Validator for deleting statusses is now done with priviledge instead of superuser
This commit is contained in:
parent
7cf473c500
commit
bb61cfee8d
|
@ -136,11 +136,11 @@ def same_domain?(cng, fields \\ [:actor, :object]) do
|
||||||
|
|
||||||
# This figures out if a user is able to create, delete or modify something
|
# This figures out if a user is able to create, delete or modify something
|
||||||
# based on the domain and superuser status
|
# based on the domain and superuser status
|
||||||
@spec validate_modification_rights(Ecto.Changeset.t()) :: Ecto.Changeset.t()
|
@spec validate_modification_rights(Ecto.Changeset.t(), atom()) :: Ecto.Changeset.t()
|
||||||
def validate_modification_rights(cng) do
|
def validate_modification_rights(cng, privilege) do
|
||||||
actor = User.get_cached_by_ap_id(get_field(cng, :actor))
|
actor = User.get_cached_by_ap_id(get_field(cng, :actor))
|
||||||
|
|
||||||
if User.superuser?(actor) || same_domain?(cng) do
|
if User.privileged?(actor, privilege) || same_domain?(cng) do
|
||||||
cng
|
cng
|
||||||
else
|
else
|
||||||
cng
|
cng
|
||||||
|
|
|
@ -61,7 +61,7 @@ defp validate_data(cng) do
|
||||||
|> validate_required([:id, :type, :actor, :to, :cc, :object])
|
|> validate_required([:id, :type, :actor, :to, :cc, :object])
|
||||||
|> validate_inclusion(:type, ["Delete"])
|
|> validate_inclusion(:type, ["Delete"])
|
||||||
|> validate_delete_actor(:actor)
|
|> validate_delete_actor(:actor)
|
||||||
|> validate_modification_rights()
|
|> validate_modification_rights(:status_delete)
|
||||||
|> validate_object_or_user_presence(allowed_types: @deletable_types)
|
|> validate_object_or_user_presence(allowed_types: @deletable_types)
|
||||||
|> add_deleted_activity_id()
|
|> add_deleted_activity_id()
|
||||||
end
|
end
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# SPDX-License-Identifier: AGPL-3.0-only
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
|
defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidationTest do
|
||||||
use Pleroma.DataCase, async: true
|
use Pleroma.DataCase, async: false
|
||||||
|
|
||||||
alias Pleroma.Object
|
alias Pleroma.Object
|
||||||
alias Pleroma.Web.ActivityPub.Builder
|
alias Pleroma.Web.ActivityPub.Builder
|
||||||
|
@ -90,17 +90,26 @@ test "it's invalid if the actor of the object and the actor of delete are from d
|
||||||
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
|
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it's valid if the actor of the object is a local superuser",
|
test "it's only valid if the actor of the object is a privileged local user",
|
||||||
%{valid_post_delete: valid_post_delete} do
|
%{valid_post_delete: valid_post_delete} do
|
||||||
|
clear_config([:instance, :moderator_privileges], [:status_delete])
|
||||||
|
|
||||||
user =
|
user =
|
||||||
insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo")
|
insert(:user, local: true, is_moderator: true, ap_id: "https://gensokyo.2hu/users/raymoo")
|
||||||
|
|
||||||
valid_other_actor =
|
post_delete_with_moderator_actor =
|
||||||
valid_post_delete
|
valid_post_delete
|
||||||
|> Map.put("actor", user.ap_id)
|
|> Map.put("actor", user.ap_id)
|
||||||
|
|
||||||
{:ok, _, meta} = ObjectValidator.validate(valid_other_actor, [])
|
{:ok, _, meta} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
|
||||||
|
|
||||||
assert meta[:do_not_federate]
|
assert meta[:do_not_federate]
|
||||||
|
|
||||||
|
clear_config([:instance, :moderator_privileges], [])
|
||||||
|
|
||||||
|
{:error, cng} = ObjectValidator.validate(post_delete_with_moderator_actor, [])
|
||||||
|
|
||||||
|
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue