Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/admin_api/admin_api_controller.ex | 71 | ||||
| -rw-r--r-- | lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex | 23 | 
2 files changed, 61 insertions, 33 deletions
| diff --git a/lib/pleroma/web/admin_api/admin_api_controller.ex b/lib/pleroma/web/admin_api/admin_api_controller.ex
index 0a508d40e..fa69a23d9 100644
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@@ -24,38 +24,20 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
   require Logger
-  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action == :list_user_statuses)
-
   plug(
     OAuthScopesPlug,
-    %{scopes: ["write:statuses"]} when action in [:status_update, :status_delete]
+    %{scopes: ["admin:read:accounts", "read:accounts"]}
+    when action in [:list_users, :user_show, :right_get, :invites]
   )
   plug(
     OAuthScopesPlug,
-    %{scopes: ["read"]}
+    %{scopes: ["admin:write", "write:accounts"]}
     when action in [
-           :list_reports,
-           :report_show,
-           :right_get,
            :get_invite_token,
-           :invites,
+           :revoke_invite,
+           :email_invite,
            :get_password_reset,
-           :list_users,
-           :user_show,
-           :config_show,
-           :migrate_to_db,
-           :migrate_from_db,
-           :list_log
-         ]
-  )
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["write"]}
-    when action in [
-           :report_update_state,
-           :report_respond,
            :user_follow,
            :user_unfollow,
            :user_delete,
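Review bot: Each scope list in this hunk pairs an `admin:`-prefixed scope with a plain Mastodon scope (`["admin:write", "write:accounts"]`, `["admin:read:accounts", "read:accounts"]`), and if OAuthScopesPlug treats the list as any-of — its default as far as I recall, the plug itself is not in this diff — a token holding only `write:accounts`, which any third-party client can request, satisfies the check for `get_invite_token`, `get_password_reset`, `user_delete` and the rest once the token's owner is an admin, assuming the admin-user check elsewhere in the pipeline is the only other gate. The same pairing is used by every plug in the next hunk (`@@ -65,15 +47,44 @@`). Either drop the unprefixed fallbacks or state the intent above the first plug, e.g. `# Unprefixed scopes are a compatibility fallback for clients that cannot request admin:* scopes; an admin's session in any such client therefore carries these admin rights.` A test that a token with scopes `["write:accounts"]` is rejected (or accepted, if that is the decision) on `user_delete` would pin the behaviour.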
@@ -65,15 +47,44 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
            :untag_users,
            :right_add,
            :right_delete,
-           :set_activation_status,
-           :relay_follow,
-           :relay_unfollow,
-           :revoke_invite,
-           :email_invite,
-           :config_update
+           :set_activation_status
          ]
   )
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:read:reports", "read:reports"]} when action in [:list_reports, :report_show]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:write:reports", "write:reports"]}
+    when action in [:report_update_state, :report_respond]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:read:statuses", "read:statuses"]} when action == :list_user_statuses
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:write:statuses", "write:statuses"]}
+    when action in [:status_update, :status_delete]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:read", "read"]}
+    when action in [:config_show, :migrate_to_db, :migrate_from_db, :list_log]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["admin:write", "write"]}
+    when action in [:relay_follow, :relay_unfollow, :config_update]
+  )
+
   @users_page_size 50
   action_fallback(:errors)
@@ -451,7 +462,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
     end
   end
-  @doc "Get a account registeration invite token (base64 string)"
+  @doc "Get a account registration invite token (base64 string)"
   def get_invite_token(conn, params) do
     options = params["invite"] || %{}
     {:ok, invite} = UserInviteToken.create_invite(options)
diff --git a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
index c5632bb5e..d7a83a2f5 100644
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
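Review bot: `:migrate_to_db` and `:migrate_from_db` are placed under `%{scopes: ["admin:read", "read"]}` next to `:config_show` and `:list_log`, yet by name they move configuration between file and database, which is a write; if they do mutate state they belong with `:config_update` under `["admin:write", "write"]`. The pre-commit code grouped them under `["read"]` too, so this is not a regression, but the split into read and write plugs is the moment to correct it. Concretely: `when action in [:config_show, :list_log]` for the read plug and `when action in [:relay_follow, :relay_unfollow, :config_update, :migrate_to_db, :migrate_from_db]` for the write plug, plus a test that a read-only admin token is rejected on both migrate actions.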
@@ -53,13 +53,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
   require Logger
   require Pleroma.Constants
-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
-
   @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
+  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
   plug(
     OAuthScopesPlug,
-    %{scopes: ["read"], skip_instance_privacy_check: true} when action == :index
+    Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
+    when action == :index
   )
   plug(
@@ -220,6 +220,23 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
     %{scopes: ["write:bookmarks"]} when action in [:bookmark_status, :unbookmark_status]
   )
+  # An extra safety measure for possible actions not guarded by OAuth permissions specification
+  plug(
+    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+    when action not in [
+           :account_register,
+           :create_app,
+           :index,
+           :login,
+           :logout,
+           :password_reset,
+           :account_confirmation_resend,
+           :masto_instance,
+           :peers,
+           :custom_emojis
+         ]
+  )
+
   @rate_limited_relations_actions ~w(follow unfollow)a
   @rate_limited_status_actions ~w(reblog_status unreblog_status fav_status unfav_status |
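Review bot: The new EnsurePublicOrAuthenticatedPlug exempts ten actions where the guard removed in `@@ -53,13 +53,13 @@` exempted only `:index`, so on a non-public instance `:masto_instance`, `:peers`, `:custom_emojis`, `:account_register` and the others become reachable without a token unless their own OAuthScopesPlug, outside this hunk, still performs the instance-privacy check. That is probably intended, since a client needs instance metadata before it can log in, but nothing in the diff records the decision. I would replace the comment with one that states the invariant, e.g. `# Deny-by-default backstop: on a non-public instance every action not listed here requires an authenticated user; each listed action is deliberately reachable anonymously (registration/login flow, instance metadata).` A test that, with the instance configured non-public, an unauthenticated request to each exempted action succeeds and to one guarded action is rejected would keep the list honest. Because this plug is declared after all the OAuthScopesPlug plugs it only runs for requests that passed or fell through the scope checks, which is fine for a backstop but worth a word in the comment.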
