hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests.

Browse source
This commit is contained in:
Ivan Tashkinov 2019-09-17 22:19:39 +03:00
commit 76068873db
3 changed files with 210 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

71
lib/pleroma/web/admin_api/admin_api_controller.ex
View file

@ -24,38 +24,20 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
require Logger
plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action == :list_user_statuses)
plug(
OAuthScopesPlug,
%{scopes: ["write:statuses"]} when action in [:status_update, :status_delete]
%{scopes: ["admin:read:accounts", "read:accounts"]}
when action in [:list_users, :user_show, :right_get, :invites]
)
plug(
OAuthScopesPlug,
%{scopes: ["read"]}
%{scopes: ["admin:write", "write:accounts"]}
when action in [
:list_reports,
:report_show,
:right_get,
:get_invite_token,
:invites,
:revoke_invite,
:email_invite,
:get_password_reset,
:list_users,
:user_show,
:config_show,
:migrate_to_db,
:migrate_from_db,
:list_log
]
)
plug(
OAuthScopesPlug,
%{scopes: ["write"]}
when action in [
:report_update_state,
:report_respond,
:user_follow,
:user_unfollow,
:user_delete,
@ -65,15 +47,44 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
:untag_users,
:right_add,
:right_delete,
:set_activation_status,
:relay_follow,
:relay_unfollow,
:revoke_invite,
:email_invite,
:config_update
:set_activation_status
]
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:read:reports", "read:reports"]} when action in [:list_reports, :report_show]
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:write:reports", "write:reports"]}
when action in [:report_update_state, :report_respond]
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:read:statuses", "read:statuses"]} when action == :list_user_statuses
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:write:statuses", "write:statuses"]}
when action in [:status_update, :status_delete]
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:read", "read"]}
when action in [:config_show, :migrate_to_db, :migrate_from_db, :list_log]
)
plug(
OAuthScopesPlug,
%{scopes: ["admin:write", "write"]}
when action in [:relay_follow, :relay_unfollow, :config_update]
)
@users_page_size 50
action_fallback(:errors)
@ -451,7 +462,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
end
end
@doc "Get a account registeration invite token (base64 string)"
@doc "Get a account registration invite token (base64 string)"
def get_invite_token(conn, params) do
options = params["invite"] || %{}
{:ok, invite} = UserInviteToken.create_invite(options)

23
lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
View file

@ -53,13 +53,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
require Logger
require Pleroma.Constants
plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
@unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
# Note: :index action handles attempt of unauthenticated access to private instance with redirect
plug(
OAuthScopesPlug,
%{scopes: ["read"], skip_instance_privacy_check: true} when action == :index
Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
when action == :index
)
plug(
@ -220,6 +220,23 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
%{scopes: ["write:bookmarks"]} when action in [:bookmark_status, :unbookmark_status]
)
# An extra safety measure for possible actions not guarded by OAuth permissions specification
plug(
Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
when action not in [
:account_register,
:create_app,
:index,
:login,
:logout,
:password_reset,
:account_confirmation_resend,
:masto_instance,
:peers,
:custom_emojis
]
)
@rate_limited_relations_actions ~w(follow unfollow)a
@rate_limited_status_actions ~w(reblog_status unreblog_status fav_status unfav_status