Merge branch 'feature/database-configuration-whitelist' into 'develop'

Database configuration whitelist See merge request pleroma/pleroma!2522
2020-05-14 16:07:37 +00:00 · 2020-05-14 16:07:37 +00:00 · e455ca3f3e
commit e455ca3f3e
parent 4157c459b8 80308c5c26
5 changed files with 117 additions and 16 deletions
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@ -37,7 +37,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do

  require Logger

-  @descriptions_json Pleroma.Docs.JSON.compile()
+  @descriptions Pleroma.Docs.JSON.compile()
  @users_page_size 50

  plug(
@ -897,9 +897,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
  end

  def config_descriptions(conn, _params) do
-    conn
-    |> Plug.Conn.put_resp_content_type("application/json")
-    |> Plug.Conn.send_resp(200, @descriptions_json)
+    descriptions = Enum.filter(@descriptions, &whitelisted_config?/1)
+
+    json(conn, descriptions)
  end

  def config_show(conn, %{"only_db" => true}) do
@ -954,7 +954,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
  def config_update(conn, %{"configs" => configs}) do
    with :ok <- configurable_from_database(conn) do
      {_errors, results} =
-        Enum.map(configs, fn
+        configs
+        |> Enum.filter(&whitelisted_config?/1)
+        |> Enum.map(fn
          %{"group" => group, "key" => key, "delete" => true} = params ->
            ConfigDB.delete(%{group: group, key: key, subkeys: params["subkeys"]})

@ -1016,6 +1018,28 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
    end
  end

+  defp whitelisted_config?(group, key) do
+    if whitelisted_configs = Config.get(:database_config_whitelist) do
+      Enum.any?(whitelisted_configs, fn
+        {whitelisted_group} ->
+          group == inspect(whitelisted_group)
+
+        {whitelisted_group, whitelisted_key} ->
+          group == inspect(whitelisted_group) && key == inspect(whitelisted_key)
+      end)
+    else
+      true
+    end
+  end
+
+  defp whitelisted_config?(%{"group" => group, "key" => key}) do
+    whitelisted_config?(group, key)
+  end
+
+  defp whitelisted_config?(%{:group => group} = config) do
+    whitelisted_config?(group, config[:key])
+  end
+
  def reload_emoji(conn, _params) do
    Pleroma.Emoji.reload()