Validator for deleting statusses is now done with priviledge instead of superuser

This commit is contained in:
Ilja 2022-06-13 13:58:26 +02:00
parent 7cf473c500
commit bb61cfee8d
3 changed files with 17 additions and 8 deletions

View File

@ -136,11 +136,11 @@ def same_domain?(cng, fields \\ [:actor, :object]) do
# This figures out if a user is able to create, delete or modify something # This figures out if a user is able to create, delete or modify something
# based on the domain and superuser status # based on the domain and superuser status
@spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t() @spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t()
def validate_modification_rights(cng) do def validate_modification_rights(cng, privilege) do
actor = User.get_cached_by_ap_id(get_field(cng, :actor)) actor = User.get_cached_by_ap_id(get_field(cng, :actor))
if User.superuser?(actor) || same_domain?(cng) do if User.privileged?(actor, privilege) || same_domain?(cng) do
cng cng
else else
cng cng

View File

@ -61,7 +61,7 @@ defp validate_data(cng) do
|> validate_required([:id, :type, :actor, :to, :cc, :object]) |> validate_required([:id, :type, :actor, :to, :cc, :object])
|> validate_inclusion(:type, ["Delete"]) |> validate_inclusion(:type, ["Delete"])
|> validate_delete_actor(:actor) |> validate_delete_actor(:actor)
|> validate_modification_rights() |> validate_modification_rights(:status_delete)
|> validate_object_or_user_presence(allowed_types: @deletable_types) |> validate_object_or_user_presence(allowed_types: @deletable_types)
|> add_deleted_activity_id() |> add_deleted_activity_id()
end end

View File

@ -3,7 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-only # SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
use Pleroma.DataCase, async: true use Pleroma.DataCase, async: false
alias Pleroma.Object alias Pleroma.Object
alias Pleroma.Web.ActivityPub.Builder alias Pleroma.Web.ActivityPub.Builder
@ -90,17 +90,26 @@ test "it's invalid if the actor of the object and the actor of delete are from d
assert {:actor, {"is not allowed to modify object", []}} in cng.errors assert {:actor, {"is not allowed to modify object", []}} in cng.errors
end end
test "it's valid if the actor of the object is a local superuser", test "it's only valid if the actor of the object is a privileged local user",
%{valid_post_delete: valid_post_delete} do %{valid_post_delete: valid_post_delete} do
clear_config([:instance, :moderator_privileges], [:status_delete])
user = user =
insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo") insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo")
valid_other_actor = post_delete_with_moderator_actor =
valid_post_delete valid_post_delete
|> Map.put("actor", user.ap_id) |> Map.put("actor", user.ap_id)
{:ok, _, meta} = ObjectValidator.validate(valid_other_actor, []) {:ok, _, meta} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
assert meta[:do_not_federate] assert meta[:do_not_federate]
clear_config([:instance, :moderator_privileges], [])
{:error, cng} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
end end
end end
end end