Merge branch 'security/PleromaAPI-delete' into 'develop'

CommonAPI: generate ModerationLog for all admin/moderator deletes

See merge request pleroma/pleroma!3765
This commit is contained in:
Haelwenn 2022-10-15 12:54:20 +00:00
commit 705ba6d615
5 changed files with 41 additions and 27 deletions

View File

@ -8,7 +8,6 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
alias Pleroma.Activity alias Pleroma.Activity
alias Pleroma.Chat alias Pleroma.Chat
alias Pleroma.Chat.MessageReference alias Pleroma.Chat.MessageReference
alias Pleroma.ModerationLog
alias Pleroma.Pagination alias Pleroma.Pagination
alias Pleroma.Web.AdminAPI alias Pleroma.Web.AdminAPI
alias Pleroma.Web.CommonAPI alias Pleroma.Web.CommonAPI
@ -42,12 +41,6 @@ def delete_message(%{assigns: %{user: user}} = conn, %{
^chat_id <- to_string(cm_ref.chat_id), ^chat_id <- to_string(cm_ref.chat_id),
%Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object_ap_id), %Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object_ap_id),
{:ok, _} <- CommonAPI.delete(activity_id, user) do {:ok, _} <- CommonAPI.delete(activity_id, user) do
ModerationLog.insert_log(%{
action: "chat_message_delete",
actor: user,
subject_id: message_id
})
conn conn
|> put_view(MessageReferenceView) |> put_view(MessageReferenceView)
|> render("show.json", chat_message_reference: cm_ref) |> render("show.json", chat_message_reference: cm_ref)

View File

@ -65,12 +65,6 @@ def update(%{assigns: %{user: admin}, body_params: params} = conn, %{id: id}) do
def delete(%{assigns: %{user: user}} = conn, %{id: id}) do def delete(%{assigns: %{user: user}} = conn, %{id: id}) do
with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do
ModerationLog.insert_log(%{
action: "status_delete",
actor: user,
subject_id: id
})
json(conn, %{}) json(conn, %{})
end end
end end

View File

@ -6,6 +6,7 @@ defmodule Pleroma.Web.CommonAPI do
alias Pleroma.Activity alias Pleroma.Activity
alias Pleroma.Conversation.Participation alias Pleroma.Conversation.Participation
alias Pleroma.Formatter alias Pleroma.Formatter
alias Pleroma.ModerationLog
alias Pleroma.Object alias Pleroma.Object
alias Pleroma.ThreadMute alias Pleroma.ThreadMute
alias Pleroma.User alias Pleroma.User
@ -147,6 +148,21 @@ def delete(activity_id, user) do
true <- User.superuser?(user) || user.ap_id == object.data["actor"], true <- User.superuser?(user) || user.ap_id == object.data["actor"],
{:ok, delete_data, _} <- Builder.delete(user, object.data["id"]), {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
{:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
if User.superuser?(user) and user.ap_id != object.data["actor"] do
action =
if object.data["type"] == "ChatMessage" do
"chat_message_delete"
else
"status_delete"
end
ModerationLog.insert_log(%{
action: action,
actor: user,
subject_id: activity_id
})
end
{:ok, delete} {:ok, delete}
else else
{:find_activity, _} -> {:find_activity, _} ->

View File

@ -53,7 +53,7 @@ test "it deletes a message from the chat", %{conn: conn, admin: admin} do
log_entry = Repo.one(ModerationLog) log_entry = Repo.one(ModerationLog)
assert ModerationLog.get_log_entry_message(log_entry) == assert ModerationLog.get_log_entry_message(log_entry) ==
"@#{admin.nickname} deleted chat message ##{cm_ref.id}" "@#{admin.nickname} deleted chat message ##{message.id}"
assert result["id"] == cm_ref.id assert result["id"] == cm_ref.id
refute MessageReference.get_by_id(cm_ref.id) refute MessageReference.get_by_id(cm_ref.id)

View File

@ -8,6 +8,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
alias Pleroma.Activity alias Pleroma.Activity
alias Pleroma.Conversation.Participation alias Pleroma.Conversation.Participation
alias Pleroma.ModerationLog
alias Pleroma.Object alias Pleroma.Object
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.ScheduledActivity alias Pleroma.ScheduledActivity
@ -970,30 +971,40 @@ test "when you didn't create it" do
assert Activity.get_by_id(activity.id) == activity assert Activity.get_by_id(activity.id) == activity
end end
test "when you're an admin or moderator", %{conn: conn} do test "when you're an admin", %{conn: conn} do
activity1 = insert(:note_activity) activity = insert(:note_activity)
activity2 = insert(:note_activity) user = insert(:user, is_admin: true)
admin = insert(:user, is_admin: true)
moderator = insert(:user, is_moderator: true)
res_conn = res_conn =
conn conn
|> assign(:user, admin) |> assign(:user, user)
|> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"])) |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
|> delete("/api/v1/statuses/#{activity1.id}") |> delete("/api/v1/statuses/#{activity.id}")
assert %{} = json_response_and_validate_schema(res_conn, 200) assert %{} = json_response_and_validate_schema(res_conn, 200)
assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
"@#{user.nickname} deleted status ##{activity.id}"
refute Activity.get_by_id(activity.id)
end
test "when you're a moderator", %{conn: conn} do
activity = insert(:note_activity)
user = insert(:user, is_moderator: true)
res_conn = res_conn =
conn conn
|> assign(:user, moderator) |> assign(:user, user)
|> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"])) |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
|> delete("/api/v1/statuses/#{activity2.id}") |> delete("/api/v1/statuses/#{activity.id}")
assert %{} = json_response_and_validate_schema(res_conn, 200) assert %{} = json_response_and_validate_schema(res_conn, 200)
refute Activity.get_by_id(activity1.id) assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
refute Activity.get_by_id(activity2.id) "@#{user.nickname} deleted status ##{activity.id}"
refute Activity.get_by_id(activity.id)
end end
end end