moon
/
honkoma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add new setting and Plug to allow for privilege settings for staff

This commit is contained in:
Ilja 2022-05-21 18:48:21 +02:00
parent 7466136ad3
commit 5b19543f0a
4 changed files with 154 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/config.exs
View File

@ -257,6 +257,8 @@
password_reset_token_validity: 60 * 60 * 24, password_reset_token_validity: 60 * 60 * 24,
profile_directory: true, profile_directory: true,
privileged_staff: false, privileged_staff: false,
admin_privileges: [],
moderator_privileges: [],
max_endorsed_users: 20, max_endorsed_users: 20,
birthday_required: false, birthday_required: false,
birthday_min_age: 0, birthday_min_age: 0,

12
config/description.exs
View File

@ -966,6 +966,18 @@
description: description:
"Let moderators access sensitive data (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)" "Let moderators access sensitive data (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
}, },
%{
key: :admin_privileges,
type: {:list, :atom},
suggestions: [],
description: "What extra priviledges to allow admins (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{
key: :moderator_privileges,
type: {:list, :atom},
suggestions: [],
description: "What extra priviledges to allow moderators (e.g. updating user credentials, get password reset token, delete users, index and read private statuses and chats)"
},
%{ %{
key: :birthday_required, key: :birthday_required,
type: :boolean, type: :boolean,

44
lib/pleroma/web/plugs/ensure_privileged_plug.ex Normal file
View File

@ -0,0 +1,44 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlug do
@moduledoc """
Ensures staff are privileged enough to do certain tasks.
"""
import Pleroma.Web.TranslationHelpers
import Plug.Conn
alias Pleroma.Config
alias Pleroma.User
def init(options) do
options
end
def call(%{assigns: %{user: %User{is_admin: false, is_moderator: false}}} = conn, _) do
conn
|> render_error(:forbidden, "User isn't privileged.")
|> halt()
end
def call(
%{assigns: %{user: %User{is_admin: is_admin, is_moderator: is_moderator}}} = conn,
priviledge
) do
if (is_admin and priviledge in Config.get([:instance, :admin_privileges])) or
(is_moderator and priviledge in Config.get([:instance, :moderator_privileges])) do
conn
else
conn
|> render_error(:forbidden, "User isn't privileged.")
|> halt()
end
end
def call(conn, _) do
conn
|> render_error(:forbidden, "User isn't privileged.")
|> halt()
end
end

96
test/pleroma/web/plugs/ensure_privileged_plug_test.exs Normal file
View File

@ -0,0 +1,96 @@
# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlugTest do
use Pleroma.Web.ConnCase, async: true
alias Pleroma.Web.Plugs.EnsurePrivilegedPlug
import Pleroma.Factory
test "denies a user that isn't moderator or admin" do
clear_config([:instance, :admin_privileges], [])
user = insert(:user)
conn =
build_conn()
|> assign(:user, user)
|> EnsurePrivilegedPlug.call(:cofe)
assert conn.status == 403
end
test "accepts an admin that is privileged" do
clear_config([:instance, :admin_privileges], [:cofe])
user = insert(:user, is_admin: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsurePrivilegedPlug.call(conn, :cofe)
assert conn == ret_conn
end
test "denies an admin that isn't privileged" do
clear_config([:instance, :admin_privileges], [:suya])
user = insert(:user, is_admin: true)
conn =
build_conn()
|> assign(:user, user)
|> EnsurePrivilegedPlug.call(:cofe)
assert conn.status == 403
end
test "accepts a moderator that is privileged" do
clear_config([:instance, :moderator_privileges], [:cofe])
user = insert(:user, is_moderator: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsurePrivilegedPlug.call(conn, :cofe)
assert conn == ret_conn
end
test "denies a moderator that isn't privileged" do
clear_config([:instance, :moderator_privileges], [:suya])
user = insert(:user, is_moderator: true)
conn =
build_conn()
|> assign(:user, user)
|> EnsurePrivilegedPlug.call(:cofe)
assert conn.status == 403
end
test "accepts for a priviledged role even if other role isn't priviledged" do
clear_config([:instance, :admin_privileges], [:cofe])
clear_config([:instance, :moderator_privileges], [])
user = insert(:user, is_admin: true, is_moderator: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsurePrivilegedPlug.call(conn, :cofe)
# priviledged through admin role
assert conn == ret_conn
clear_config([:instance, :admin_privileges], [])
clear_config([:instance, :moderator_privileges], [:cofe])
user = insert(:user, is_admin: true, is_moderator: true)
conn = assign(build_conn(), :user, user)
ret_conn = EnsurePrivilegedPlug.call(conn, :cofe)
# priviledged through moderator role
assert conn == ret_conn
end
test "denies when no user is set" do
conn =
build_conn()
|> EnsurePrivilegedPlug.call(:cofe)
assert conn.status == 403
end
end