rights(cng) do
+ @spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t()
+ def validate_modification_rights(cng, privilege) do
actor = User.get_cached_by_ap_id(get_field(cng, :actor))
- if User.superuser?(actor) || same_domain?(cng) do
+ if User.privileged?(actor, privilege) || same_domain?(cng) do
cng
else
cng
diff --git a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
index 035fd5bc9..6e4208167 100644
--- a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
@@ -61,7 +61,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidator do
|> validate_required([:id, :type, :actor, :to, :cc, :object])
|> validate_inclusion(:type, ["Delete"])
|> validate_delete_actor(:actor)
- |> validate_modification_rights()
+ |> validate_modification_rights(:status_delete)
|> validate_object_or_user_presence(allowed_types: @deletable_types)
|> add_deleted_activity_id()
end
diff --git a/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs b/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs
index ea4664859..ba137604b 100644
--- a/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs
+++ b/test/pleroma/web/activity_pub/object_validators/delete_validation_test.exs
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
- use Pleroma.DataCase, async: true
+ use Pleroma.DataCase, async: false
alias Pleroma.Object
alias Pleroma.Web.ActivityPub.Builder
@@ -90,17 +90,26 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
end
- test "it's valid if the actor of the object is a local superuser",
+ test "it's only valid if the actor of the object is a privileged local user",
%{valid_post_delete: valid_post_delete} do
+ clear_config([:instance, :moderator_privileges], [:status_delete])
+
user =
insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo")
- valid_other_actor =
+ post_delete_with_moderator_actor =
valid_post_delete
|> Map.put("actor", user.ap_id)
- {:ok, _, meta} = ObjectValidator.validate(valid_other_actor, [])
+ {:ok, _, meta} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
+
assert meta[:do_not_federate]
+
+ clear_config([:instance, :moderator_privileges], [])
+
+ {:error, cng} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
+
+ assert {:actor, {"is not allowed to modify object", []}} in cng.errors
end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-04 01:33:04 +0000