Merge branch 'from/upstream-develop/tusooa/2892-backup-scope' into 'develop'

Make backups require its own scope Closes #2892 See merge request pleroma/pleroma!3721
2022-09-05 15:42:02 +00:00 · 2022-09-05 15:42:02 +00:00 · b8d6cb5845
parent 346c130ddc 9874b4c985
commit b8d6cb5845
4 changed files with 6 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **Breaking:** Elixir >=1.10 is now required (was >= 1.9)
 - Allow users to remove their emails if instance does not need email to register
 - Uploadfilter `Pleroma.Upload.Filter.Exiftool` has been renamed to `Pleroma.Upload.Filter.Exiftool.StripLocation`
+- **Breaking**: `/api/v1/pleroma/backups` endpoints now requires `read:backups` scope instead of `read:accounts`
 - Updated the recommended pleroma.vcl configuration for Varnish to target Varnish 7.0+

 ### Added
--- a/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/pleroma_backup_operation.ex
@ -16,7 +16,7 @@ def index_operation do
    %Operation{
      tags: ["Backups"],
      summary: "List backups",
-      security: [%{"oAuth" => ["read:account"]}],
+      security: [%{"oAuth" => ["read:backups"]}],
      operationId: "PleromaAPI.BackupController.index",
      responses: %{
        200 =>
@ -37,7 +37,7 @@ def create_operation do
    %Operation{
      tags: ["Backups"],
      summary: "Create a backup",
-      security: [%{"oAuth" => ["read:account"]}],
+      security: [%{"oAuth" => ["read:backups"]}],
      operationId: "PleromaAPI.BackupController.create",
      responses: %{
        200 =>
--- a/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/backup_controller.ex
@ -9,7 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupController do
  alias Pleroma.Web.Plugs.OAuthScopesPlug

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
-  plug(OAuthScopesPlug, %{scopes: ["read:accounts"]} when action in [:index, :create])
+  plug(OAuthScopesPlug, %{scopes: ["read:backups"]} when action in [:index, :create])
  plug(Pleroma.Web.ApiSpec.CastAndValidate)

  defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.PleromaBackupOperation
--- a/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs
+++ b/test/pleroma/web/pleroma_api/controllers/backup_controller_test.exs
@ -11,7 +11,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupControllerTest do
  setup do
    clear_config([Pleroma.Upload, :uploader])
    clear_config([Backup, :limit_days])
-    oauth_access(["read:accounts"])
+    oauth_access(["read:backups"])
  end

  test "GET /api/v1/pleroma/backups", %{user: user, conn: conn} do
@ -85,7 +85,7 @@ test "POST /api/v1/pleroma/backups", %{user: _user, conn: conn} do

  test "Backup without email address" do
    user = Pleroma.Factory.insert(:user, email: nil)
-    %{conn: conn} = oauth_access(["read:accounts"], user: user)
+    %{conn: conn} = oauth_access(["read:backups"], user: user)

    assert is_nil(user.email)