bss
/
pleroma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove privileged_staff 

Everything that was done through this setting, can now be set by giving the proper privileges to the roles.
This commit is contained in:
Ilja 2022-05-26 14:51:53 +02:00
parent b1ff5241c2
commit 5a65e2dac5
8 changed files with 4 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -17,8 +17,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- `activeMonth` and `activeHalfyear` fields in NodeInfo usage.users object - `activeMonth` and `activeHalfyear` fields in NodeInfo usage.users object
- Experimental support for Finch. Put `config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}` in your secrets file to use it. Reverse Proxy will still use Hackney. - Experimental support for Finch. Put `config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}` in your secrets file to use it. Reverse Proxy will still use Hackney.
- `ForceMentionsInPostContent` MRF policy - `ForceMentionsInPostContent` MRF policy
- AdminAPI: allow moderators to manage reports, users, invites, and custom emojis
- AdminAPI: restrict moderators to access sensitive data: change user credentials, get password reset token, read private statuses and chats, etc
- PleromaAPI: Add remote follow API endpoint at `POST /api/v1/pleroma/remote_interaction` - PleromaAPI: Add remote follow API endpoint at `POST /api/v1/pleroma/remote_interaction`
- MastoAPI: Add `GET /api/v1/accounts/lookup` - MastoAPI: Add `GET /api/v1/accounts/lookup`
- MastoAPI: Profile Directory support - MastoAPI: Profile Directory support

3
config/config.exs
View File

@ -256,8 +256,7 @@
show_reactions: true, show_reactions: true,
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
privileged_staff: false, admin_privileges: [:user_deletion, :user_credentials, :statuses_read],
admin_privileges: [:user_deletion, :user_credentials],
moderator_privileges: [], moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,

10
config/description.exs
View File

@ -960,23 +960,17 @@
type: :boolean, type: :boolean,
description: "Enable profile directory." description: "Enable profile directory."
}, },
%{
key: :privileged_staff,
type: :boolean,
description:
"Let moderators access sensitive data (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{ %{
key: :admin_privileges, key: :admin_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials], suggestions: [:user_deletion, :user_credentials, :statuses_read],
description: description:
"What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{ %{
key: :moderator_privileges, key: :moderator_privileges,
type: {:list, :atom}, type: {:list, :atom},
suggestions: [:user_deletion, :user_credentials], suggestions: [:user_deletion, :user_credentials, :statuses_read],
description: description:
"What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },

1
lib/pleroma/web/mastodon_api/views/instance_view.ex
View File

@ -47,7 +47,6 @@ def render("show.json", _) do
federation: federation(), federation: federation(),
fields_limits: fields_limits(), fields_limits: fields_limits(),
post_formats: Config.get([:instance, :allowed_post_formats]), post_formats: Config.get([:instance, :allowed_post_formats]),
privileged_staff: Config.get([:instance, :privileged_staff]),
birthday_required: Config.get([:instance, :birthday_required]), birthday_required: Config.get([:instance, :birthday_required]),
birthday_min_age: Config.get([:instance, :birthday_min_age]) birthday_min_age: Config.get([:instance, :birthday_min_age])
}, },

3
lib/pleroma/web/nodeinfo/nodeinfo.ex
View File

@ -69,8 +69,7 @@ def get_nodeinfo("2.0") do
mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false), mailerEnabled: Config.get([Pleroma.Emails.Mailer, :enabled], false),
features: features, features: features,
restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]), restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames]),
skipThreadContainment: Config.get([:instance, :skip_thread_containment], false), skipThreadContainment: Config.get([:instance, :skip_thread_containment], false)
privilegedStaff: Config.get([:instance, :privileged_staff])
} }
} }
end end

36
lib/pleroma/web/plugs/ensure_staff_privileged_plug.ex
View File

@ -1,36 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug do
@moduledoc """
Ensures staff are privileged enough to do certain tasks.
"""
import Pleroma.Web.TranslationHelpers
import Plug.Conn
alias Pleroma.Config
alias Pleroma.User
def init(options) do
options
end
def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _), do: conn
def call(%{assigns: %{user: %User{is_moderator: true}}} = conn, _) do
if Config.get!([:instance, :privileged_staff]) do
conn
else
conn
|> render_error(:forbidden, "User is not an admin.")
|> halt()
end
end
def call(conn, _) do
conn
|> render_error(:forbidden, "User is not a staff member.")
|> halt()
end
end

9
lib/pleroma/web/router.ex
View File

@ -101,10 +101,6 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.IdempotencyPlug) plug(Pleroma.Web.Plugs.IdempotencyPlug)
end end
pipeline :require_privileged_staff do
plug(Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug)
end
pipeline :require_admin do pipeline :require_admin do
plug(Pleroma.Web.Plugs.UserIsAdminPlug) plug(Pleroma.Web.Plugs.UserIsAdminPlug)
end end
@ -273,11 +269,6 @@ defmodule Pleroma.Web.Router do
get("/chats/:id/messages", ChatController, :messages) get("/chats/:id/messages", ChatController, :messages)
end end
# AdminAPI: admins and mods (staff) can perform these actions (if enabled by config)
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through([:admin_api, :require_privileged_staff])
end
# AdminAPI: admins and mods (staff) can perform these actions # AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api) pipe_through(:admin_api)

60
test/pleroma/web/plugs/ensure_staff_privileged_plug_test.exs
View File

@ -1,60 +0,0 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsureStaffPrivilegedPlugTest do
use Pleroma.Web.ConnCase, async: true
alias Pleroma.Web.Plugs.EnsureStaffPrivilegedPlug
import Pleroma.Factory
test "accepts a user that is an admin" do
user = insert(:user, is_admin: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsureStaffPrivilegedPlug.call(conn, %{})
assert conn == ret_conn
end
test "accepts a user that is a moderator when :privileged_staff is enabled" do
clear_config([:instance, :privileged_staff], true)
user = insert(:user, is_moderator: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsureStaffPrivilegedPlug.call(conn, %{})
assert conn == ret_conn
end
test "denies a user that is a moderator when :privileged_staff is disabled" do
clear_config([:instance, :privileged_staff], false)
user = insert(:user, is_moderator: true)
conn =
build_conn()
|> assign(:user, user)
|> EnsureStaffPrivilegedPlug.call(%{})
assert conn.status == 403
end
test "denies a user that isn't a staff member" do
user = insert(:user)
conn =
build_conn()
|> assign(:user, user)
|> EnsureStaffPrivilegedPlug.call(%{})
assert conn.status == 403
end
test "denies when a user isn't set" do
conn = EnsureStaffPrivilegedPlug.call(build_conn(), %{})
assert conn.status == 403
end
end