[#1427] Fixes / improvements of admin scopes support. Added tests.

2019-12-06 20:33:47 +03:00 · 2019-12-06 20:33:47 +03:00 · 40e1817f70
commit 40e1817f70
parent 93a80ee915
6 changed files with 162 additions and 58 deletions
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
  import Plug.Conn
  import Pleroma.Web.Gettext

+  alias Pleroma.Config
  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug

  @behaviour Plug
@ -15,6 +16,14 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
  def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
    op = options[:op] || :|
    token = assigns[:token]
+
+    scopes =
+      if options[:admin] do
+        Config.oauth_admin_scopes(scopes)
+      else
+        scopes
+      end
+
    matched_scopes = token && filter_descendants(scopes, token.scopes)

    cond do
--- a/lib/pleroma/plugs/user_is_admin_plug.ex
+++ b/lib/pleroma/plugs/user_is_admin_plug.ex
@ -12,31 +12,23 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do
    options
  end

-  unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do
-    # To do: once AdminFE makes use of "admin" scope, disable the following func definition
-    #   (fail on no admin scope(s) in token even if `is_admin` is true)
-    def call(%Plug.Conn{assigns: %{user: %Pleroma.User{is_admin: true}}} = conn, _) do
-      conn
+  def call(%Plug.Conn{assigns: assigns} = conn, _) do
+    token = assigns[:token]
+    user = assigns[:user]
+
+    cond do
+      token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
+        # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
+        #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
+        conn
+
+      user && user.is_admin && !Pleroma.Config.enforce_oauth_admin_scope_usage?() ->
+        conn
+
+      true ->
+        conn
+        |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
+        |> halt()
    end
  end
-
-  def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _token}} = conn, _) do
-    if OAuth.Scopes.contains_admin_scopes?(oauth_scopes) do
-      # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
-      #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
-      conn
-    else
-      fail(conn)
-    end
-  end
-
-  def call(conn, _) do
-    fail(conn)
-  end
-
-  defp fail(conn) do
-    conn
-    |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
-    |> halt()
-  end
 end