[#1427] Bugfix for `enforce_oauth_admin_scope_usage`. Admin API documentation entry.

This commit is contained in:
Ivan Tashkinov 2019-12-06 16:56:23 +03:00
parent 13926537b6
commit 93a80ee915
2 changed files with 15 additions and 9 deletions

View File

@ -2,6 +2,13 @@
Authentication is required and the user must be an admin. Authentication is required and the user must be an admin.
Configuration options:
* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
## `GET /api/pleroma/admin/users` ## `GET /api/pleroma/admin/users`
### List users ### List users

View File

@ -6,13 +6,20 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do
import Pleroma.Web.TranslationHelpers import Pleroma.Web.TranslationHelpers
import Plug.Conn import Plug.Conn
alias Pleroma.User
alias Pleroma.Web.OAuth alias Pleroma.Web.OAuth
def init(options) do def init(options) do
options options
end end
unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do
# To do: once AdminFE makes use of "admin" scope, disable the following func definition
# (fail on no admin scope(s) in token even if `is_admin` is true)
def call(%Plug.Conn{assigns: %{user: %Pleroma.User{is_admin: true}}} = conn, _) do
conn
end
end
def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _token}} = conn, _) do def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _token}} = conn, _) do
if OAuth.Scopes.contains_admin_scopes?(oauth_scopes) do if OAuth.Scopes.contains_admin_scopes?(oauth_scopes) do
# Note: checking for _any_ admin scope presence, not necessarily fitting requested action. # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
@ -23,14 +30,6 @@ def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _toke
end end
end end
unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do
# To do: once AdminFE makes use of "admin" scope, disable the following func definition
# (fail on no admin scope(s) in token even if `is_admin` is true)
def call(%Plug.Conn{assigns: %{user: %User{is_admin: true}}} = conn, _) do
conn
end
end
def call(conn, _) do def call(conn, _) do
fail(conn) fail(conn)
end end