Add privileges for :report_handle

This commit is contained in:
Ilja 2022-05-28 09:43:57 +02:00
parent 14e697a64f
commit 3f26f1b30f
4 changed files with 84 additions and 9 deletions

View file

@ -262,7 +262,8 @@
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation, :user_activation,
:user_invite :user_invite,
:report_handle
], ],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,

View file

@ -969,7 +969,8 @@
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation, :user_activation,
:user_invite :user_invite,
:report_handle
], ],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
@ -983,7 +984,8 @@
:statuses_read, :statuses_read,
:user_tag, :user_tag,
:user_activation, :user_activation,
:user_invite :user_invite,
:report_handle
], ],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"

View file

@ -135,6 +135,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite) plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :user_invite)
end end
pipeline :require_privileged_role_report_handle do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsurePrivilegedPlug, :report_handle)
end
pipeline :pleroma_html do pipeline :pleroma_html do
plug(:browser) plug(:browser)
plug(:authenticate) plug(:authenticate)
@ -312,6 +317,17 @@ defmodule Pleroma.Web.Router do
post("/users/email_invite", InviteController, :email) post("/users/email_invite", InviteController, :email)
end end
# AdminAPI: admins and mods (staff) can perform these actions (if privileged by role)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:require_privileged_role_report_handle)
get("/reports", ReportController, :index)
get("/reports/:id", ReportController, :show)
patch("/reports", ReportController, :update)
post("/reports/:id/notes", ReportController, :notes_create)
delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:admin_api)
@ -322,12 +338,6 @@ defmodule Pleroma.Web.Router do
get("/instances/:instance/statuses", InstanceController, :list_statuses) get("/instances/:instance/statuses", InstanceController, :list_statuses)
delete("/instances/:instance", InstanceController, :delete) delete("/instances/:instance", InstanceController, :delete)
get("/reports", ReportController, :index)
get("/reports/:id", ReportController, :show)
patch("/reports", ReportController, :update)
post("/reports/:id/notes", ReportController, :notes_create)
delete("/reports/:report_id/notes/:id", ReportController, :notes_delete)
get("/statuses/:id", StatusController, :show) get("/statuses/:id", StatusController, :show)
put("/statuses/:id", StatusController, :update) put("/statuses/:id", StatusController, :update)
delete("/statuses/:id", StatusController, :delete) delete("/statuses/:id", StatusController, :delete)

View file

@ -26,6 +26,20 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
end end
describe "GET /api/pleroma/admin/reports/:id" do describe "GET /api/pleroma/admin/reports/:id" do
setup do
clear_config([:instance, :admin_privileges], [:report_handle])
end
test "returns 403 if not privileged with :report_handle", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> get("/api/pleroma/admin/reports/report_id")
assert json_response(conn, :forbidden)
end
test "returns report by its id", %{conn: conn} do test "returns report by its id", %{conn: conn} do
[reporter, target_user] = insert_pair(:user) [reporter, target_user] = insert_pair(:user)
activity = insert(:note_activity, user: target_user) activity = insert(:note_activity, user: target_user)
@ -63,6 +77,8 @@ test "returns 404 when report id is invalid", %{conn: conn} do
describe "PATCH /api/pleroma/admin/reports" do describe "PATCH /api/pleroma/admin/reports" do
setup do setup do
clear_config([:instance, :admin_privileges], [:report_handle])
[reporter, target_user] = insert_pair(:user) [reporter, target_user] = insert_pair(:user)
activity = insert(:note_activity, user: target_user) activity = insert(:note_activity, user: target_user)
@ -86,6 +102,20 @@ test "returns 404 when report id is invalid", %{conn: conn} do
} }
end end
test "returns 403 if not privileged with :report_handle", %{conn: conn, id: id, admin: admin} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> assign(:token, insert(:oauth_token, user: admin, scopes: ["admin:write:reports"]))
|> put_req_header("content-type", "application/json")
|> patch("/api/pleroma/admin/reports", %{
"reports" => [%{"state" => "resolved", "id" => id}]
})
assert json_response(conn, :forbidden)
end
test "requires admin:write:reports scope", %{conn: conn, id: id, admin: admin} do test "requires admin:write:reports scope", %{conn: conn, id: id, admin: admin} do
read_token = insert(:oauth_token, user: admin, scopes: ["admin:read"]) read_token = insert(:oauth_token, user: admin, scopes: ["admin:read"])
write_token = insert(:oauth_token, user: admin, scopes: ["admin:write:reports"]) write_token = insert(:oauth_token, user: admin, scopes: ["admin:write:reports"])
@ -209,6 +239,20 @@ test "updates state of multiple reports", %{
end end
describe "GET /api/pleroma/admin/reports" do describe "GET /api/pleroma/admin/reports" do
setup do
clear_config([:instance, :admin_privileges], [:report_handle])
end
test "returns 403 if not privileged with :report_handle", %{conn: conn} do
clear_config([:instance, :admin_privileges], [])
conn =
conn
|> get(report_path(conn, :index))
assert json_response(conn, :forbidden)
end
test "returns empty response when no reports created", %{conn: conn} do test "returns empty response when no reports created", %{conn: conn} do
response = response =
conn conn
@ -317,6 +361,8 @@ test "returns 403 when requested by anonymous" do
describe "POST /api/pleroma/admin/reports/:id/notes" do describe "POST /api/pleroma/admin/reports/:id/notes" do
setup %{conn: conn, admin: admin} do setup %{conn: conn, admin: admin} do
clear_config([:instance, :admin_privileges], [:report_handle])
[reporter, target_user] = insert_pair(:user) [reporter, target_user] = insert_pair(:user)
activity = insert(:note_activity, user: target_user) activity = insert(:note_activity, user: target_user)
@ -345,6 +391,22 @@ test "returns 403 when requested by anonymous" do
} }
end end
test "returns 403 if not privileged with :report_handle", %{conn: conn, report_id: report_id} do
clear_config([:instance, :admin_privileges], [])
post_conn =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/reports/#{report_id}/notes", %{
content: "this is disgusting2!"
})
delete_conn = delete(conn, "/api/pleroma/admin/reports/#{report_id}/notes/note.id")
assert json_response(post_conn, :forbidden)
assert json_response(delete_conn, :forbidden)
end
test "it creates report note", %{admin_id: admin_id, report_id: report_id} do test "it creates report note", %{admin_id: admin_id, report_id: report_id} do
assert [note, _] = Repo.all(ReportNote) assert [note, _] = Repo.all(ReportNote)