14 files changed, 325 insertions, 116 deletions

diff --git a/lib/pleroma/notification.ex b/lib/pleroma/notification.ex
index c2d4d86a3..aba6096bc 100644
--- a/lib/pleroma/notification.ex
+++ b/lib/pleroma/notification.ex
@@ -338,14 +338,6 @@ defmodule Pleroma.Notification do
     |> Repo.delete_all()
   end
 
-  def destroy_multiple_from_types(%{id: user_id}, types) do
-    from(n in Notification,
-      where: n.user_id == ^user_id,
-      where: n.type in ^types
-    )
-    |> Repo.delete_all()
-  end
-
   def dismiss(%Pleroma.Activity{} = activity) do
     Notification
     |> where([n], n.activity_id == ^activity.id)
@@ -559,7 +551,9 @@ defmodule Pleroma.Notification do
   end
 
   def get_potential_receiver_ap_ids(%{data: %{"type" => "Flag", "actor" => actor}}) do
-    (User.all_superusers() |> Enum.map(fn user -> user.ap_id end)) -- [actor]
+    (User.all_users_with_privilege(:reports_manage_reports)
+     |> Enum.map(fn user -> user.ap_id end)) --
+      [actor]
   end
 
   # Update activity: notify all who repeated this
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 4f91b3ffc..f6e30555c 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -326,7 +326,7 @@ defmodule Pleroma.User do
   end
 
   def visible_for(%User{} = user, for_user) do
-    if superuser?(for_user) do
+    if privileged?(for_user, :users_manage_activation_state) do
       :visible
     else
       visible_account_status(user)
@@ -353,10 +353,45 @@ defmodule Pleroma.User do
     end
   end
 
-  @spec superuser?(User.t()) :: boolean()
-  def superuser?(%User{local: true, is_admin: true}), do: true
-  def superuser?(%User{local: true, is_moderator: true}), do: true
-  def superuser?(_), do: false
+  @spec privileged?(User.t(), atom()) :: boolean()
+  def privileged?(%User{is_admin: false, is_moderator: false}, _), do: false
+
+  def privileged?(
+        %User{local: true, is_admin: is_admin, is_moderator: is_moderator},
+        privilege_tag
+      ),
+      do:
+        privileged_for?(privilege_tag, is_admin, :admin_privileges) or
+          privileged_for?(privilege_tag, is_moderator, :moderator_privileges)
+
+  def privileged?(_, _), do: false
+
+  defp privileged_for?(privilege_tag, true, config_role_key),
+    do: privilege_tag in Config.get([:instance, config_role_key])
+
+  defp privileged_for?(_, _, _), do: false
+
+  @spec privileges(User.t()) :: [atom()]
+  def privileges(%User{local: false}) do
+    []
+  end
+
+  def privileges(%User{is_moderator: false, is_admin: false}) do
+    []
+  end
+
+  def privileges(%User{local: true, is_moderator: true, is_admin: true}) do
+    (Config.get([:instance, :moderator_privileges]) ++ Config.get([:instance, :admin_privileges]))
+    |> Enum.uniq()
+  end
+
+  def privileges(%User{local: true, is_moderator: true, is_admin: false}) do
+    Config.get([:instance, :moderator_privileges])
+  end
+
+  def privileges(%User{local: true, is_moderator: false, is_admin: true}) do
+    Config.get([:instance, :admin_privileges])
+  end
 
   @spec invisible?(User.t()) :: boolean()
   def invisible?(%User{invisible: true}), do: true
@@ -1167,24 +1202,10 @@ defmodule Pleroma.User do
     |> update_and_set_cache()
   end
 
-  def update_and_set_cache(%{data: %Pleroma.User{} = user} = changeset) do
-    was_superuser_before_update = User.superuser?(user)
-
+  def update_and_set_cache(changeset) do
     with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do
       set_cache(user)
     end
-    |> maybe_remove_report_notifications(was_superuser_before_update)
-  end
-
-  defp maybe_remove_report_notifications({:ok, %Pleroma.User{} = user} = result, true) do
-    if not User.superuser?(user),
-      do: user |> Notification.destroy_multiple_from_types(["pleroma:report"])
-
-    result
-  end
-
-  defp maybe_remove_report_notifications(result, _) do
-    result
   end
 
   def get_user_friends_ap_ids(user) do
@@ -2265,6 +2286,11 @@ defmodule Pleroma.User do
     |> Repo.all()
   end
 
+  @spec all_users_with_privilege(atom()) :: [User.t()]
+  def all_users_with_privilege(privilege) do
+    User.Query.build(%{is_privileged: privilege}) |> Repo.all()
+  end
+
   def muting_reblogs?(%User{} = user, %User{} = target) do
     UserRelationship.reblog_mute_exists?(user, target)
   end
diff --git a/lib/pleroma/user/query.ex b/lib/pleroma/user/query.ex
index 20bc1ea61..3e090cac0 100644
--- a/lib/pleroma/user/query.ex
+++ b/lib/pleroma/user/query.ex
@@ -29,6 +29,7 @@ defmodule Pleroma.User.Query do
   import Ecto.Query
   import Pleroma.Web.Utils.Guards, only: [not_empty_string: 1]
 
+  alias Pleroma.Config
   alias Pleroma.FollowingRelationship
   alias Pleroma.User
 
@@ -49,6 +50,7 @@ defmodule Pleroma.User.Query do
             is_suggested: boolean(),
             is_discoverable: boolean(),
             super_users: boolean(),
+            is_privileged: atom(),
             invisible: boolean(),
             internal: boolean(),
             followers: User.t(),
@@ -136,6 +138,43 @@ defmodule Pleroma.User.Query do
     )
   end
 
+  defp compose_query({:is_privileged, privilege}, query) do
+    moderator_privileged = privilege in Config.get([:instance, :moderator_privileges])
+    admin_privileged = privilege in Config.get([:instance, :admin_privileges])
+
+    query = compose_query({:active, true}, query)
+    query = compose_query({:local, true}, query)
+
+    case {admin_privileged, moderator_privileged} do
+      {false, false} ->
+        where(
+          query,
+          false
+        )
+
+      {true, true} ->
+        where(
+          query,
+          [u],
+          u.is_admin or u.is_moderator
+        )
+
+      {true, false} ->
+        where(
+          query,
+          [u],
+          u.is_admin
+        )
+
+      {false, true} ->
+        where(
+          query,
+          [u],
+          u.is_moderator
+        )
+    end
+  end
+
   defp compose_query({:local, _}, query), do: location_query(query, true)
 
   defp compose_query({:external, _}, query), do: location_query(query, false)
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index fa251394b..b9206b4da 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -401,11 +401,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
          _ <- notify_and_stream(activity),
          :ok <-
            maybe_federate(stripped_activity) do
-      User.all_superusers()
+      User.all_users_with_privilege(:reports_manage_reports)
       |> Enum.filter(fn user -> user.ap_id != actor end)
       |> Enum.filter(fn user -> not is_nil(user.email) end)
-      |> Enum.each(fn superuser ->
-        superuser
+      |> Enum.each(fn privileged_user ->
+        privileged_user
         |> Pleroma.Emails.AdminEmail.report(actor, account, statuses, content)
         |> Pleroma.Emails.Mailer.deliver_async()
       end)
diff --git a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
index 704b3abc9..1c5b1a059 100644
--- a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex
@@ -136,11 +136,11 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.CommonValidations do
 
   # This figures out if a user is able to create, delete or modify something
   # based on the domain and superuser status
-  @spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t()
-  def validate_modification_rights(cng) do
+  @spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t()
+  def validate_modification_rights(cng, privilege) do
     actor = User.get_cached_by_ap_id(get_field(cng, :actor))
 
-    if User.superuser?(actor) || same_domain?(cng) do
+    if User.privileged?(actor, privilege) || same_domain?(cng) do
       cng
     else
       cng
diff --git a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
index 035fd5bc9..4d8502ada 100644
--- a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex
@@ -61,7 +61,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidator do
     |> validate_required([:id, :type, :actor, :to, :cc, :object])
     |> validate_inclusion(:type, ["Delete"])
     |> validate_delete_actor(:actor)
-    |> validate_modification_rights()
+    |> validate_modification_rights(:messages_delete)
     |> validate_object_or_user_presence(allowed_types: @deletable_types)
     |> add_deleted_activity_id()
   end
diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex
index 62ab6b69c..89cc0d6fe 100644
--- a/lib/pleroma/web/common_api.ex
+++ b/lib/pleroma/web/common_api.ex
@@ -145,10 +145,10 @@ defmodule Pleroma.Web.CommonAPI do
            {:find_activity, Activity.get_by_id(activity_id)},
          {_, %Object{} = object, _} <-
            {:find_object, Object.normalize(activity, fetch: false), activity},
-         true <- User.superuser?(user) || user.ap_id == object.data["actor"],
+         true <- User.privileged?(user, :messages_delete) || user.ap_id == object.data["actor"],
          {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
          {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
-      if User.superuser?(user) and user.ap_id != object.data["actor"] do
+      if User.privileged?(user, :messages_delete) and user.ap_id != object.data["actor"] do
         action =
           if object.data["type"] == "ChatMessage" do
             "chat_message_delete"
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex
index b4d092eed..c51230b92 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex
@@ -61,7 +61,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPI do
   end
 
   def get_notifications(user, params \\ %{}) do
-    options = cast_params(params)
+    options =
+      cast_params(params) |> Map.update(:include_types, [], fn include_types -> include_types end)
+
+    options =
+      if "pleroma:report" not in options.include_types or
+           User.privileged?(user, :reports_manage_reports) do
+        options
+      else
+        options
+        |> Map.update(:exclude_types, ["pleroma:report"], fn current_exclude_types ->
+          current_exclude_types ++ ["pleroma:report"]
+        end)
+      end
 
     user
     |> Notification.for_user_query(options)
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index 2260bf5da..cc3e3582f 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -370,19 +370,22 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
   defp maybe_put_chat_token(data, _, _, _), do: data
 
   defp maybe_put_role(data, %User{show_role: true} = user, _) do
-    data
-    |> Kernel.put_in([:pleroma, :is_admin], user.is_admin)
-    |> Kernel.put_in([:pleroma, :is_moderator], user.is_moderator)
+    put_role(data, user)
   end
 
   defp maybe_put_role(data, %User{id: user_id} = user, %User{id: user_id}) do
+    put_role(data, user)
+  end
+
+  defp maybe_put_role(data, _, _), do: data
+
+  defp put_role(data, user) do
     data
     |> Kernel.put_in([:pleroma, :is_admin], user.is_admin)
     |> Kernel.put_in([:pleroma, :is_moderator], user.is_moderator)
+    |> Kernel.put_in([:pleroma, :privileges], User.privileges(user))
   end
 
-  defp maybe_put_role(data, _, _), do: data
-
   defp maybe_put_notification_settings(data, %User{id: user_id} = user, %User{id: user_id}) do
     Kernel.put_in(
       data,
@@ -399,12 +402,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
 
   defp maybe_put_allow_following_move(data, _, _), do: data
 
-  defp maybe_put_activation_status(data, user, %User{is_admin: true}) do
-    Kernel.put_in(data, [:pleroma, :deactivated], !user.is_active)
+  defp maybe_put_activation_status(data, user, user_for) do
+    if User.privileged?(user_for, :users_manage_activation_state),
+      do: Kernel.put_in(data, [:pleroma, :deactivated], !user.is_active),
+      else: data
   end
 
-  defp maybe_put_activation_status(data, _, _), do: data
-
   defp maybe_put_unread_conversation_count(data, %User{id: user_id} = user, %User{id: user_id}) do
     data
     |> Kernel.put_in(
diff --git a/lib/pleroma/web/mastodon_api/views/instance_view.ex b/lib/pleroma/web/mastodon_api/views/instance_view.ex
index 1cc230316..917725839 100644
--- a/lib/pleroma/web/mastodon_api/views/instance_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/instance_view.ex
@@ -48,7 +48,6 @@ defmodule Pleroma.Web.MastodonAPI.InstanceView do
           federation: federation(),
           fields_limits: fields_limits(),
           post_formats: Config.get([:instance, :allowed_post_formats]),
-          privileged_staff: Config.get([:instance, :privileged_staff]),
           birthday_required: Config.get([:instance, :birthday_required]),
           birthday_min_age: Config.get([:instance, :birthday_min_age])
         },
diff --git a/lib/pleroma/web/nodeinfo/nodeinfo.ex b/lib/pleroma/web/nodeinfo/nodeinfo.ex
index 62d445f34..9e27ac26c 100644
--- a/lib/pleroma/web/nodeinfo/nodeinfo.ex
+++ b/lib/pleroma/web/nodeinfo/nodeinfo.ex
@@ -49,6 +49,10 @@ defmodule Pleroma.Web.Nodeinfo.Nodeinfo do
           enabled: false
         },
         staffAccounts: staff_accounts,
+        roles: %{
+          admin: Config.get([:instance, :admin_privileges]),
+          moderator: Config.get([:instance, :moderator_privileges])
+        },
         federation: federation,
         pollLimits: Config.get([:instance, :poll_limits]),
         postFormats: Config.get([:instance, :allowed_post_formats]),
@@ -69,8 +73,7 @@ defmodule Pleroma.Web.Nodeinfo.Nodeinfo do
         mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false),
         features: features,
         restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]),
-        skipThreadContainment: Config.get([:instance, :skip_thread_containment], false),
-        privilegedStaff: Config.get([:instance, :privileged_staff])
+        skipThreadContainment: Config.get([:instance, :skip_thread_containment], false)
       }
     }
   end
diff --git a/lib/pleroma/web/plugs/ensure_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_privileged_plug.ex
new file mode 100644
index 000000000..f886c87ea
--- /dev/null
+++ b/lib/pleroma/web/plugs/ensure_privileged_plug.ex
@@ -0,0 +1,44 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlug do
+  @moduledoc """
+  Ensures staff are privileged enough to do certain tasks.
+  """
+  import Pleroma.Web.TranslationHelpers
+  import Plug.Conn
+
+  alias Pleroma.Config
+  alias Pleroma.User
+
+  def init(options) do
+    options
+  end
+
+  def call(%{assigns: %{user: %User{is_admin: false, is_moderator: false}}} = conn, _) do
+    conn
+    |> render_error(:forbidden, "User isn't privileged.")
+    |> halt()
+  end
+
+  def call(
+        %{assigns: %{user: %User{is_admin: is_admin, is_moderator: is_moderator}}} = conn,
+        privilege
+      ) do
+    if (is_admin and privilege in Config.get([:instance, :admin_privileges])) or
+         (is_moderator and privilege in Config.get([:instance, :moderator_privileges])) do
+      conn
+    else
+      conn
+      |> render_error(:forbidden, "User isn't privileged.")
+      |> halt()
+    end
+  end
+
+  def call(conn, _) do
+    conn
+    |> render_error(:forbidden, "User isn't privileged.")
+    |> halt()
+  end
+end
diff --git a/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex
deleted file mode 100644
index 3c2109496..000000000
--- a/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex
+++ /dev/null
@@ -1,36 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug do
-  @moduledoc """
-  Ensures staff are privileged enough to do certain tasks.
-  """
-  import Pleroma.Web.TranslationHelpers
-  import Plug.Conn
-
-  alias Pleroma.Config
-  alias Pleroma.User
-
-  def init(options) do
-    options
-  end
-
-  def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _), do: conn
-
-  def call(%{assigns: %{user: %User{is_moderator: true}}} = conn, _) do
-    if Config.get!([:instance, :privileged_staff]) do
-      conn
-    else
-      conn
-      |> render_error(:forbidden, "User is not an admin.")
-      |> halt()
-    end
-  end
-
-  def call(conn, _) do
-    conn
-    |> render_error(:forbidden, "User is not a staff member.")
-    |> halt()
-  end
-end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 2ea3ea7c1..ba1d64ab2 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -101,14 +101,80 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Web.Plugs.IdempotencyPlug)
   end
 
-  pipeline :require_privileged_staff do
-    plug(Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug)
-  end
-
   pipeline :require_admin do
     plug(Pleroma.Web.Plugs.UserIsAdminPlug)
   end
 
+  pipeline :require_privileged_role_users_delete do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_delete)
+  end
+
+  pipeline :require_privileged_role_users_manage_credentials do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_credentials)
+  end
+
+  pipeline :require_privileged_role_messages_read do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_read)
+  end
+
+  pipeline :require_privileged_role_users_manage_tags do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_tags)
+  end
+
+  pipeline :require_privileged_role_users_manage_activation_state do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_activation_state)
+  end
+
+  pipeline :require_privileged_role_users_manage_invites do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_invites)
+  end
+
+  pipeline :require_privileged_role_reports_manage_reports do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :reports_manage_reports)
+  end
+
+  pipeline :require_privileged_role_users_read do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_read)
+  end
+
+  pipeline :require_privileged_role_messages_delete do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_delete)
+  end
+
+  pipeline :require_privileged_role_emoji_manage_emoji do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_manage_emoji)
+  end
+
+  pipeline :require_privileged_role_instances_delete do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :instances_delete)
+  end
+
+  pipeline :require_privileged_role_moderation_log_read do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :moderation_log_read)
+  end
+
+  pipeline :require_privileged_role_statistics_read do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statistics_read)
+  end
+
+  pipeline :require_privileged_role_announcements_manage_announcements do
+    plug(:admin_api)
+    plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :announcements_manage_announcements)
+  end
+
   pipeline :pleroma_html do
     plug(:browser)
     plug(:authenticate)
@@ -167,8 +233,6 @@ defmodule Pleroma.Web.Router do
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
     pipe_through([:admin_api, :require_admin])
 
-    put("/users/disable_mfa", AdminAPIController, :disable_mfa)
-
     get("/users/:nickname/permission_group", AdminAPIController, :right_get)
     get("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_get)
 
@@ -199,17 +263,10 @@ defmodule Pleroma.Web.Router do
     post("/relay", RelayController, :follow)
     delete("/relay", RelayController, :unfollow)
 
-    patch("/users/force_password_reset", AdminAPIController, :force_password_reset)
-    get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials)
-    patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
-
     get("/instance_document/:name", InstanceDocumentController, :show)
     patch("/instance_document/:name", InstanceDocumentController, :update)
     delete("/instance_document/:name", InstanceDocumentController, :delete)
 
-    patch("/users/confirm_email", AdminAPIController, :confirm_email)
-    patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email)
-
     get("/config", ConfigController, :show)
     post("/config", ConfigController, :update)
     get("/config/descriptions", ConfigController, :descriptions)
@@ -229,6 +286,11 @@ defmodule Pleroma.Web.Router do
     post("/frontends/install", FrontendController, :install)
 
     post("/backups", AdminAPIController, :create_backup)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_announcements_manage_announcements)
 
     get("/announcements", AnnouncementController, :index)
     post("/announcements", AnnouncementController, :create)
@@ -237,14 +299,29 @@ defmodule Pleroma.Web.Router do
     delete("/announcements/:id", AnnouncementController, :delete)
   end
 
-  # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :require_privileged_staff])
+    pipe_through(:require_privileged_role_users_delete)
 
     delete("/users", UserController, :delete)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_users_manage_credentials)
 
     get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
+    get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials)
     patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials)
+    put("/users/disable_mfa", AdminAPIController, :disable_mfa)
+    patch("/users/force_password_reset", AdminAPIController, :force_password_reset)
+    patch("/users/confirm_email", AdminAPIController, :confirm_email)
+    patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_messages_read)
 
     get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
     get("/users/:nickname/chats", AdminAPIController, :list_user_chats)
@@ -253,52 +330,100 @@ defmodule Pleroma.Web.Router do
 
     get("/chats/:id", ChatController, :show)
     get("/chats/:id/messages", ChatController, :messages)
+
+    get("/instances/:instance/statuses", InstanceController, :list_statuses)
+
+    get("/statuses/:id", StatusController, :show)
   end
 
-  # AdminAPI: admins and mods (staff) can perform these actions
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
   scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through(:admin_api)
+    pipe_through(:require_privileged_role_users_manage_tags)
 
     put("/users/tag", AdminAPIController, :tag_users)
     delete("/users/tag", AdminAPIController, :untag_users)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_users_manage_activation_state)
 
     patch("/users/:nickname/toggle_activation", UserController, :toggle_activation)
     patch("/users/activate", UserController, :activate)
     patch("/users/deactivate", UserController, :deactivate)
-    patch("/users/approve", UserController, :approve)
+  end
 
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_users_manage_invites)
+
+    patch("/users/approve", UserController, :approve)
     post("/users/invite_token", InviteController, :create)
     get("/users/invites", InviteController, :index)
     post("/users/revoke_invite", InviteController, :revoke)
     post("/users/email_invite", InviteController, :email)
+  end
 
-    get("/users", UserController, :index)
-    get("/users/:nickname", UserController, :show)
-
-    get("/instances/:instance/statuses", InstanceController, :list_statuses)
-    delete("/instances/:instance", InstanceController, :delete)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_reports_manage_reports)
 
     get("/reports", ReportController, :index)
     get("/reports/:id", ReportController, :show)
     patch("/reports", ReportController, :update)
     post("/reports/:id/notes", ReportController, :notes_create)
     delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_users_read)
+
+    get("/users", UserController, :index)
+    get("/users/:nickname", UserController, :show)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_messages_delete)
 
-    get("/statuses/:id", StatusController, :show)
     put("/statuses/:id", StatusController, :update)
     delete("/statuses/:id", StatusController, :delete)
 
-    get("/moderation_log", AdminAPIController, :list_log)
+    delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_emoji_manage_emoji)
 
     post("/reload_emoji", AdminAPIController, :reload_emoji)
-    get("/stats", AdminAPIController, :stats)
+  end
 
-    delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_instances_delete)
+
+    delete("/instances/:instance", InstanceController, :delete)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_moderation_log_read)
+
+    get("/moderation_log", AdminAPIController, :list_log)
+  end
+
+  # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+  scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+    pipe_through(:require_privileged_role_statistics_read)
+
+    get("/stats", AdminAPIController, :stats)
   end
 
   scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do
     scope "/pack" do
-      pipe_through(:admin_api)
+      pipe_through(:require_privileged_role_emoji_manage_emoji)
 
       post("/", EmojiPackController, :create)
       patch("/", EmojiPackController, :update)
@@ -313,7 +438,7 @@ defmodule Pleroma.Web.Router do
 
     # Modifying packs
     scope "/packs" do
-      pipe_through(:admin_api)
+      pipe_through(:require_privileged_role_emoji_manage_emoji)
 
       get("/import", EmojiPackController, :import_from_filesystem)
       get("/remote", EmojiPackController, :remote)