diff options
| author | Ilja <ilja@ilja.space> | 2022-09-24 13:52:28 +0200 |
|---|---|---|
| committer | Ilja <ilja@ilja.space> | 2022-09-24 13:52:28 +0200 |
| commit | 2d7ea263a1f7dba8e0a7667a95ea8af110e9be27 (patch) | |
| tree | 02eee099b7061c33365ddc1b6f93034fb8299997 | |
| parent | b53cf7d4b3991bde21e05277d7fb2ee01bf57f46 (diff) | |
Add extra routes to :users_manage_credentials privilege
| -rw-r--r-- | lib/pleroma/web/router.ex | 13 | ||||
| -rw-r--r-- | test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs | 59 |
2 files changed, 64 insertions, 8 deletions
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index f77513046..a50232422 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -233,8 +233,6 @@ defmodule Pleroma.Web.Router do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do pipe_through([:admin_api, :require_admin]) - put("/users/disable_mfa", AdminAPIController, :disable_mfa) - get("/users/:nickname/permission_group", AdminAPIController, :right_get) get("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_get) @@ -265,16 +263,10 @@ defmodule Pleroma.Web.Router do post("/relay", RelayController, :follow) delete("/relay", RelayController, :unfollow) - patch("/users/force_password_reset", AdminAPIController, :force_password_reset) - get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) - get("/instance_document/:name", InstanceDocumentController, :show) patch("/instance_document/:name", InstanceDocumentController, :update) delete("/instance_document/:name", InstanceDocumentController, :delete) - patch("/users/confirm_email", AdminAPIController, :confirm_email) - patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email) - get("/config", ConfigController, :show) post("/config", ConfigController, :update) get("/config/descriptions", ConfigController, :descriptions) @@ -319,7 +311,12 @@ defmodule Pleroma.Web.Router do pipe_through(:require_privileged_role_users_manage_credentials) get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset) + get("/users/:nickname/credentials", AdminAPIController, :show_user_credentials) patch("/users/:nickname/credentials", AdminAPIController, :update_user_credentials) + put("/users/disable_mfa", AdminAPIController, :disable_mfa) + patch("/users/force_password_reset", AdminAPIController, :force_password_reset) + patch("/users/confirm_email", AdminAPIController, :confirm_email) + patch("/users/resend_confirmation_email", AdminAPIController, :resend_confirmation_email) end # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role) diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs index 372f4fe63..e1ab50542 100644 --- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs +++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs @@ -352,6 +352,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do describe "PUT disable_mfa" do test "returns 200 and disable 2fa", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) + user = insert(:user, multi_factor_authentication_settings: %MFA.Settings{ @@ -373,6 +375,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do end test "returns 404 if user not found", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) + response = conn |> put("/api/pleroma/admin/users/disable_mfa", %{nickname: "nickname"}) @@ -380,6 +384,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do assert response == %{"error" => "Not found"} end + + test "it requires privileged role :users_manage_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> put("/api/pleroma/admin/users/disable_mfa", %{nickname: "nickname"}) + + assert json_response(response, :forbidden) + end end describe "GET /api/pleroma/admin/restart" do @@ -785,6 +799,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do describe "GET /users/:nickname/credentials" do test "gets the user credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) user = insert(:user) conn = get(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials") @@ -793,6 +808,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do end test "returns 403 if requested by a non-admin" do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) user = insert(:user) conn = @@ -802,6 +818,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do assert json_response(conn, :forbidden) end + + test "it requires privileged role :users_manage_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> get("/api/pleroma/admin/users/nickname/credentials") + + assert json_response(response, :forbidden) + end end describe "PATCH /users/:nickname/credentials" do @@ -896,6 +922,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do describe "PATCH /users/:nickname/force_password_reset" do test "sets password_reset_pending to true", %{conn: conn} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) user = insert(:user) assert user.password_reset_pending == false @@ -908,10 +935,21 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do assert User.get_by_id(user.id).password_reset_pending == true end + + test "it requires privileged role :users_manage_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> patch("/api/pleroma/admin/users/force_password_reset", %{nickname: "nickname"}) + + assert json_response(response, :forbidden) + end end describe "PATCH /confirm_email" do test "it confirms emails of two users", %{conn: conn, admin: admin} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) [first_user, second_user] = insert_pair(:user, is_confirmed: false) refute first_user.is_confirmed @@ -938,10 +976,21 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do assert ModerationLog.get_log_entry_message(log_entry) == "@#{admin.nickname} confirmed email for users: @#{first_user.nickname}, @#{second_user.nickname}" end + + test "it requires privileged role :users_manage_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> patch("/api/pleroma/admin/users/confirm_email", %{nicknames: ["nickname"]}) + + assert json_response(response, :forbidden) + end end describe "PATCH /resend_confirmation_email" do test "it resend emails for two users", %{conn: conn, admin: admin} do + clear_config([:instance, :admin_privileges], [:users_manage_credentials]) [first_user, second_user] = insert_pair(:user, is_confirmed: false) ret_conn = @@ -967,6 +1016,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do |> Swoosh.Email.put_private(:hackney_options, ssl_options: [versions: [:"tlsv1.2"]]) |> assert_email_sent() end + + test "it requires privileged role :users_manage_credentials", %{conn: conn} do + clear_config([:instance, :admin_privileges], []) + + response = + conn + |> patch("/api/pleroma/admin/users/resend_confirmation_email", %{nicknames: ["nickname"]}) + + assert json_response(response, :forbidden) + end end describe "/api/pleroma/admin/stats" do |