Merge branch 'security/PleromaAPI-delete' into 'develop'

CommonAPI: generate ModerationLog for all admin/moderator deletes

See merge request pleroma/pleroma!3765

lib/pleroma/web/admin_api/controllers/chat_controller.ex

@@ -8,7 +8,6 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
   alias Pleroma.Activity
   alias Pleroma.Chat
   alias Pleroma.Chat.MessageReference
-  alias Pleroma.ModerationLog
   alias Pleroma.Pagination
   alias Pleroma.Web.AdminAPI
   alias Pleroma.Web.CommonAPI
@@ -42,12 +41,6 @@ def delete_message(%{assigns: %{user: user}} = conn, %{
          ^chat_id <- to_string(cm_ref.chat_id),
          %Activity{id: activity_id} <- Activity.get_create_by_object_ap_id(object_ap_id),
          {:ok, _} <- CommonAPI.delete(activity_id, user) do
-      ModerationLog.insert_log(%{
-        action: "chat_message_delete",
-        actor: user,
-        subject_id: message_id
-      })
-
       conn
       |> put_view(MessageReferenceView)
       |> render("show.json", chat_message_reference: cm_ref)

lib/pleroma/web/admin_api/controllers/status_controller.ex

@@ -65,12 +65,6 @@ def update(%{assigns: %{user: admin}, body_params: params} = conn, %{id: id}) do
 
   def delete(%{assigns: %{user: user}} = conn, %{id: id}) do
     with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do
-      ModerationLog.insert_log(%{
-        action: "status_delete",
-        actor: user,
-        subject_id: id
-      })
-
       json(conn, %{})
     end
   end

lib/pleroma/web/common_api.ex

@@ -6,6 +6,7 @@ defmodule Pleroma.Web.CommonAPI do
   alias Pleroma.Activity
   alias Pleroma.Conversation.Participation
   alias Pleroma.Formatter
+  alias Pleroma.ModerationLog
   alias Pleroma.Object
   alias Pleroma.ThreadMute
   alias Pleroma.User
@@ -147,6 +148,21 @@ def delete(activity_id, user) do
          true <- User.superuser?(user) || user.ap_id == object.data["actor"],
          {:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
          {:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
+      if User.superuser?(user) and user.ap_id != object.data["actor"] do
+        action =
+          if object.data["type"] == "ChatMessage" do
+            "chat_message_delete"
+          else
+            "status_delete"
+          end
+
+        ModerationLog.insert_log(%{
+          action: action,
+          actor: user,
+          subject_id: activity_id
+        })
+      end
+
       {:ok, delete}
     else
       {:find_activity, _} ->

test/pleroma/web/admin_api/controllers/chat_controller_test.exs

@@ -53,7 +53,7 @@ test "it deletes a message from the chat", %{conn: conn, admin: admin} do
       log_entry = Repo.one(ModerationLog)
 
       assert ModerationLog.get_log_entry_message(log_entry) ==
-               "@#{admin.nickname} deleted chat message ##{cm_ref.id}"
+               "@#{admin.nickname} deleted chat message ##{message.id}"
 
       assert result["id"] == cm_ref.id
       refute MessageReference.get_by_id(cm_ref.id)

test/pleroma/web/mastodon_api/controllers/status_controller_test.exs

@@ -8,6 +8,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
   alias Pleroma.Activity
   alias Pleroma.Conversation.Participation
+  alias Pleroma.ModerationLog
   alias Pleroma.Object
   alias Pleroma.Repo
   alias Pleroma.ScheduledActivity
@@ -970,30 +971,40 @@ test "when you didn't create it" do
       assert Activity.get_by_id(activity.id) == activity
     end
 
-    test "when you're an admin or moderator", %{conn: conn} do
+    test "when you're an admin", %{conn: conn} do
-      activity1 = insert(:note_activity)
+      activity = insert(:note_activity)
-      activity2 = insert(:note_activity)
+      user = insert(:user, is_admin: true)
-      admin = insert(:user, is_admin: true)
-      moderator = insert(:user, is_moderator: true)
 
       res_conn =
         conn
-        |> assign(:user, admin)
+        |> assign(:user, user)
-        |> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"]))
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
-        |> delete("/api/v1/statuses/#{activity1.id}")
+        |> delete("/api/v1/statuses/#{activity.id}")
 
       assert %{} = json_response_and_validate_schema(res_conn, 200)
 
+      assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
+               "@#{user.nickname} deleted status ##{activity.id}"
+
+      refute Activity.get_by_id(activity.id)
+    end
+
+    test "when you're a moderator", %{conn: conn} do
+      activity = insert(:note_activity)
+      user = insert(:user, is_moderator: true)
+
       res_conn =
         conn
-        |> assign(:user, moderator)
+        |> assign(:user, user)
-        |> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:statuses"]))
-        |> delete("/api/v1/statuses/#{activity2.id}")
+        |> delete("/api/v1/statuses/#{activity.id}")
 
       assert %{} = json_response_and_validate_schema(res_conn, 200)
 
-      refute Activity.get_by_id(activity1.id)
+      assert ModerationLog |> Repo.one() |> ModerationLog.get_log_entry_message() ==
-      refute Activity.get_by_id(activity2.id)
+               "@#{user.nickname} deleted status ##{activity.id}"
+
+      refute Activity.get_by_id(activity.id)
     end
   end