Commit 5e229e19 authored by Ilja's avatar Ilja

Add "moderation_tag:account-invitation"

I moved the rest of the scope "/api/v1/pleroma/admin" down because otherwise there's a conflict between the endpoints `get("/users/:nickname"` and `get("/users/invites"`.
parent e80e55d9
Pipeline #39885 passed with stages
in 13 minutes and 19 seconds
......@@ -105,6 +105,11 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Web.Plugs.UserIsAdminPlug)
end
pipeline :require_moderation_tag_account_invitation do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsureUserTag, "moderation_tag:account-invitation")
end
pipeline :require_moderation_tag_report_triage do
plug(:admin_api)
plug(Pleroma.Web.Plugs.EnsureUserTag, "moderation_tag:report-triage")
......@@ -262,9 +267,10 @@ defmodule Pleroma.Web.Router do
post("/backups", AdminAPIController, :create_backup)
end
# AdminAPI: admins and mods (staff) can perform these actions
# AdminAPI
# admins and mods (staff) with moderation_tag:account-invitation can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
pipe_through(:require_moderation_tag_account_invitation)
patch("/users/approve", UserController, :approve)
......@@ -272,23 +278,6 @@ defmodule Pleroma.Web.Router do
get("/users/invites", InviteController, :index)
post("/users/revoke_invite", InviteController, :revoke)
post("/users/email_invite", InviteController, :email)
get("/users", UserController, :index)
get("/users/:nickname", UserController, :show)
get("/instances/:instance/statuses", InstanceController, :list_statuses)
delete("/instances/:instance", InstanceController, :delete)
get("/statuses/:id", StatusController, :show)
put("/statuses/:id", StatusController, :update)
delete("/statuses/:id", StatusController, :delete)
get("/moderation_log", AdminAPIController, :list_log)
post("/reload_emoji", AdminAPIController, :reload_emoji)
get("/stats", AdminAPIController, :stats)
delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
end
# AdminAPI
......@@ -403,6 +392,28 @@ defmodule Pleroma.Web.Router do
end
end
# AdminAPI: admins and mods (staff) can perform these actions
scope "/api/v1/pleroma/admin", Pleroma.Web.AdminAPI do
pipe_through(:admin_api)
get("/users", UserController, :index)
get("/users/:nickname", UserController, :show)
get("/instances/:instance/statuses", InstanceController, :list_statuses)
delete("/instances/:instance", InstanceController, :delete)
get("/statuses/:id", StatusController, :show)
put("/statuses/:id", StatusController, :update)
delete("/statuses/:id", StatusController, :delete)
get("/moderation_log", AdminAPIController, :list_log)
post("/reload_emoji", AdminAPIController, :reload_emoji)
get("/stats", AdminAPIController, :stats)
delete("/chats/:id/messages/:message_id", ChatController, :delete_message)
end
scope "/", Pleroma.Web.TwitterAPI do
pipe_through(:pleroma_html)
......
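Review bot: The tag gate on the invite routes now depends on declaration order, and nothing in the router says so. Phoenix matches routes in the order they are defined, so the staff scope holding `get("/users/:nickname", UserController, :show)` has to stay below the scope piped through `:require_moderation_tag_account_invitation`; otherwise `GET /users/invites` is dispatched to `:show` through `:admin_api` alone. I would record that on the moved scope, e.g. `# Keep below the tag-gated scopes: "/users/:nickname" would otherwise capture "/users/invites"`. The new scope comment could also say that `patch("/users/approve", UserController, :approve)` is covered by the account-invitation tag, since the tag name does not suggest it. The router module continues outside these hunks.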
......@@ -11,7 +11,7 @@ defmodule Pleroma.Web.AdminAPI.InviteControllerTest do
alias Pleroma.UserInviteToken
setup do
admin = insert(:user, is_admin: true)
admin = insert(:user, is_admin: true, tags: ["moderation_tag:account-invitation"])
token = insert(:oauth_admin_token, user: admin)
conn =
......@@ -79,6 +79,25 @@ test "it returns 403 if requested by a non-admin" do
assert json_response(conn, :forbidden)
end
test "it requires user tag moderation_tag:account-invitation", %{conn: conn} do
recipient_email = "foo@bar.com"
recipient_name = "J. D."
conn =
conn.assigns.user.tags
|> put_in(conn.assigns.user.tags -- ["moderation_tag:account-invitation"])
conn =
conn
|> put_req_header("content-type", "application/json;charset=utf-8")
|> post("/api/pleroma/admin/users/email_invite", %{
email: recipient_email,
name: recipient_name
})
assert json_response(conn, :forbidden)
end
test "email with +", %{conn: conn, admin: admin} do
recipient_email = "foo+bar@baz.com"
......@@ -218,6 +237,19 @@ test "with max use and expires_at", %{conn: conn} do
assert invite.max_use == 150
assert invite.invite_type == "reusable_date_limited"
end
test "it requires user tag moderation_tag:account-invitation", %{conn: conn} do
conn =
conn.assigns.user.tags
|> put_in(conn.assigns.user.tags -- ["moderation_tag:account-invitation"])
response =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/users/invite_token")
assert json_response(response, :forbidden)
end
end
describe "GET /api/pleroma/admin/users/invites" do
......@@ -246,6 +278,16 @@ test "with invite", %{conn: conn} do
]
}
end
test "it requires user tag moderation_tag:account-invitation", %{conn: conn} do
conn =
conn.assigns.user.tags
|> put_in(conn.assigns.user.tags -- ["moderation_tag:account-invitation"])
response = get(conn, "/api/pleroma/admin/users/invites")
assert json_response(response, :forbidden)
end
end
describe "POST /api/pleroma/admin/users/revoke_invite" do
......@@ -276,5 +318,18 @@ test "with invalid token", %{conn: conn} do
assert json_response_and_validate_schema(conn, :not_found) == %{"error" => "Not found"}
end
test "it requires user tag moderation_tag:account-invitation", %{conn: conn} do
conn =
conn.assigns.user.tags
|> put_in(conn.assigns.user.tags -- ["moderation_tag:account-invitation"])
response =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/users/revoke_invite", %{"token" => "foo"})
assert json_response(response, :forbidden)
end
end
end
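Review bot: Every new tag test in this file drives the `is_admin: true` user from `setup`, so nothing shows that holding the tag alone does not open the invite endpoints. The factory call sets `tags:` directly on the user, and the staff check presumably comes from `plug(:admin_api)`, which is not visible on this page. A case built on `insert(:user, is_admin: false, tags: ["moderation_tag:account-invitation"])` that expects `:forbidden` would pin that the tag is an additional requirement rather than a substitute for staff status. The four negative tests also assert only the status code, which the existing non-admin test returns too, so checking the error body would tie each 403 to the tag plug. The repeated `conn.assigns.user.tags |> put_in(...)` step would read more clearly as one small private helper.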
......@@ -29,7 +29,11 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
admin =
insert(:user,
is_admin: true,
tags: ["moderation_tag:account-activation", "moderation_tag:account-deletion"]
tags: [
"moderation_tag:account-activation",
"moderation_tag:account-deletion",
"moderation_tag:account-invitation"
]
)
token = insert(:oauth_admin_token, user: admin)
......@@ -924,7 +928,8 @@ test "it requires user tag moderation_tag:account-activation", %{conn: conn} do
end
end
test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do
describe "PATCH /api/pleroma/admin/users/approve" do
test "it approves users and logs an entry in the moderation log", %{admin: admin, conn: conn} do
user_one = insert(:user, is_approved: false)
user_two = insert(:user, is_approved: false)
......@@ -945,6 +950,26 @@ test "PATCH /api/pleroma/admin/users/approve", %{admin: admin, conn: conn} do
"@#{admin.nickname} approved users: @#{user_one.nickname}, @#{user_two.nickname}"
end
test "it requires user tag moderation_tag:account-invitation", %{conn: conn} do
conn =
conn.assigns.user.tags
|> put_in(conn.assigns.user.tags -- ["moderation_tag:account-invitation"])
user_one = insert(:user, is_approved: false)
user_two = insert(:user, is_approved: false)
response =
conn
|> put_req_header("content-type", "application/json")
|> patch(
"/api/pleroma/admin/users/approve",
%{nicknames: [user_one.nickname, user_two.nickname]}
)
assert json_response(response, :forbidden)
end
end
test "PATCH /api/pleroma/admin/users/suggest", %{admin: admin, conn: conn} do
user1 = insert(:user, is_suggested: false)
user2 = insert(:user, is_suggested: false)
......
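Review bot: The new approve test asserts only the 403 status and never confirms that `user_one` and `user_two` stay unapproved. A rejected request that still flipped `is_approved` or wrote a moderation-log entry would pass this test as written. After the request I would reload both users and `refute` their `is_approved` flag, and check that no "approved users" log entry exists, mirroring the log assertion in the positive test above. The `describe` block continues past the visible lines, so its remaining tests are not reviewed here.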