delete statusses is now privileged by :status_delete
Instead of superusers, you now need a role with privilige :status_delete to delete other users statusses I also cleaned up some other stuff I saw
This commit is contained in:
parent
7adfc2e0f4
commit
7cf473c500
|
@ -144,7 +144,7 @@ def delete(activity_id, user) do
|
||||||
{:find_activity, Activity.get_by_id(activity_id)},
|
{:find_activity, Activity.get_by_id(activity_id)},
|
||||||
{_, %Object{} = object, _} <-
|
{_, %Object{} = object, _} <-
|
||||||
{:find_object, Object.normalize(activity, fetch: false), activity},
|
{:find_object, Object.normalize(activity, fetch: false), activity},
|
||||||
true <- User.superuser?(user) || user.ap_id == object.data["actor"],
|
true <- User.privileged?(user, :status_delete) || user.ap_id == object.data["actor"],
|
||||||
{:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
|
{:ok, delete_data, _} <- Builder.delete(user, object.data["id"]),
|
||||||
{:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
|
{:ok, delete, _} <- Pipeline.common_pipeline(delete_data, local: true) do
|
||||||
{:ok, delete}
|
{:ok, delete}
|
||||||
|
|
|
@ -85,7 +85,6 @@ test "DELETE /instances/:instance", %{conn: conn} do
|
||||||
|
|
||||||
clear_config([:instance, :admin_privileges], [])
|
clear_config([:instance, :admin_privileges], [])
|
||||||
|
|
||||||
response =
|
|
||||||
conn
|
conn
|
||||||
|> delete("/api/pleroma/admin/instances/lain.com")
|
|> delete("/api/pleroma/admin/instances/lain.com")
|
||||||
|> json_response(:forbidden)
|
|> json_response(:forbidden)
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
defmodule Pleroma.Web.CommonAPITest do
|
defmodule Pleroma.Web.CommonAPITest do
|
||||||
use Oban.Testing, repo: Pleroma.Repo
|
use Oban.Testing, repo: Pleroma.Repo
|
||||||
use Pleroma.DataCase
|
use Pleroma.DataCase, async: false
|
||||||
|
|
||||||
alias Pleroma.Activity
|
alias Pleroma.Activity
|
||||||
alias Pleroma.Chat
|
alias Pleroma.Chat
|
||||||
|
@ -321,7 +321,7 @@ test "it allows users to delete their posts" do
|
||||||
refute Activity.get_by_id(post.id)
|
refute Activity.get_by_id(post.id)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it does not allow a user to delete their posts" do
|
test "it does not allow a user to delete posts from another user" do
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
other_user = insert(:user)
|
other_user = insert(:user)
|
||||||
|
|
||||||
|
@ -331,7 +331,8 @@ test "it does not allow a user to delete their posts" do
|
||||||
assert Activity.get_by_id(post.id)
|
assert Activity.get_by_id(post.id)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it allows moderators to delete other user's posts" do
|
test "it allows privileged users to delete other user's posts" do
|
||||||
|
clear_config([:instance, :moderator_privileges], [:status_delete])
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
moderator = insert(:user, is_moderator: true)
|
moderator = insert(:user, is_moderator: true)
|
||||||
|
|
||||||
|
@ -343,19 +344,20 @@ test "it allows moderators to delete other user's posts" do
|
||||||
refute Activity.get_by_id(post.id)
|
refute Activity.get_by_id(post.id)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it allows admins to delete other user's posts" do
|
test "it doesn't allow unprivileged mods or admins to delete other user's posts" do
|
||||||
|
clear_config([:instance, :admin_privileges], [])
|
||||||
|
clear_config([:instance, :moderator_privileges], [])
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
moderator = insert(:user, is_admin: true)
|
moderator = insert(:user, is_moderator: true, is_admin: true)
|
||||||
|
|
||||||
{:ok, post} = CommonAPI.post(user, %{status: "namu amida butsu"})
|
{:ok, post} = CommonAPI.post(user, %{status: "namu amida butsu"})
|
||||||
|
|
||||||
assert {:ok, delete} = CommonAPI.delete(post.id, moderator)
|
assert {:error, "Could not delete"} = CommonAPI.delete(post.id, moderator)
|
||||||
assert delete.local
|
assert Activity.get_by_id(post.id)
|
||||||
|
|
||||||
refute Activity.get_by_id(post.id)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test "superusers deleting non-local posts won't federate the delete" do
|
test "privileged users deleting non-local posts won't federate the delete" do
|
||||||
|
clear_config([:instance, :admin_privileges], [:status_delete])
|
||||||
# This is the user of the ingested activity
|
# This is the user of the ingested activity
|
||||||
_user =
|
_user =
|
||||||
insert(:user,
|
insert(:user,
|
||||||
|
@ -364,7 +366,7 @@ test "superusers deleting non-local posts won't federate the delete" do
|
||||||
last_refreshed_at: NaiveDateTime.utc_now()
|
last_refreshed_at: NaiveDateTime.utc_now()
|
||||||
)
|
)
|
||||||
|
|
||||||
moderator = insert(:user, is_admin: true)
|
admin = insert(:user, is_admin: true)
|
||||||
|
|
||||||
data =
|
data =
|
||||||
File.read!("test/fixtures/mastodon-post-activity.json")
|
File.read!("test/fixtures/mastodon-post-activity.json")
|
||||||
|
@ -374,7 +376,7 @@ test "superusers deleting non-local posts won't federate the delete" do
|
||||||
|
|
||||||
with_mock Pleroma.Web.Federator,
|
with_mock Pleroma.Web.Federator,
|
||||||
publish: fn _ -> nil end do
|
publish: fn _ -> nil end do
|
||||||
assert {:ok, delete} = CommonAPI.delete(post.id, moderator)
|
assert {:ok, delete} = CommonAPI.delete(post.id, admin)
|
||||||
assert delete.local
|
assert delete.local
|
||||||
refute called(Pleroma.Web.Federator.publish(:_))
|
refute called(Pleroma.Web.Federator.publish(:_))
|
||||||
end
|
end
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# SPDX-License-Identifier: AGPL-3.0-only
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
|
defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
|
||||||
use Pleroma.Web.ConnCase
|
use Pleroma.Web.ConnCase, async: false
|
||||||
use Oban.Testing, repo: Pleroma.Repo
|
use Oban.Testing, repo: Pleroma.Repo
|
||||||
|
|
||||||
alias Pleroma.Activity
|
alias Pleroma.Activity
|
||||||
|
@ -968,30 +968,20 @@ test "when you didn't create it" do
|
||||||
assert Activity.get_by_id(activity.id) == activity
|
assert Activity.get_by_id(activity.id) == activity
|
||||||
end
|
end
|
||||||
|
|
||||||
test "when you're an admin or moderator", %{conn: conn} do
|
test "when you're privileged to", %{conn: conn} do
|
||||||
activity1 = insert(:note_activity)
|
clear_config([:instance, :moderator_privileges], [:status_delete])
|
||||||
activity2 = insert(:note_activity)
|
activity = insert(:note_activity)
|
||||||
admin = insert(:user, is_admin: true)
|
|
||||||
moderator = insert(:user, is_moderator: true)
|
moderator = insert(:user, is_moderator: true)
|
||||||
|
|
||||||
res_conn =
|
|
||||||
conn
|
|
||||||
|> assign(:user, admin)
|
|
||||||
|> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"]))
|
|
||||||
|> delete("/api/v1/statuses/#{activity1.id}")
|
|
||||||
|
|
||||||
assert %{} = json_response_and_validate_schema(res_conn, 200)
|
|
||||||
|
|
||||||
res_conn =
|
res_conn =
|
||||||
conn
|
conn
|
||||||
|> assign(:user, moderator)
|
|> assign(:user, moderator)
|
||||||
|> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
|
|> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
|
||||||
|> delete("/api/v1/statuses/#{activity2.id}")
|
|> delete("/api/v1/statuses/#{activity.id}")
|
||||||
|
|
||||||
assert %{} = json_response_and_validate_schema(res_conn, 200)
|
assert %{} = json_response_and_validate_schema(res_conn, 200)
|
||||||
|
|
||||||
refute Activity.get_by_id(activity1.id)
|
refute Activity.get_by_id(activity.id)
|
||||||
refute Activity.get_by_id(activity2.id)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue