diff --git a/config/config.exs b/config/config.exs
index a0c18c75a9..6fd7044e34 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -262,7 +262,8 @@
 :statuses_read,
 :user_tag,
 :user_activation,
- :user_invite
+ :user_invite,
+ :report_handle
 ],
 moderator_privileges: [],
 max_endorsed_users: 20,
diff --git a/config/description.exs b/config/description.exs
index 7e74778c54..d0364340e5 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -969,7 +969,8 @@
 :statuses_read,
 :user_tag,
 :user_activation,
- :user_invite
+ :user_invite,
+ :report_handle
 ],
 description:
 "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@@ -983,7 +984,8 @@
 :statuses_read,
 :user_tag,
 :user_activation,
- :user_invite
+ :user_invite,
+ :report_handle
 ],
 description:
 "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 87e564488e..dbcd6f3999 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -135,6 +135,11 @@ defmodule Pleroma.Web.Router do
 plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite)
 end
 
+ pipeline :require_privileged_role_report_handle do
+ plug(:admin_api)
+ plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle)
+ end
+
 pipeline :pleroma_html do
 plug(:browser)
 plug(:authenticate)
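Review bot: `:report_handle` is added only to the default `admin_privileges` list while `moderator_privileges: []` in the same hunk stays empty, so moderators, who appear to have reached the report routes through the staff `:admin_api` scope until now (see the router hunk that removes them from that scope), lose report access on every instance that has not customised `moderator_privileges`. If that narrowing is intended it needs an upgrade note, since the privilege check is enforced at the router and no error will point operators to the new setting; if it is not, the default should be `moderator_privileges: [:report_handle],`. The same list addition is repeated in the two config/description.exs hunks and should stay in step with whatever is decided here.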
@@ -312,6 +317,17 @@ defmodule Pleroma.Web.Router do
 post("/users/email_invite", InviteController, :email)
 end
 
+ # AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
+ scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
+ pipe_through(:require_privileged_role_report_handle)
+
+ get("/reports", ReportController, :index)
+ get("/reports/:id", ReportController, :show)
+ patch("/reports", ReportController, :update)
+ post("/reports/:id/notes", ReportController, :notes_create)
+ delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
+ end
+
 # AdminAPI: admins and mods (staff) can perform these actions
 scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
 pipe_through(:admin_api)
@@ -322,12 +338,6 @@ defmodule Pleroma.Web.Router do
 get("/instances/:instance/statuses", InstanceController, :list_statuses)
 delete("/instances/:instance", InstanceController, :delete)
 
- get("/reports", ReportController, :index)
- get("/reports/:id", ReportController, :show)
- patch("/reports", ReportController, :update)
- post("/reports/:id/notes", ReportController, :notes_create)
- delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
-
 get("/statuses/:id", StatusController, :show)
 put("/statuses/:id", StatusController, :update)
 delete("/statuses/:id", StatusController, :delete)
diff --git a/test/pleroma/web/admin_api/controllers/report_controller_test.exs b/test/pleroma/web/admin_api/controllers/report_controller_test.exs
index 30dcb87e2c..c39cf978b0 100644
--- a/test/pleroma/web/admin_api/controllers/report_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/report_controller_test.exs
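Review bot: The comment on the new scope, `# AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)`, does not say which privilege gates the block, so a reader has to look up the pipeline definition to learn that `:report_handle` must be present in `admin_privileges` or `moderator_privileges`. Naming it directly, `# AdminAPI: staff whose role carries the :report_handle privilege can manage reports and report notes`, makes the scope self-describing and matches how the routes are now distinct from the plain `:admin_api` scope below. The router module continues outside this hunk.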
@@ -26,6 +26,20 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
 end
 
 describe "GET /api/pleroma/admin/reports/:id" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:report_handle])
+ end
+
+ test "returns 403 if not privileged with :report_handle", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> get("/api/pleroma/admin/reports/report_id")
+
+ assert json_response(conn, :forbidden)
+ end
+
 test "returns report by its id", %{conn: conn} do
 [reporter, target_user] = insert_pair(:user)
 activity = insert(:note_activity, user: target_user)
@@ -63,6 +77,8 @@ test "returns 404 when report id is invalid", %{conn: conn} do
 
 describe "PATCH /api/pleroma/admin/reports" do
 setup do
+ clear_config([:instance, :admin_privileges], [:report_handle])
+
 [reporter, target_user] = insert_pair(:user)
 activity = insert(:note_activity, user: target_user)
 
@@ -86,6 +102,20 @@ test "returns 404 when report id is invalid", %{conn: conn} do
 }
 end
 
+ test "returns 403 if not privileged with :report_handle", %{conn: conn, id: id, admin: admin} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> assign(:token, insert(:oauth_token, user: admin, scopes: ["admin:write:reports"]))
+ |> put_req_header("content-type", "application/json")
+ |> patch("/api/pleroma/admin/reports", %{
+ "reports" => [%{"state" => "resolved", "id" => id}]
+ })
+
+ assert json_response(conn, :forbidden)
+ end
+
 test "requires admin:write:reports scope", %{conn: conn, id: id, admin: admin} do
 read_token = insert(:oauth_token, user: admin, scopes: ["admin:read"])
 write_token = insert(:oauth_token, user: admin, scopes: ["admin:write:reports"])
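Review bot: The new 403 tests in this hunk and in the `@@ -86`, `@@ -209` and `@@ -345` hunks only exercise the existing fixture user (which appears to be an admin, given the `admin: admin` context) with `admin_privileges` emptied; none of them grants `:report_handle` through `moderator_privileges` to a moderator, so the moderator side of the new `:require_privileged_role_report_handle` pipeline is not covered in either direction. A companion test that calls `clear_config([:instance, :moderator_privileges], [:report_handle])`, signs in a moderator user and expects a 200 from the same request would pin the intended behaviour and catch the default-config regression for moderators. As a point of style, `conn = conn |> get("/api/pleroma/admin/reports/report_id")` here and `conn |> get(report_path(conn, :index))` in the `@@ -209` hunk are single-step pipes; `conn = get(conn, "/api/pleroma/admin/reports/report_id")` is the form credo recommends. The enclosing test module continues outside this hunk.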
@@ -209,6 +239,20 @@ test "updates state of multiple reports", %{
 end
 
 describe "GET /api/pleroma/admin/reports" do
+ setup do
+ clear_config([:instance, :admin_privileges], [:report_handle])
+ end
+
+ test "returns 403 if not privileged with :report_handle", %{conn: conn} do
+ clear_config([:instance, :admin_privileges], [])
+
+ conn =
+ conn
+ |> get(report_path(conn, :index))
+
+ assert json_response(conn, :forbidden)
+ end
+
 test "returns empty response when no reports created", %{conn: conn} do
 response =
 conn
@@ -317,6 +361,8 @@ test "returns 403 when requested by anonymous" do
 
 describe "POST /api/pleroma/admin/reports/:id/notes" do
 setup %{conn: conn, admin: admin} do
+ clear_config([:instance, :admin_privileges], [:report_handle])
+
 [reporter, target_user] = insert_pair(:user)
 activity = insert(:note_activity, user: target_user)
 
@@ -345,6 +391,22 @@ test "returns 403 when requested by anonymous" do
 }
 end
 
+ test "returns 403 if not privileged with :report_handle", %{conn: conn, report_id: report_id} do
+ clear_config([:instance, :admin_privileges], [])
+
+ post_conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> post("/api/pleroma/admin/reports/#{report_id}/notes", %{
+ content: "this is disgusting2!"
+ })
+
+ delete_conn = delete(conn, "/api/pleroma/admin/reports/#{report_id}/notes/note.id")
+
+ assert json_response(post_conn, :forbidden)
+ assert json_response(delete_conn, :forbidden)
+ end
+
 test "it creates report note", %{admin_id: admin_id, report_id: report_id} do
 assert [note, _] = Repo.all(ReportNote)