Prevent moderators from deleting admins

2023-03-15 19:20:36 -05:00 · 2023-03-15 19:20:36 -05:00 · c64c4454d7
commit c64c4454d7
parent 9af0657ec9
2 changed files with 67 additions and 10 deletions
--- a/lib/pleroma/web/admin_api/controllers/user_controller.ex
+++ b/lib/pleroma/web/admin_api/controllers/user_controller.ex
@ -60,20 +60,35 @@ def delete(conn, %{nickname: nickname}) do
  def delete(%{assigns: %{user: admin}, body_params: %{nicknames: nicknames}} = conn, _) do
    users = Enum.map(nicknames, &User.get_cached_by_nickname/1)

-    Enum.each(users, fn user ->
-      {:ok, delete_data, _} = Builder.delete(admin, user.ap_id)
-      Pipeline.common_pipeline(delete_data, local: true)
-    end)
+    if Enum.all?(users, &is_higher_role(admin, &1)) do
+      Enum.each(users, fn user ->
+        {:ok, delete_data, _} = Builder.delete(admin, user.ap_id)
+        Pipeline.common_pipeline(delete_data, local: true)
+      end)

-    ModerationLog.insert_log(%{
-      actor: admin,
-      subject: users,
-      action: "delete"
-    })
+      ModerationLog.insert_log(%{
+        actor: admin,
+        subject: users,
+        action: "delete"
+      })

-    json(conn, nicknames)
+      json(conn, nicknames)
+    else
+      conn
+      |> put_status(:forbidden)
+      |> json(%{error: dgettext("errors", "Forbidden")})
+    end
  end

+  # true if actor is greater OR EQUAL in role to target
+  defp is_higher_role(%User{} = actor, %User{} = target) do
+    role_weight(actor) >= role_weight(target)
+  end
+
+  defp role_weight(%User{is_admin: true}), do: 2
+  defp role_weight(%User{is_moderator: true}), do: 1
+  defp role_weight(_), do: 0
+
  def follow(
        %{
          assigns: %{user: admin},
--- a/test/pleroma/web/admin_api/controllers/user_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/user_controller_test.exs
@ -139,6 +139,48 @@ test "Needs privileged role", %{conn: conn} do

      assert json_response(response, :forbidden)
    end
+
+    test "Moderators can't delete admins" do
+      admin = insert(:user, is_admin: true)
+      moderator = insert(:user, is_moderator: true)
+      token = insert(:oauth_admin_token, user: moderator)
+
+      conn =
+        build_conn()
+        |> assign(:user, moderator)
+        |> assign(:token, token)
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> put_req_header("content-type", "application/json")
+        |> delete("/api/pleroma/admin/users", %{
+          nicknames: [admin.nickname]
+        })
+
+      assert json_response(response, :forbidden)
+    end
+
+    test "Moderators can delete other moderators" do
+      moderator1 = insert(:user, is_moderator: true)
+      moderator2 = insert(:user, is_moderator: true)
+      token = insert(:oauth_admin_token, user: moderator1)
+
+      conn =
+        build_conn()
+        |> assign(:user, moderator1)
+        |> assign(:token, token)
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> put_req_header("content-type", "application/json")
+        |> delete("/api/pleroma/admin/users", %{
+          nicknames: [moderator2.nickname]
+        })
+
+      assert json_response(response, 200)
+    end
  end

  describe "/api/pleroma/admin/users" do