From 5b19543f0afaaad7f8fc302946547ae5c18e8bb3 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 21 May 2022 18:48:21 +0200 Subject: Add new setting and Plug to allow for privilege settings for staff --- lib/pleroma/web/plugs/ensure_privileged_plug.ex | 44 +++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 lib/pleroma/web/plugs/ensure_privileged_plug.ex (limited to 'lib') diff --git a/lib/pleroma/web/plugs/ensure_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_privileged_plug.ex new file mode 100644 index 000000000..be09f3d81 --- /dev/null +++ b/lib/pleroma/web/plugs/ensure_privileged_plug.ex @@ -0,0 +1,44 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2022 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlug do + @moduledoc """ + Ensures staff are privileged enough to do certain tasks. + """ + import Pleroma.Web.TranslationHelpers + import Plug.Conn + + alias Pleroma.Config + alias Pleroma.User + + def init(options) do + options + end + + def call(%{assigns: %{user: %User{is_admin: false, is_moderator: false}}} = conn, _) do + conn + |> render_error(:forbidden, "User isn't privileged.") + |> halt() + end + + def call( + %{assigns: %{user: %User{is_admin: is_admin, is_moderator: is_moderator}}} = conn, + priviledge + ) do + if (is_admin and priviledge in Config.get([:instance, :admin_privileges])) or + (is_moderator and priviledge in Config.get([:instance, :moderator_privileges])) do + conn + else + conn + |> render_error(:forbidden, "User isn't privileged.") + |> halt() + end + end + + def call(conn, _) do + conn + |> render_error(:forbidden, "User isn't privileged.") + |> halt() + end +end -- cgit v1.2.3 From 9f6c36475914bfd1b8c02035341765b4d1bd4395 Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 12:49:09 +0200 Subject: Add privilege :user_deletion --- lib/pleroma/web/router.ex | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index ceb6c3cfd..5012fbf9a 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -109,6 +109,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.UserIsAdminPlug) end + pipeline :require_privileged_role_user_deletion do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -231,11 +236,16 @@ defmodule Pleroma.Web.Router do post("/backups", AdminAPIController, :create_backup) end - # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_staff]) + pipe_through([:admin_api, :require_privileged_role_user_deletion]) delete("/users", UserController, :delete) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through([:admin_api, :require_privileged_staff]) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) -- cgit v1.2.3 From 8a9144ca8b8e17df509dc8ac3934656b7dac8d77 Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 13:27:06 +0200 Subject: Add priviledges for :user_credentials I only moved the ones from the :require_privileged_staff block for now --- lib/pleroma/web/router.ex | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 5012fbf9a..24928ffb5 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -114,6 +114,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) end + pipeline :require_privileged_role_user_credentials do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -206,7 +211,6 @@ defmodule Pleroma.Web.Router do patch("/users/force_password_reset", AdminAPIController, :force_password_reset) get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) - patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) get("/instance_document/:name", InstanceDocumentController, :show) patch("/instance_document/:name", InstanceDocumentController, :update) @@ -243,12 +247,17 @@ defmodule Pleroma.Web.Router do delete("/users", UserController, :delete) end - # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_staff]) + pipe_through([:admin_api, :require_privileged_role_user_credentials]) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through([:admin_api, :require_privileged_staff]) get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses) get("/users/:nickname/chats", AdminAPIController, :list_user_chats) -- cgit v1.2.3 From b1ff5241c21dac58ec1f9171de26772debfdb283 Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 14:21:14 +0200 Subject: Add priviledges for :statuses_read This was the last in :require_privileged_staff. I'll remove that in the next commit --- lib/pleroma/web/router.ex | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 24928ffb5..4696b4007 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -119,6 +119,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials) end + pipeline :require_privileged_role_statuses_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -242,22 +247,22 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_role_user_deletion]) + pipe_through(:require_privileged_role_user_deletion) delete("/users", UserController, :delete) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_role_user_credentials]) + pipe_through(:require_privileged_role_user_credentials) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) end - # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_staff]) + pipe_through(:require_privileged_role_statuses_read) get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses) get("/users/:nickname/chats", AdminAPIController, :list_user_chats) @@ -268,6 +273,11 @@ defmodule Pleroma.Web.Router do get("/chats/:id/messages", ChatController, :messages) end + # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through([:admin_api, :require_privileged_staff]) + end + # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) -- cgit v1.2.3 From 5a65e2dac5e689b8067e37817bbfe4a6fe1a0426 Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 14:51:53 +0200 Subject: Remove privileged_staff Everything that was done through this setting, can now be set by giving the proper privileges to the roles. --- .../web/mastodon_api/views/instance_view.ex | 1 - lib/pleroma/web/nodeinfo/nodeinfo.ex | 3 +- .../web/plugs/ensure_staff_privileged_plug.ex | 36 ---------------------- lib/pleroma/web/router.ex | 9 ------ 4 files changed, 1 insertion(+), 48 deletions(-) delete mode 100644 lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/views/instance_view.ex b/lib/pleroma/web/mastodon_api/views/instance_view.ex index ee52475d5..f89c95a1c 100644 --- a/lib/pleroma/web/mastodon_api/views/instance_view.ex +++ b/lib/pleroma/web/mastodon_api/views/instance_view.ex @@ -47,7 +47,6 @@ defmodule Pleroma.Web.MastodonAPI.InstanceView do federation: federation(), fields_limits: fields_limits(), post_formats: Config.get([:instance, :allowed_post_formats]), - privileged_staff: Config.get([:instance, :privileged_staff]), birthday_required: Config.get([:instance, :birthday_required]), birthday_min_age: Config.get([:instance, :birthday_min_age]) }, diff --git a/lib/pleroma/web/nodeinfo/nodeinfo.ex b/lib/pleroma/web/nodeinfo/nodeinfo.ex index 62d445f34..c7b9ab2de 100644 --- a/lib/pleroma/web/nodeinfo/nodeinfo.ex +++ b/lib/pleroma/web/nodeinfo/nodeinfo.ex @@ -69,8 +69,7 @@ defmodule Pleroma.Web.Nodeinfo.Nodeinfo do mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false), features: features, restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]), - skipThreadContainment: Config.get([:instance, :skip_thread_containment], false), - privilegedStaff: Config.get([:instance, :privileged_staff]) + skipThreadContainment: Config.get([:instance, :skip_thread_containment], false) } } end diff --git a/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex deleted file mode 100644 index 3c2109496..000000000 --- a/lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex +++ /dev/null @@ -1,36 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2022 Pleroma Authors -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug do - @moduledoc """ - Ensures staff are privileged enough to do certain tasks. - """ - import Pleroma.Web.TranslationHelpers - import Plug.Conn - - alias Pleroma.Config - alias Pleroma.User - - def init(options) do - options - end - - def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _), do: conn - - def call(%{assigns: %{user: %User{is_moderator: true}}} = conn, _) do - if Config.get!([:instance, :privileged_staff]) do - conn - else - conn - |> render_error(:forbidden, "User is not an admin.") - |> halt() - end - end - - def call(conn, _) do - conn - |> render_error(:forbidden, "User is not a staff member.") - |> halt() - end -end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 4696b4007..21b77b624 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -101,10 +101,6 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.IdempotencyPlug) end - pipeline :require_privileged_staff do - plug(Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug) - end - pipeline :require_admin do plug(Pleroma.Web.Plugs.UserIsAdminPlug) end @@ -273,11 +269,6 @@ defmodule Pleroma.Web.Router do get("/chats/:id/messages", ChatController, :messages) end - # AdminAPI: admins and mods (staff) can perform these actions (if enabled by config) - scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through([:admin_api, :require_privileged_staff]) - end - # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) -- cgit v1.2.3 From cb60cc4e02af270fcccdcd552df4fa3ff858d67f Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 16:25:28 +0200 Subject: Add privileges for :user_tag --- lib/pleroma/web/router.ex | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 21b77b624..b5b9e7d07 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -120,6 +120,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read) end + pipeline :require_privileged_role_user_tag do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -269,12 +274,17 @@ defmodule Pleroma.Web.Router do get("/chats/:id/messages", ChatController, :messages) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_tag) put("/users/tag", AdminAPIController, :tag_users) delete("/users/tag", AdminAPIController, :untag_users) + end + + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/activate", UserController, :activate) -- cgit v1.2.3 From e102d25d2385761077c08e0b280359392f0592cb Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 26 May 2022 16:41:48 +0200 Subject: Add privileges for :user_activation --- lib/pleroma/web/router.ex | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index b5b9e7d07..bfe5c7b90 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -125,6 +125,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) end + pipeline :require_privileged_role_user_activation do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -282,15 +287,20 @@ defmodule Pleroma.Web.Router do delete("/users/tag", AdminAPIController, :untag_users) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_activation) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/activate", UserController, :activate) patch("/users/deactivate", UserController, :deactivate) - patch("/users/approve", UserController, :approve) + end + + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) + patch("/users/approve", UserController, :approve) post("/users/invite_token", InviteController, :create) get("/users/invites", InviteController, :index) post("/users/revoke_invite", InviteController, :revoke) -- cgit v1.2.3 From 14e697a64fe2613649634d46a71acf4d9a7d7bd6 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 28 May 2022 08:51:49 +0200 Subject: Add privileges for :user_invite --- lib/pleroma/web/router.ex | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index bfe5c7b90..87e564488 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -130,6 +130,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation) end + pipeline :require_privileged_role_user_invite do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -296,15 +301,20 @@ defmodule Pleroma.Web.Router do patch("/users/deactivate", UserController, :deactivate) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_invite) patch("/users/approve", UserController, :approve) post("/users/invite_token", InviteController, :create) get("/users/invites", InviteController, :index) post("/users/revoke_invite", InviteController, :revoke) post("/users/email_invite", InviteController, :email) + end + + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) get("/users", UserController, :index) get("/users/:nickname", UserController, :show) -- cgit v1.2.3 From 3f26f1b30fe605635e3faf610f813f3ae3ad43ec Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 28 May 2022 09:43:57 +0200 Subject: Add privileges for :report_handle --- lib/pleroma/web/router.ex | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 87e564488..dbcd6f399 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -135,6 +135,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite) end + pipeline :require_privileged_role_report_handle do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -312,6 +317,17 @@ defmodule Pleroma.Web.Router do post("/users/email_invite", InviteController, :email) end + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_report_handle) + + get("/reports", ReportController, :index) + get("/reports/:id", ReportController, :show) + patch("/reports", ReportController, :update) + post("/reports/:id/notes", ReportController, :notes_create) + delete("/reports/:report_id/notes/:id", ReportController, :notes_delete) + end + # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) @@ -322,12 +338,6 @@ defmodule Pleroma.Web.Router do get("/instances/:instance/statuses", InstanceController, :list_statuses) delete("/instances/:instance", InstanceController, :delete) - get("/reports", ReportController, :index) - get("/reports/:id", ReportController, :show) - patch("/reports", ReportController, :update) - post("/reports/:id/notes", ReportController, :notes_create) - delete("/reports/:report_id/notes/:id", ReportController, :notes_delete) - get("/statuses/:id", StatusController, :show) put("/statuses/:id", StatusController, :update) delete("/statuses/:id", StatusController, :delete) -- cgit v1.2.3 From cbb26262a5957d3a72bef383a394bb3b2ad0215d Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 28 May 2022 12:15:36 +0200 Subject: Add privileges for :user_read --- lib/pleroma/web/router.ex | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index dbcd6f399..68719c570 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -140,6 +140,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle) end + pipeline :require_privileged_role_user_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_read) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -328,12 +333,17 @@ defmodule Pleroma.Web.Router do delete("/reports/:report_id/notes/:id", ReportController, :notes_delete) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_user_read) get("/users", UserController, :index) get("/users/:nickname", UserController, :show) + end + + # AdminAPI: admins and mods (staff) can perform these actions + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:admin_api) get("/instances/:instance/statuses", InstanceController, :list_statuses) delete("/instances/:instance", InstanceController, :delete) -- cgit v1.2.3 From 34a98990dba1e021a75a23b225cff22af23f5ca2 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 11 Jun 2022 09:38:43 +0200 Subject: last off :statuses_read From the endpoints left to do, I believe these should be under :statuses_read. These should be the last for that privilege for this MR --- lib/pleroma/web/router.ex | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 68719c570..13e8141e4 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -292,6 +292,10 @@ defmodule Pleroma.Web.Router do get("/chats/:id", ChatController, :show) get("/chats/:id/messages", ChatController, :messages) + + get("/instances/:instance/statuses", InstanceController, :list_statuses) + + get("/statuses/:id", StatusController, :show) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) @@ -345,10 +349,8 @@ defmodule Pleroma.Web.Router do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) - get("/instances/:instance/statuses", InstanceController, :list_statuses) delete("/instances/:instance", InstanceController, :delete) - get("/statuses/:id", StatusController, :show) put("/statuses/:id", StatusController, :update) delete("/statuses/:id", StatusController, :delete) -- cgit v1.2.3 From 0ee8f33250f649c7807fd161b9d6588757f5dc94 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 11 Jun 2022 13:08:40 +0200 Subject: Add privilige :status_delete It also allows to update a message, so it's not just deleting. I need a better name... --- lib/pleroma/web/router.ex | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 13e8141e4..50a0ea7fc 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -145,6 +145,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_read) end + pipeline :require_privileged_role_status_delete do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -345,21 +350,26 @@ defmodule Pleroma.Web.Router do get("/users/:nickname", UserController, :show) end + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_status_delete) + + put("/statuses/:id", StatusController, :update) + delete("/statuses/:id", StatusController, :delete) + + delete("/chats/:id/messages/:message_id", ChatController, :delete_message) + end + # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) delete("/instances/:instance", InstanceController, :delete) - put("/statuses/:id", StatusController, :update) - delete("/statuses/:id", StatusController, :delete) - get("/moderation_log", AdminAPIController, :list_log) post("/reload_emoji", AdminAPIController, :reload_emoji) get("/stats", AdminAPIController, :stats) - - delete("/chats/:id/messages/:message_id", ChatController, :delete_message) end scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do -- cgit v1.2.3 From ecd42a2ce112489bb09cadcffc3661314a37a7fa Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 11 Jun 2022 22:18:21 +0200 Subject: Add privilige :emoji_management --- lib/pleroma/web/router.ex | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 50a0ea7fc..46f128672 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -150,6 +150,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete) end + pipeline :require_privileged_role_emoji_management do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -360,6 +365,13 @@ defmodule Pleroma.Web.Router do delete("/chats/:id/messages/:message_id", ChatController, :delete_message) end + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_emoji_management) + + post("/reload_emoji", AdminAPIController, :reload_emoji) + end + # AdminAPI: admins and mods (staff) can perform these actions scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through(:admin_api) @@ -368,13 +380,12 @@ defmodule Pleroma.Web.Router do get("/moderation_log", AdminAPIController, :list_log) - post("/reload_emoji", AdminAPIController, :reload_emoji) get("/stats", AdminAPIController, :stats) end scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do scope "/pack" do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_emoji_management) post("/", EmojiPackController, :create) patch("/", EmojiPackController, :update) @@ -389,7 +400,7 @@ defmodule Pleroma.Web.Router do # Modifying packs scope "/packs" do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_emoji_management) get("/import", EmojiPackController, :import_from_filesystem) get("/remote", EmojiPackController, :remote) -- cgit v1.2.3 From c842e6267545dfa88cf97cef69337296c3cb77d5 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sun, 12 Jun 2022 10:07:33 +0200 Subject: Add last priviliges I still had three endpoints I didn't really know what to do with them. I added them under separate tags * :instance_delete * :moderation_log_read * :stats_read I also checked and these are the last changes done by MR https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3480/diffs this is trying to fix --- lib/pleroma/web/router.ex | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 46f128672..f680c8353 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -155,6 +155,21 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management) end + pipeline :require_privileged_role_instance_delete do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :instance_delete) + end + + pipeline :require_privileged_role_moderation_log_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :moderation_log_read) + end + + pipeline :require_privileged_role_stats_read do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :stats_read) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -372,13 +387,23 @@ defmodule Pleroma.Web.Router do post("/reload_emoji", AdminAPIController, :reload_emoji) end - # AdminAPI: admins and mods (staff) can perform these actions + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:admin_api) + pipe_through(:require_privileged_role_instance_delete) delete("/instances/:instance", InstanceController, :delete) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_moderation_log_read) get("/moderation_log", AdminAPIController, :list_log) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_stats_read) get("/stats", AdminAPIController, :stats) end -- cgit v1.2.3 From 7adfc2e0f429f84eb7eb2712529e9a3486354d01 Mon Sep 17 00:00:00 2001 From: Ilja Date: Mon, 13 Jun 2022 09:58:50 +0200 Subject: Add Pleroma.User.privileged?/2 This should eventually replace Pleroma.User.superuser?/1 --- lib/pleroma/user.ex | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 747a83e8d..b93ce9c2c 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -353,6 +353,24 @@ defmodule Pleroma.User do end end + @spec privileged?(User.t(), atom()) :: boolean() + def privileged?(%User{is_admin: false, is_moderator: false}, _), do: false + + def privileged?( + %User{local: true, is_admin: is_admin, is_moderator: is_moderator}, + privilege_tag + ), + do: + privileged_for?(privilege_tag, is_admin, :admin_privileges) or + privileged_for?(privilege_tag, is_moderator, :moderator_privileges) + + def privileged?(_, _), do: false + + defp privileged_for?(privilege_tag, true, config_role_key), + do: privilege_tag in Config.get([:instance, config_role_key]) + + defp privileged_for?(_, _, _), do: false + @spec superuser?(User.t()) :: boolean() def superuser?(%User{local: true, is_admin: true}), do: true def superuser?(%User{local: true, is_moderator: true}), do: true -- cgit v1.2.3 From 7cf473c50076f31bb01bad92501a8c2353874b96 Mon Sep 17 00:00:00 2001 From: Ilja Date: Mon, 13 Jun 2022 11:00:49 +0200 Subject: delete statusses is now privileged by :status_delete Instead of superusers, you now need a role with privilige :status_delete to delete other users statusses I also cleaned up some other stuff I saw --- lib/pleroma/web/common_api.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex index 1b95ee89c..ce1d5a7cc 100644 --- a/lib/pleroma/web/common_api.ex +++ b/lib/pleroma/web/common_api.ex @@ -144,7 +144,7 @@ defmodule Pleroma.Web.CommonAPI do {:find_activity, Activity.get_by_id(activity_id)}, {_, %Object{} = object, _} <- {:find_object, Object.normalize(activity, fetch: false), activity}, - true <- User.superuser?(user) || user.ap_id == object.data["actor"], + true <- User.privileged?(user, :status_delete) || user.ap_id == object.data["actor"], {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]), {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do {:ok, delete} -- cgit v1.2.3 From bb61cfee8dc27c658215f05cce3ea58fca5b3db3 Mon Sep 17 00:00:00 2001 From: Ilja Date: Mon, 13 Jun 2022 13:58:26 +0200 Subject: Validator for deleting statusses is now done with priviledge instead of superuser --- .../web/activity_pub/object_validators/common_validations.ex | 6 +++--- lib/pleroma/web/activity_pub/object_validators/delete_validator.ex | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex index 704b3abc9..1c5b1a059 100644 --- a/lib/pleroma/web/activity_pub/object_validators/common_validations.ex +++ b/lib/pleroma/web/activity_pub/object_validators/common_validations.ex @@ -136,11 +136,11 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.CommonValidations do # This figures out if a user is able to create, delete or modify something # based on the domain and superuser status - @spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t() - def validate_modification_rights(cng) do + @spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t() + def validate_modification_rights(cng, privilege) do actor = User.get_cached_by_ap_id(get_field(cng, :actor)) - if User.superuser?(actor) || same_domain?(cng) do + if User.privileged?(actor, privilege) || same_domain?(cng) do cng else cng diff --git a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex index 035fd5bc9..6e4208167 100644 --- a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex +++ b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex @@ -61,7 +61,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidator do |> validate_required([:id, :type, :actor, :to, :cc, :object]) |> validate_inclusion(:type, ["Delete"]) |> validate_delete_actor(:actor) - |> validate_modification_rights() + |> validate_modification_rights(:status_delete) |> validate_object_or_user_presence(allowed_types: @deletable_types) |> add_deleted_activity_id() end -- cgit v1.2.3 From edf0013ff38ae2d7bc84431d1d1384e5fc45bc0e Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 18 Jun 2022 08:32:05 +0200 Subject: User.visible_for/2 According to the tests, this was only used for unconfirmed accounts. So this just needed to be restricted to users with privilege :user_activation --- lib/pleroma/user.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index b93ce9c2c..7dfc6ce7b 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -326,7 +326,7 @@ defmodule Pleroma.User do end def visible_for(%User{} = user, for_user) do - if superuser?(for_user) do + if privileged?(for_user, :user_activation) do :visible else visible_account_status(user) -- cgit v1.2.3 From e45faddb38311c799b2276cb952ac7715e2cbfab Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 18 Jun 2022 08:38:00 +0200 Subject: Revert "Delete report notifs when demoting from superuser" This reverts commit 89667189b840fc79d85336739e6b2512684d7be0 and cdc5bbe8369d4fc66d642bb3e845a237d11e34d7. This is a side effect when changing user role. The goal was to not have report notifications when someone isn't admin or moderator any more. But this won't be triggered when we change the privilege tags for a role, so we can't use this sollution any more. There was another solution to filter out report notifications during fetch. It wasn't merged because this seemed 'cleaner' at the time, but now it seems the better sollution. I'll add it in the next commit. --- lib/pleroma/notification.ex | 8 -------- lib/pleroma/user.ex | 16 +--------------- 2 files changed, 1 insertion(+), 23 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/notification.ex b/lib/pleroma/notification.ex index 52fd2656b..41385884b 100644 --- a/lib/pleroma/notification.ex +++ b/lib/pleroma/notification.ex @@ -341,14 +341,6 @@ defmodule Pleroma.Notification do |> Repo.delete_all() end - def destroy_multiple_from_types(%{id: user_id}, types) do - from(n in Notification, - where: n.user_id == ^user_id, - where: n.type in ^types - ) - |> Repo.delete_all() - end - def dismiss(%Pleroma.Activity{} = activity) do Notification |> where([n], n.activity_id == ^activity.id) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 7dfc6ce7b..b68d5cf9a 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -1147,24 +1147,10 @@ defmodule Pleroma.User do |> update_and_set_cache() end - def update_and_set_cache(%{data: %Pleroma.User{} = user} = changeset) do - was_superuser_before_update = User.superuser?(user) - + def update_and_set_cache(changeset) do with {:ok, user} <- Repo.update(changeset, stale_error_field: :id) do set_cache(user) end - |> maybe_remove_report_notifications(was_superuser_before_update) - end - - defp maybe_remove_report_notifications({:ok, %Pleroma.User{} = user} = result, true) do - if not User.superuser?(user), - do: user |> Notification.destroy_multiple_from_types(["pleroma:report"]) - - result - end - - defp maybe_remove_report_notifications(result, _) do - result end def get_user_friends_ap_ids(user) do -- cgit v1.2.3 From eab13fed3e6ba7edd7847fd00581b45dc4292af0 Mon Sep 17 00:00:00 2001 From: Ilja Date: Wed, 2 Mar 2022 18:05:50 +0100 Subject: Hide pleroma:report for non-privileged users Before we deleted the notifications, but that was a side effect and didn't always trigger any more. Now we just hide them when an unprivileged user asks them. --- lib/pleroma/web/mastodon_api/mastodon_api.ex | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex index 5e32b9611..21ee5f0d4 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex @@ -61,7 +61,18 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPI do end def get_notifications(user, params \\ %{}) do - options = cast_params(params) + options = + cast_params(params) |> Map.update(:include_types, [], fn include_types -> include_types end) + + options = + if "pleroma:report" not in options.include_types or User.privileged?(user, :report_handle) do + options + else + options + |> Map.update(:exclude_types, ["pleroma:report"], fn current_exclude_types -> + current_exclude_types ++ ["pleroma:report"] + end) + end user |> Notification.for_user_query(options) -- cgit v1.2.3 From a1c8aa4721de8f5edd7d69dcd745586df23f5a31 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 18 Jun 2022 10:55:45 +0200 Subject: Remove function superuser? Everything now happens with privileged?/2 --- lib/pleroma/user.ex | 5 ----- 1 file changed, 5 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index b68d5cf9a..af29f85b5 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -371,11 +371,6 @@ defmodule Pleroma.User do defp privileged_for?(_, _, _), do: false - @spec superuser?(User.t()) :: boolean() - def superuser?(%User{local: true, is_admin: true}), do: true - def superuser?(%User{local: true, is_moderator: true}), do: true - def superuser?(_), do: false - @spec invisible?(User.t()) :: boolean() def invisible?(%User{invisible: true}), do: true def invisible?(_), do: false -- cgit v1.2.3 From 34adea8d28cec91f03047989cbbaaf0b402c3a55 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sun, 19 Jun 2022 11:05:09 +0200 Subject: Add Pleroma.User.all_users_with_privilege/1 This should eventually replace the Pleroma.User.all_superusers/0 function * I added a new param `is_privileged` in User.query * Now we can fetch all users with a specified privilege --- lib/pleroma/user.ex | 5 +++++ lib/pleroma/user/query.ex | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index af29f85b5..16438e524 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -2205,6 +2205,11 @@ defmodule Pleroma.User do |> Repo.all() end + @spec all_users_with_privilege(atom()) :: [User.t()] + def all_users_with_privilege(privilege) do + User.Query.build(%{is_privileged: privilege}) |> Repo.all() + end + def muting_reblogs?(%User{} = user, %User{} = target) do UserRelationship.reblog_mute_exists?(user, target) end diff --git a/lib/pleroma/user/query.ex b/lib/pleroma/user/query.ex index 20bc1ea61..3e090cac0 100644 --- a/lib/pleroma/user/query.ex +++ b/lib/pleroma/user/query.ex @@ -29,6 +29,7 @@ defmodule Pleroma.User.Query do import Ecto.Query import Pleroma.Web.Utils.Guards, only: [not_empty_string: 1] + alias Pleroma.Config alias Pleroma.FollowingRelationship alias Pleroma.User @@ -49,6 +50,7 @@ defmodule Pleroma.User.Query do is_suggested: boolean(), is_discoverable: boolean(), super_users: boolean(), + is_privileged: atom(), invisible: boolean(), internal: boolean(), followers: User.t(), @@ -136,6 +138,43 @@ defmodule Pleroma.User.Query do ) end + defp compose_query({:is_privileged, privilege}, query) do + moderator_privileged = privilege in Config.get([:instance, :moderator_privileges]) + admin_privileged = privilege in Config.get([:instance, :admin_privileges]) + + query = compose_query({:active, true}, query) + query = compose_query({:local, true}, query) + + case {admin_privileged, moderator_privileged} do + {false, false} -> + where( + query, + false + ) + + {true, true} -> + where( + query, + [u], + u.is_admin or u.is_moderator + ) + + {true, false} -> + where( + query, + [u], + u.is_admin + ) + + {false, true} -> + where( + query, + [u], + u.is_moderator + ) + end + end + defp compose_query({:local, _}, query), do: location_query(query, true) defp compose_query({:external, _}, query), do: location_query(query, false) -- cgit v1.2.3 From e21ef5aef389f7cef9ba53525d2d38bb29f5e257 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sun, 19 Jun 2022 16:26:56 +0200 Subject: report notifications for privileged users Instead of `Pleroma.User.all_superusers()` we now use `Pleroma.User.all_superusers(:report_handle)` I also changed it for sending emails, but there were no tests. --- lib/pleroma/notification.ex | 3 ++- lib/pleroma/web/activity_pub/activity_pub.ex | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/notification.ex b/lib/pleroma/notification.ex index 41385884b..9a3ffc0c2 100644 --- a/lib/pleroma/notification.ex +++ b/lib/pleroma/notification.ex @@ -542,7 +542,8 @@ defmodule Pleroma.Notification do end def get_potential_receiver_ap_ids(%{data: %{"type" => "Flag", "actor" => actor}}) do - (User.all_superusers() |> Enum.map(fn user -> user.ap_id end)) -- [actor] + (User.all_users_with_privilege(:report_handle) |> Enum.map(fn user -> user.ap_id end)) -- + [actor] end def get_potential_receiver_ap_ids(activity) do diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 064f93b22..68cd818b9 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -392,11 +392,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do _ <- notify_and_stream(activity), :ok <- maybe_federate(stripped_activity) do - User.all_superusers() + User.all_users_with_privilege(:report_handle) |> Enum.filter(fn user -> user.ap_id != actor end) |> Enum.filter(fn user -> not is_nil(user.email) end) - |> Enum.each(fn superuser -> - superuser + |> Enum.each(fn privileged_user -> + privileged_user |> Pleroma.Emails.AdminEmail.report(actor, account, statuses, content) |> Pleroma.Emails.Mailer.deliver_async() end) -- cgit v1.2.3 From 143ea7b80a228d9bd23a77354fe214553ca2b8cc Mon Sep 17 00:00:00 2001 From: Ilja Date: Tue, 21 Jun 2022 09:21:45 +0200 Subject: Add deactivated status for privileged users Deactivated users are only visible to users privileged with :user_activation since fc317f3b17 Here we also make sure the users who are deactivated get the status deactivated for users who are allowed to see these users --- lib/pleroma/web/mastodon_api/views/account_view.ex | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex index 988eedbb1..d3f2245e2 100644 --- a/lib/pleroma/web/mastodon_api/views/account_view.ex +++ b/lib/pleroma/web/mastodon_api/views/account_view.ex @@ -398,12 +398,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do defp maybe_put_allow_following_move(data, _, _), do: data - defp maybe_put_activation_status(data, user, %User{is_admin: true}) do - Kernel.put_in(data, [:pleroma, :deactivated], !user.is_active) + defp maybe_put_activation_status(data, user, user_for) do + if User.privileged?(user_for, :user_activation), + do: Kernel.put_in(data, [:pleroma, :deactivated], !user.is_active), + else: data end - defp maybe_put_activation_status(data, _, _), do: data - defp maybe_put_unread_conversation_count(data, %User{id: user_id} = user, %User{id: user_id}) do data |> Kernel.put_in( -- cgit v1.2.3 From 211e561e2ad862c75a1b34f783d3210523dc211e Mon Sep 17 00:00:00 2001 From: Ilja Date: Tue, 21 Jun 2022 11:13:32 +0200 Subject: Show privileges to FE I added an extra key We already had is_admin and is_moderator, now we have an extra privileges key --- lib/pleroma/user.ex | 22 ++++++++++++++++++++++ lib/pleroma/web/mastodon_api/views/account_view.ex | 13 ++++++++----- 2 files changed, 30 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 16438e524..fb2fade42 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -371,6 +371,28 @@ defmodule Pleroma.User do defp privileged_for?(_, _, _), do: false + @spec privileges(User.t()) :: [atom()] + def privileges(%User{local: false}) do + [] + end + + def privileges(%User{is_moderator: false, is_admin: false}) do + [] + end + + def privileges(%User{local: true, is_moderator: true, is_admin: true}) do + (Config.get([:instance, :moderator_privileges]) ++ Config.get([:instance, :admin_privileges])) + |> Enum.uniq() + end + + def privileges(%User{local: true, is_moderator: true, is_admin: false}) do + Config.get([:instance, :moderator_privileges]) + end + + def privileges(%User{local: true, is_moderator: false, is_admin: true}) do + Config.get([:instance, :admin_privileges]) + end + @spec invisible?(User.t()) :: boolean() def invisible?(%User{invisible: true}), do: true def invisible?(_), do: false diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex index d3f2245e2..a28ad9d85 100644 --- a/lib/pleroma/web/mastodon_api/views/account_view.ex +++ b/lib/pleroma/web/mastodon_api/views/account_view.ex @@ -369,19 +369,22 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do defp maybe_put_chat_token(data, _, _, _), do: data defp maybe_put_role(data, %User{show_role: true} = user, _) do - data - |> Kernel.put_in([:pleroma, :is_admin], user.is_admin) - |> Kernel.put_in([:pleroma, :is_moderator], user.is_moderator) + put_role(data, user) end defp maybe_put_role(data, %User{id: user_id} = user, %User{id: user_id}) do + put_role(data, user) + end + + defp maybe_put_role(data, _, _), do: data + + defp put_role(data, user) do data |> Kernel.put_in([:pleroma, :is_admin], user.is_admin) |> Kernel.put_in([:pleroma, :is_moderator], user.is_moderator) + |> Kernel.put_in([:pleroma, :privileges], User.privileges(user)) end - defp maybe_put_role(data, _, _), do: data - defp maybe_put_notification_settings(data, %User{id: user_id} = user, %User{id: user_id}) do Kernel.put_in( data, -- cgit v1.2.3 From 4e4eb81749076ada5692b92061c77a72832a9cc8 Mon Sep 17 00:00:00 2001 From: Ilja Date: Tue, 21 Jun 2022 12:03:35 +0200 Subject: Add nodes and privileges to nodeinfo I didn't add it to /api/v1/instance I was wondering if I should, but since it e.g. also didn't show staff, it felt better not to --- lib/pleroma/web/nodeinfo/nodeinfo.ex | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/web/nodeinfo/nodeinfo.ex b/lib/pleroma/web/nodeinfo/nodeinfo.ex index c7b9ab2de..9e27ac26c 100644 --- a/lib/pleroma/web/nodeinfo/nodeinfo.ex +++ b/lib/pleroma/web/nodeinfo/nodeinfo.ex @@ -49,6 +49,10 @@ defmodule Pleroma.Web.Nodeinfo.Nodeinfo do enabled: false }, staffAccounts: staff_accounts, + roles: %{ + admin: Config.get([:instance, :admin_privileges]), + moderator: Config.get([:instance, :moderator_privileges]) + }, federation: federation, pollLimits: Config.get([:instance, :poll_limits]), postFormats: Config.get([:instance, :allowed_post_formats]), -- cgit v1.2.3 From 37fdf148b0963b62ab746a8ece2aacf893ba8934 Mon Sep 17 00:00:00 2001 From: Ilja Date: Fri, 1 Jul 2022 09:54:05 +0200 Subject: Rename privilege tags I first focussed on getting things working Now that they do and we know what tags there are, I put some thought in providing better names I use the form _ :statuses_read => :messages_read :status_delete => :messages_delete :user_read => :users_read :user_deletion => :users_delete :user_activation => :users_manage_activation_state :user_invite => :users_manage_invites :user_tag => :users_manage_tags :user_credentials => :users_manage_credentials :report_handle => :reports_manage_reports :emoji_management => :emoji_manage_emoji --- lib/pleroma/notification.ex | 3 ++- lib/pleroma/user.ex | 2 +- lib/pleroma/web/activity_pub/activity_pub.ex | 2 +- .../object_validators/delete_validator.ex | 2 +- lib/pleroma/web/common_api.ex | 2 +- lib/pleroma/web/mastodon_api/mastodon_api.ex | 3 ++- lib/pleroma/web/mastodon_api/views/account_view.ex | 2 +- lib/pleroma/web/router.ex | 20 ++++++++++---------- 8 files changed, 19 insertions(+), 17 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/notification.ex b/lib/pleroma/notification.ex index 9a3ffc0c2..cfc4bfca3 100644 --- a/lib/pleroma/notification.ex +++ b/lib/pleroma/notification.ex @@ -542,7 +542,8 @@ defmodule Pleroma.Notification do end def get_potential_receiver_ap_ids(%{data: %{"type" => "Flag", "actor" => actor}}) do - (User.all_users_with_privilege(:report_handle) |> Enum.map(fn user -> user.ap_id end)) -- + (User.all_users_with_privilege(:reports_manage_reports) + |> Enum.map(fn user -> user.ap_id end)) -- [actor] end diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index fb2fade42..11c4d0684 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -326,7 +326,7 @@ defmodule Pleroma.User do end def visible_for(%User{} = user, for_user) do - if privileged?(for_user, :user_activation) do + if privileged?(for_user, :users_manage_activation_state) do :visible else visible_account_status(user) diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 68cd818b9..06c894efd 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -392,7 +392,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do _ <- notify_and_stream(activity), :ok <- maybe_federate(stripped_activity) do - User.all_users_with_privilege(:report_handle) + User.all_users_with_privilege(:reports_manage_reports) |> Enum.filter(fn user -> user.ap_id != actor end) |> Enum.filter(fn user -> not is_nil(user.email) end) |> Enum.each(fn privileged_user -> diff --git a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex index 6e4208167..4d8502ada 100644 --- a/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex +++ b/lib/pleroma/web/activity_pub/object_validators/delete_validator.ex @@ -61,7 +61,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidator do |> validate_required([:id, :type, :actor, :to, :cc, :object]) |> validate_inclusion(:type, ["Delete"]) |> validate_delete_actor(:actor) - |> validate_modification_rights(:status_delete) + |> validate_modification_rights(:messages_delete) |> validate_object_or_user_presence(allowed_types: @deletable_types) |> add_deleted_activity_id() end diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex index ce1d5a7cc..4ac5df63f 100644 --- a/lib/pleroma/web/common_api.ex +++ b/lib/pleroma/web/common_api.ex @@ -144,7 +144,7 @@ defmodule Pleroma.Web.CommonAPI do {:find_activity, Activity.get_by_id(activity_id)}, {_, %Object{} = object, _} <- {:find_object, Object.normalize(activity, fetch: false), activity}, - true <- User.privileged?(user, :status_delete) || user.ap_id == object.data["actor"], + true <- User.privileged?(user, :messages_delete) || user.ap_id == object.data["actor"], {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]), {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do {:ok, delete} diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex index 21ee5f0d4..932e5d4eb 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex @@ -65,7 +65,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPI do cast_params(params) |> Map.update(:include_types, [], fn include_types -> include_types end) options = - if "pleroma:report" not in options.include_types or User.privileged?(user, :report_handle) do + if "pleroma:report" not in options.include_types or + User.privileged?(user, :reports_manage_reports) do options else options diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex index a28ad9d85..34b34dc19 100644 --- a/lib/pleroma/web/mastodon_api/views/account_view.ex +++ b/lib/pleroma/web/mastodon_api/views/account_view.ex @@ -402,7 +402,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do defp maybe_put_allow_following_move(data, _, _), do: data defp maybe_put_activation_status(data, user, user_for) do - if User.privileged?(user_for, :user_activation), + if User.privileged?(user_for, :users_manage_activation_state), do: Kernel.put_in(data, [:pleroma, :deactivated], !user.is_active), else: data end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index f680c8353..cbb5ca55f 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -107,52 +107,52 @@ defmodule Pleroma.Web.Router do pipeline :require_privileged_role_user_deletion do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_deletion) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_delete) end pipeline :require_privileged_role_user_credentials do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_credentials) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_credentials) end pipeline :require_privileged_role_statuses_read do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statuses_read) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_read) end pipeline :require_privileged_role_user_tag do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_tag) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_tags) end pipeline :require_privileged_role_user_activation do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_activation) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_activation_state) end pipeline :require_privileged_role_user_invite do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_invites) end pipeline :require_privileged_role_report_handle do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :reports_manage_reports) end pipeline :require_privileged_role_user_read do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_read) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_read) end pipeline :require_privileged_role_status_delete do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :status_delete) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_delete) end pipeline :require_privileged_role_emoji_management do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_management) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_manage_emoji) end pipeline :require_privileged_role_instance_delete do -- cgit v1.2.3 From c0e4b1b3e27a4a8f8f02ea6a33b76c6f2a386d95 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 2 Jul 2022 07:52:39 +0200 Subject: Fix typo's priviledge |-> privilege --- lib/pleroma/web/plugs/ensure_privileged_plug.ex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/plugs/ensure_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_privileged_plug.ex index be09f3d81..f886c87ea 100644 --- a/lib/pleroma/web/plugs/ensure_privileged_plug.ex +++ b/lib/pleroma/web/plugs/ensure_privileged_plug.ex @@ -24,10 +24,10 @@ defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlug do def call( %{assigns: %{user: %User{is_admin: is_admin, is_moderator: is_moderator}}} = conn, - priviledge + privilege ) do - if (is_admin and priviledge in Config.get([:instance, :admin_privileges])) or - (is_moderator and priviledge in Config.get([:instance, :moderator_privileges])) do + if (is_admin and privilege in Config.get([:instance, :admin_privileges])) or + (is_moderator and privilege in Config.get([:instance, :moderator_privileges])) do conn else conn -- cgit v1.2.3 From 42d4bd3a5d49a472b8fcb85e6cd413eb0d6dab3f Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 2 Jul 2022 08:55:14 +0200 Subject: Rename pipelines and add forgotten tags I renamed some tags before, but forgot to rename the pipelines I also had some tags which I forgot to add to the config, description, etc. These have now been done/added --- lib/pleroma/web/router.ex | 56 +++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 28 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index cbb5ca55f..e781d3673 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -105,59 +105,59 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.UserIsAdminPlug) end - pipeline :require_privileged_role_user_deletion do + pipeline :require_privileged_role_users_delete do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_delete) end - pipeline :require_privileged_role_user_credentials do + pipeline :require_privileged_role_users_manage_credentials do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_credentials) end - pipeline :require_privileged_role_statuses_read do + pipeline :require_privileged_role_messages_read do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_read) end - pipeline :require_privileged_role_user_tag do + pipeline :require_privileged_role_users_manage_tags do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_tags) end - pipeline :require_privileged_role_user_activation do + pipeline :require_privileged_role_users_manage_activation_state do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_activation_state) end - pipeline :require_privileged_role_user_invite do + pipeline :require_privileged_role_users_manage_invites do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_manage_invites) end - pipeline :require_privileged_role_report_handle do + pipeline :require_privileged_role_reports_manage_reports do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :reports_manage_reports) end - pipeline :require_privileged_role_user_read do + pipeline :require_privileged_role_users_read do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :users_read) end - pipeline :require_privileged_role_status_delete do + pipeline :require_privileged_role_messages_delete do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :messages_delete) end - pipeline :require_privileged_role_emoji_management do + pipeline :require_privileged_role_emoji_manage_emoji do plug(:admin_api) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :emoji_manage_emoji) end - pipeline :require_privileged_role_instance_delete do + pipeline :require_privileged_role_instances_delete do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :instance_delete) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :instances_delete) end pipeline :require_privileged_role_moderation_log_read do @@ -165,9 +165,9 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :moderation_log_read) end - pipeline :require_privileged_role_stats_read do + pipeline :require_privileged_role_statistics_read do plug(:admin_api) - plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :stats_read) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statistics_read) end pipeline :pleroma_html do @@ -293,14 +293,14 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_deletion) + pipe_through(:require_privileged_role_users_delete) delete("/users", UserController, :delete) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_credentials) + pipe_through(:require_privileged_role_users_manage_credentials) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) @@ -308,7 +308,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_statuses_read) + pipe_through(:require_privileged_role_messages_read) get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses) get("/users/:nickname/chats", AdminAPIController, :list_user_chats) @@ -325,7 +325,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_tag) + pipe_through(:require_privileged_role_users_manage_tags) put("/users/tag", AdminAPIController, :tag_users) delete("/users/tag", AdminAPIController, :untag_users) @@ -333,7 +333,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_activation) + pipe_through(:require_privileged_role_users_manage_activation_state) patch("/users/:nickname/toggle_activation", UserController, :toggle_activation) patch("/users/activate", UserController, :activate) @@ -342,7 +342,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_invite) + pipe_through(:require_privileged_role_users_manage_invites) patch("/users/approve", UserController, :approve) post("/users/invite_token", InviteController, :create) @@ -353,7 +353,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_report_handle) + pipe_through(:require_privileged_role_reports_manage_reports) get("/reports", ReportController, :index) get("/reports/:id", ReportController, :show) @@ -364,7 +364,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_user_read) + pipe_through(:require_privileged_role_users_read) get("/users", UserController, :index) get("/users/:nickname", UserController, :show) @@ -372,7 +372,7 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_status_delete) + pipe_through(:require_privileged_role_messages_delete) put("/statuses/:id", StatusController, :update) delete("/statuses/:id", StatusController, :delete) @@ -382,14 +382,14 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_emoji_management) + pipe_through(:require_privileged_role_emoji_manage_emoji) post("/reload_emoji", AdminAPIController, :reload_emoji) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_instance_delete) + pipe_through(:require_privileged_role_instances_delete) delete("/instances/:instance", InstanceController, :delete) end @@ -403,14 +403,14 @@ defmodule Pleroma.Web.Router do # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do - pipe_through(:require_privileged_role_stats_read) + pipe_through(:require_privileged_role_statistics_read) get("/stats", AdminAPIController, :stats) end scope "/api/v1/pleroma/emoji", Pleroma.Web.PleromaAPI do scope "/pack" do - pipe_through(:require_privileged_role_emoji_management) + pipe_through(:require_privileged_role_emoji_manage_emoji) post("/", EmojiPackController, :create) patch("/", EmojiPackController, :update) @@ -425,7 +425,7 @@ defmodule Pleroma.Web.Router do # Modifying packs scope "/packs" do - pipe_through(:require_privileged_role_emoji_management) + pipe_through(:require_privileged_role_emoji_manage_emoji) get("/import", EmojiPackController, :import_from_filesystem) get("/remote", EmojiPackController, :remote) -- cgit v1.2.3 From c045a49909c2a1078864484d0327e03dac73687b Mon Sep 17 00:00:00 2001 From: Ilja Date: Thu, 14 Jul 2022 08:40:26 +0200 Subject: Add privilege for announcements --- lib/pleroma/web/router.ex | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index e715aaa96..f77513046 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -170,6 +170,11 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :statistics_read) end + pipeline :require_privileged_role_announcements_manage_announcements do + plug(:admin_api) + plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :announcements_manage_announcements) + end + pipeline :pleroma_html do plug(:browser) plug(:authenticate) @@ -289,6 +294,11 @@ defmodule Pleroma.Web.Router do post("/frontends/install", FrontendController, :install) post("/backups", AdminAPIController, :create_backup) + end + + # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) + scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do + pipe_through(:require_privileged_role_announcements_manage_announcements) get("/announcements", AnnouncementController, :index) post("/announcements", AnnouncementController, :create) -- cgit v1.2.3 From 2d7ea263a1f7dba8e0a7667a95ea8af110e9be27 Mon Sep 17 00:00:00 2001 From: Ilja Date: Sat, 24 Sep 2022 13:52:28 +0200 Subject: Add extra routes to :users_manage_credentials privilege --- lib/pleroma/web/router.ex | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index f77513046..a50232422 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -233,8 +233,6 @@ defmodule Pleroma.Web.Router do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through([:admin_api, :require_admin]) - put("/users/disable_mfa", AdminAPIController, :disable_mfa) - get("/users/:nickname/permission_group", AdminAPIController, :right_get) get("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_get) @@ -265,16 +263,10 @@ defmodule Pleroma.Web.Router do post("/relay", RelayController, :follow) delete("/relay", RelayController, :unfollow) - patch("/users/force_password_reset", AdminAPIController, :force_password_reset) - get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) - get("/instance_document/:name", InstanceDocumentController, :show) patch("/instance_document/:name", InstanceDocumentController, :update) delete("/instance_document/:name", InstanceDocumentController, :delete) - patch("/users/confirm_email", AdminAPIController, :confirm_email) - patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email) - get("/config", ConfigController, :show) post("/config", ConfigController, :update) get("/config/descriptions", ConfigController, :descriptions) @@ -319,7 +311,12 @@ defmodule Pleroma.Web.Router do pipe_through(:require_privileged_role_users_manage_credentials) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) + get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) + put("/users/disable_mfa", AdminAPIController, :disable_mfa) + patch("/users/force_password_reset", AdminAPIController, :force_password_reset) + patch("/users/confirm_email", AdminAPIController, :confirm_email) + patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) -- cgit v1.2.3 From c58eb873dd47ebd1b207c9f79ccffe2c3819949d Mon Sep 17 00:00:00 2001 From: Sean King Date: Sun, 18 Dec 2022 22:05:07 -0700 Subject: Fix CommonAPI delete function to use User.privileged? instead of User.superuser? --- lib/pleroma/web/common_api.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex index 97f2aec3b..89cc0d6fe 100644 --- a/lib/pleroma/web/common_api.ex +++ b/lib/pleroma/web/common_api.ex @@ -148,7 +148,7 @@ defmodule Pleroma.Web.CommonAPI do true <- User.privileged?(user, :messages_delete) || user.ap_id == object.data["actor"], {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]), {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do - if User.superuser?(user) and user.ap_id != object.data["actor"] do + if User.privileged?(user, :messages_delete) and user.ap_id != object.data["actor"] do action = if object.data["type"] == "ChatMessage" do "chat_message_delete" -- cgit v1.2.3 From 351b5a9df406a8a093d10dec3cdfa3bb2d709efb Mon Sep 17 00:00:00 2001 From: Sean King Date: Wed, 21 Dec 2022 23:35:39 -0700 Subject: Use crazy hack to finally get pleroma:report notifications not visible after revoking privileges --- lib/pleroma/web/mastodon_api/mastodon_api.ex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex index c51230b92..98bf90af7 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex @@ -65,7 +65,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPI do cast_params(params) |> Map.update(:include_types, [], fn include_types -> include_types end) options = - if "pleroma:report" not in options.include_types or + if ("pleroma:report" not in options.include_types and + User.privileged?(user, :reports_manage_reports)) or User.privileged?(user, :reports_manage_reports) do options else -- cgit v1.2.3 From 90681c720d4c0530b67b0105db1204fff82835d8 Mon Sep 17 00:00:00 2001 From: Sean King Date: Wed, 21 Dec 2022 23:40:39 -0700 Subject: Make lint happy --- lib/pleroma/web/mastodon_api/mastodon_api.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex index 98bf90af7..467dc2fac 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex @@ -66,7 +66,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPI do options = if ("pleroma:report" not in options.include_types and - User.privileged?(user, :reports_manage_reports)) or + User.privileged?(user, :reports_manage_reports)) or User.privileged?(user, :reports_manage_reports) do options else -- cgit v1.2.3