
Draft: More fine grained access for moderator privileges using tags

Ilja requested to merge ilja/pleroma:use_tags_for_moderation_privileges into develop

Fix #2852

The pitch

The idea is to limit moderation endpoints based on the fact that the user

  • is a staff member AND
  • has the right privileges based on user tags

That way admins can decide what they allow their moderators (and also admins) to do and what not. E.g. some admins may want their moderators to be able to delete users, others may not want that. Some admins may want to be able to read chats and non-public messages (which is currently possible through admin-fe), others may not want that (although they obviously still can through the database if they have server access, but not everyone with the admin role is necessarily a system admin with server access).

In a later stage, we could introduce custom roles other than "Admin" and "Moderator". Custom roles are out of scope for this MR, but this MR shouldn't introduce changes which would make it harder to go that route later.

Note that I run my own single-user instance, so I don't really have much experience with moderation. I grouped things in a way that made sense to me, feel free to provide feedback if there are things you feel should be done differently. Especially feedback from staff of instances with multiple moderators is very welcome here.

Tags and what they allow

Currently I've grouped endpoints as follows:

  • moderation_tag:report-triage
    • Get a list of reports
    • Get specific report
    • Update specific report
    • Add and delete report notes
  • moderation_tag:manage-user-tags
    • Add and remove user tags. You can NOT add or delete user tags starting with "moderation_tag:"
  • moderation_tag:post-deletion
    • TODO
  • moderation_tag:messages-read-non-public
    • Get list of statuses (including non-public) and chats. You can also get a specific status or chat
  • moderation_tag:account-restriction
    • TODO
  • moderation_tag:account-activation
    • Activate and deactivate users
  • moderation_tag:account-deletion
    • Delete users
  • moderation_tag:account-credentials
    • Force password reset, disable mfa, show and update user credentials (I assume username/email)

Extra

I kept the naming convention the way it's done for the mrf-tags (see https://git.pleroma.social/pleroma/pleroma/-/blob/develop/lib/pleroma/web/activity_pub/mrf/tag_policy.ex#L8)

If you want to try this out, you can give a user the needed tags by starting Pleroma with iex -S mix phx.server and then, in the iex shell, you can do the following (assuming your user is named erica and the tag you want to set is moderation_tag:report-triage):

alias Pleroma.User

# Set the tag
User.tag("erica","moderation_tag:report-triage")

# Unset the tag
User.untag("erica","moderation_tag:report-triage")

Todo

  • Add and group other tags
    • Non-public posts that are reported should still be viewable with the report. Check that this is still a thing even for someone who doesn't have the "moderation_tag:messages-read-non-public"
  • Go through the rest of the code to see if other things need to be restricted that super_users now have/can
    • getting report notifications
    • report notifications deletion when the tag is removed (instead of when not a super user any more)
    • Showing deactivated field !3644 (closed)
    • Other?
  • Clean up previous MRs
  • Add setting for what user tags an admin and moderator respectively get. (This implies that it will be possible to allow a moderator things while restricting it for admins, and vice versa)
  • Migration to give moderators and admins the tags corresponding to what they have on latest stable
  • Making someone moderator or admin should also set the correct tags
  • What with existing admin/mods when someone changed what tags an admin/mod can have?
    • Some ideas:
      • Set it correct during start-up?
      • Have a mix task to correct things?
      • Other options?
  • Do we need to make it possible to allow setting a specific tag to a user already? (Personally I think we shouldn't at this time)
  • Make changes to Pleroma-fe to show certain options/menus based on these tags
  • What with admin-fe?
  • Docs/Changelog/etc.
  • Other things I'm forgetting?
Edited by Ilja
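
Added example, not part of the merge request or of Pleroma's code: a minimal Elixir sketch of the two rules the description states, namely that an action requires staff status AND the matching "moderation_tag:" tag, and that the manage-user-tags privilege cannot add tags in the "moderation_tag:" namespace. Users are plain maps, and the module name, function names, error atoms and the "example-tag" value are assumptions made for illustration.

```elixir
# Added sketch, not code from the merge request. Users are plain maps here;
# module, function and field names are assumptions for illustration.
defmodule PrivilegeSketch do
  @prefix "moderation_tag:"

  # Staff status and the matching tag are BOTH required (the "AND" in the pitch).
  def allowed?(%{tags: tags} = user, privilege) when is_list(tags) do
    staff?(user) and (@prefix <> privilege) in tags
  end

  def allowed?(_user, _privilege), do: false

  # Tag edits need manage-user-tags, and tags in the moderation_tag: namespace
  # are refused so that this privilege cannot be used to hand out privileges.
  def add_tags(actor, target, new_tags) do
    cond do
      not allowed?(actor, "manage-user-tags") -> {:error, :forbidden}
      Enum.any?(new_tags, &privilege_tag?/1) -> {:error, :protected_tag}
      true -> {:ok, %{target | tags: Enum.uniq(target.tags ++ new_tags)}}
    end
  end

  defp staff?(user) do
    Map.get(user, :is_admin, false) or Map.get(user, :is_moderator, false)
  end

  # Assumption: tags may be trimmed or lower-cased before storage, so the
  # check normalises first and " Moderation_Tag:x" is refused as well.
  defp privilege_tag?(tag) do
    tag |> String.trim() |> String.downcase() |> String.starts_with?(@prefix)
  end
end

# Constructed sample users; each match below raises MatchError if the rule fails.
mod = %{is_admin: false, is_moderator: true, tags: ["moderation_tag:manage-user-tags"]}
ex_mod = %{mod | is_moderator: false}   # tag left behind, staff role removed
erica = %{is_admin: false, is_moderator: false, tags: []}

true = PrivilegeSketch.allowed?(mod, "manage-user-tags")
false = PrivilegeSketch.allowed?(mod, "account-deletion")
false = PrivilegeSketch.allowed?(ex_mod, "manage-user-tags")
{:ok, %{tags: ["example-tag"]}} = PrivilegeSketch.add_tags(mod, erica, ["example-tag"])
{:error, :protected_tag} = PrivilegeSketch.add_tags(mod, erica, ["moderation_tag:account-deletion"])
{:error, :protected_tag} = PrivilegeSketch.add_tags(mod, erica, [" Moderation_Tag:account-deletion"])
{:error, :forbidden} = PrivilegeSketch.add_tags(ex_mod, erica, ["example-tag"])
```

The ex_mod case shows why a leftover tag on a demoted account grants nothing as long as the staff check stays in the conjunction.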
