authorHaelwenn <contact+git.pleroma.social@hacktivis.me>2022-09-05 15:42:02 +0000
committerHaelwenn <contact+git.pleroma.social@hacktivis.me>2022-09-05 15:42:02 +0000
commitb8d6cb5845f4fd1c28b09d608684a7f988dc3e1a (patch)
tree33cb90b93c84457f42e92164afaf31f00438a471
parent346c130ddca08a6927e9290a164212bf88463ca5 (diff)
parent9874b4c985ea715a37cf2d2a5c8db2fb26e28f3a (diff)
Merge branch 'from/upstream-develop/tusooa/2892-backup-scope' into 'develop'
Make backups require its own scope Closes #2892 See merge request pleroma/pleroma!3721
-rw-r--r--CHANGELOG.md1
-rw-r--r--lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex4
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/backup_controller.ex2
-rw-r--r--test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs4
4 files changed, 6 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf89bd70d..4bbbd0ea6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- **Breaking:** Elixir >=1.10 is now required (was >= 1.9)
- Allow users to remove their emails if instance does not need email to register
- Uploadfilter `Pleroma.Upload.Filter.Exiftool` has been renamed to `Pleroma.Upload.Filter.Exiftool.StripLocation`
+- **Breaking**: `/api/v1/pleroma/backups` endpoints now requires `read:backups` scope instead of `read:accounts`
- Updated the recommended pleroma.vcl configuration for Varnish to target Varnish 7.0+
### Added
diff --git a/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex b/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex
index 82ec1e7bb..45fa2b058 100644
--- a/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex
@@ -16,7 +16,7 @@ defmodule Pleroma.Web.ApiSpec.PleromaBackupOperation do
%Operation{
tags: ["Backups"],
summary: "List backups",
- security: [%{"oAuth" => ["read:account"]}],
+ security: [%{"oAuth" => ["read:backups"]}],
operationId: "PleromaAPI.BackupController.index",
responses: %{
200 =>
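Review bot: The scope string in `security:` is a hand-maintained copy of what `BackupController` enforces through `OAuthScopesPlug`, and the removed value `read:account` shows the two had already drifted (the controller used `read:accounts`). The same literal is repeated in the "Create a backup" operation in the next hunk. Define it once in this module, e.g. `@backup_scopes ["read:backups"]`, and write `security: [%{"oAuth" => @backup_scopes}]` in both operations, with a comment saying it must match the controller's plug. Both operation definitions continue outside their hunks.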
@@ -37,7 +37,7 @@ defmodule Pleroma.Web.ApiSpec.PleromaBackupOperation do
%Operation{
tags: ["Backups"],
summary: "Create a backup",
- security: [%{"oAuth" => ["read:account"]}],
+ security: [%{"oAuth" => ["read:backups"]}],
operationId: "PleromaAPI.BackupController.create",
responses: %{
200 =>
diff --git a/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex b/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex
index 1a0548295..b9daed22b 100644
--- a/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex
@@ -9,7 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupController do
alias Pleroma.Web.Plugs.OAuthScopesPlug
action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
- plug(OAuthScopesPlug, %{scopes: ["read:accounts"]} when action in [:index, :create])
+ plug(OAuthScopesPlug, %{scopes: ["read:backups"]} when action in [:index, :create])
plug(Pleroma.Web.ApiSpec.CastAndValidate)
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.PleromaBackupOperation
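Review bot: `:create` is still authorized by a `read:` scope on the new `plug(OAuthScopesPlug, ...)` line, although it starts generation of a full account export rather than reading existing state. The dedicated scope narrows which tokens reach the endpoint, but if `OAuthScopesPlug` lets a parent scope satisfy a child (a bare `read` token matching `read:backups`), every broadly scoped read-only client can still request a backup. Consider splitting the plug so `:index` keeps `read:backups` and `:create` requires a write-side scope, e.g. `plug(OAuthScopesPlug, %{scopes: ["write:backups"]} when action in [:create])`. That scope name is a proposal and would have to be introduced and documented with this change. The module body continues outside the hunk.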
diff --git a/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs b/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs
index 3b4b1bfff..a758925b7 100644
--- a/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs
+++ b/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupControllerTest do
setup do
clear_config([Pleroma.Upload, :uploader])
clear_config([Backup, :limit_days])
- oauth_access(["read:accounts"])
+ oauth_access(["read:backups"])
end
test "GET /api/v1/pleroma/backups", %{user: user, conn: conn} do
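Review bot: The updated `setup` only exercises the success path with the new scope; nothing visible asserts that a token limited to `read:accounts` is now rejected, which is the security property this change introduces. Add a negative case that builds a connection with `oauth_access(["read:accounts"])`, calls the list and create endpoints under `/api/v1/pleroma/backups`, and asserts a 403 response for both. The test module continues outside the hunk, so such a case may exist elsewhere, but it is not part of this diff.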
@@ -85,7 +85,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupControllerTest do
test "Backup without email address" do
user = Pleroma.Factory.insert(:user, email: nil)
- %{conn: conn} = oauth_access(["read:accounts"], user: user)
+ %{conn: conn} = oauth_access(["read:backups"], user: user)
assert is_nil(user.email)