@@ -17,11 +17,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
- Authentication: Added rate limit for password-authorized actions / login existence checks | |||
- Metadata Link: Atom syndication Feed | |||
- Admin API: `/users/:nickname/toggle_activation` endpoint is now deprecated in favor of: `/users/activate`, `/users/deactivate`, both accept `nicknames` array | |||
- Admin API: `POST /api/pleroma/admin/users/:nickname/permission_group/:permission_group` / `DELETE /api/pleroma/admin/users/:nickname/permission_group/:permission_group` are deprecated in favor of: `POST /api/pleroma/admin/users/permission_group/:permission_group` / `DELETE /api/pleroma/admin/users/permission_group/:permission_group` (both accept `nicknames` array) | |||
### Changed | |||
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7) | |||
- **Breaking:** Admin API: Return link alongside with token on password reset | |||
- **Breaking:** Admin API: `POST /users/permission_group/:permission_group` / `DELETE /users/permission_group/:permission_group` now accept `nicknames` array | |||
- Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings) | |||
- Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler | |||
- Admin API: Return `total` when querying for reports | |||
@@ -154,9 +154,18 @@ Note: Available `:permission_group` is currently moderator and admin. 404 is ret | |||
} | |||
``` | |||
## DEPRECATED `POST /api/pleroma/admin/users/:nickname/permission_group/:permission_group` | |||
### Add user to permission group | |||
- Params: none | |||
- Response: | |||
- On failure: `{"error": "…"}` | |||
- On success: JSON of the `user.info` | |||
## `POST /api/pleroma/admin/users/permission_group/:permission_group` | |||
### Add user in permission group | |||
### Add users to permission group | |||
- Params: | |||
- `nicknames`: nicknames array | |||
@@ -164,10 +173,20 @@ Note: Available `:permission_group` is currently moderator and admin. 404 is ret | |||
- On failure: `{"error": "…"}` | |||
- On success: JSON of the `user.info` | |||
## `DELETE /api/pleroma/admin/users/permission_group/:permission_group` | |||
## DEPRECATED `DELETE /api/pleroma/admin/users/:nickname/permission_group/:permission_group` | |||
### Remove user from permission group | |||
- Params: none | |||
- Response: | |||
- On failure: `{"error": "…"}` | |||
- On success: JSON of the `user.info` | |||
- Note: An admin cannot revoke their own admin status. | |||
## `DELETE /api/pleroma/admin/users/permission_group/:permission_group` | |||
### Remove users from permission group | |||
- Params: | |||
- `nicknames`: nicknames array | |||
- Response: | |||
@@ -345,7 +345,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do | |||
|> Enum.into(%{}, &{&1, true}) | |||
end | |||
def right_add(%{assigns: %{user: admin}} = conn, %{ | |||
def right_add_multiple(%{assigns: %{user: admin}} = conn, %{ | |||
"permission_group" => permission_group, | |||
"nicknames" => nicknames | |||
}) | |||
@@ -366,6 +366,32 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do | |||
json(conn, info) | |||
end | |||
def right_add_multiple(conn, _) do | |||
render_error(conn, :not_found, "No such permission_group") | |||
end | |||
def right_add(%{assigns: %{user: admin}} = conn, %{ | |||
"permission_group" => permission_group, | |||
"nickname" => nickname | |||
}) | |||
when permission_group in ["moderator", "admin"] do | |||
info = Map.put(%{}, "is_" <> permission_group, true) | |||
{:ok, user} = | |||
nickname | |||
|> User.get_cached_by_nickname() | |||
|> User.update_info(&User.Info.admin_api_update(&1, info)) | |||
ModerationLog.insert_log(%{ | |||
action: "grant", | |||
actor: admin, | |||
subject: [user], | |||
permission: permission_group | |||
}) | |||
json(conn, info) | |||
end | |||
def right_add(conn, _) do | |||
render_error(conn, :not_found, "No such permission_group") | |||
end | |||
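Review bot: In the single-nickname `right_add` added in this hunk, the assertive match `{:ok, user} =` on `nickname |> User.get_cached_by_nickname() |> User.update_info(...)` leaves no path for a nickname that resolves to no user. Such a request presumably raises instead of returning the `{"error": "…"}` body the API docs describe. The re-added `right_delete` in the later controller hunk uses the same pattern. Because these endpoints change privileges, a `with` that checks the lookup result first and falls back to `render_error(conn, :not_found, ...)` would make the failure explicit and keep the `ModerationLog.insert_log` call on the success path only.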
@@ -380,7 +406,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do | |||
}) | |||
end | |||
def right_delete( | |||
def right_delete_multiple( | |||
%{assigns: %{user: %{nickname: admin_nickname} = admin}} = conn, | |||
%{ | |||
"permission_group" => permission_group, | |||
@@ -408,10 +434,39 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do | |||
end | |||
end | |||
def right_delete(conn, _) do | |||
def right_delete_multiple(conn, _) do | |||
render_error(conn, :not_found, "No such permission_group") | |||
end | |||
def right_delete( | |||
%{assigns: %{user: admin}} = conn, | |||
%{ | |||
"permission_group" => permission_group, | |||
"nickname" => nickname | |||
} | |||
) | |||
when permission_group in ["moderator", "admin"] do | |||
info = Map.put(%{}, "is_" <> permission_group, false) | |||
{:ok, user} = | |||
nickname | |||
|> User.get_cached_by_nickname() | |||
|> User.update_info(&User.Info.admin_api_update(&1, info)) | |||
ModerationLog.insert_log(%{ | |||
action: "revoke", | |||
actor: admin, | |||
subject: [user], | |||
permission: permission_group | |||
}) | |||
json(conn, info) | |||
end | |||
def right_delete(%{assigns: %{user: %{nickname: nickname}}} = conn, %{"nickname" => nickname}) do | |||
render_error(conn, :forbidden, "You can't revoke your own admin status.") | |||
end | |||
def relay_follow(%{assigns: %{user: admin}} = conn, %{"relay_url" => target}) do | |||
with {:ok, _message} <- Relay.follow(target) do | |||
ModerationLog.insert_log(%{ | |||
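Review bot: As this hunk reads, the self-revocation clause `right_delete(%{assigns: %{user: %{nickname: nickname}}} = conn, %{"nickname" => nickname})` comes after the guarded clause. The guarded clause already matches any request with a `"nickname"` and a `permission_group` of `moderator` or `admin`, so an admin revoking their own admin status through the deprecated route is handled there and never reaches the 403. Move the self-revocation clause above the guarded one so the documented rule "An admin cannot revoke their own admin status" holds. Separately, the old catch-all was renamed to `right_delete_multiple(conn, _)`, so as far as the hunk shows `right_delete` has no fallback for an unknown permission group. Adding `def right_delete(conn, _), do: render_error(conn, :not_found, "No such permission_group")` as the last clause would restore the documented 404.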
@@ -144,8 +144,22 @@ defmodule Pleroma.Web.Router do | |||
get("/users/:nickname/permission_group", AdminAPIController, :right_get) | |||
get("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_get) | |||
post("/users/permission_group/:permission_group", AdminAPIController, :right_add) | |||
delete("/users/permission_group/:permission_group", AdminAPIController, :right_delete) | |||
post("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_add) | |||
delete( | |||
"/users/:nickname/permission_group/:permission_group", | |||
AdminAPIController, | |||
:right_delete | |||
) | |||
post("/users/permission_group/:permission_group", AdminAPIController, :right_add_multiple) | |||
delete( | |||
"/users/permission_group/:permission_group", | |||
AdminAPIController, | |||
:right_delete_multiple | |||
) | |||
post("/relay", AdminAPIController, :relay_follow) | |||
delete("/relay", AdminAPIController, :relay_unfollow) | |||
@@ -386,6 +386,26 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do | |||
test "/:right POST, can add to a permission group" do | |||
admin = insert(:user, info: %{is_admin: true}) | |||
user = insert(:user) | |||
conn = | |||
build_conn() | |||
|> assign(:user, admin) | |||
|> put_req_header("accept", "application/json") | |||
|> post("/api/pleroma/admin/users/#{user.nickname}/permission_group/admin") | |||
assert json_response(conn, 200) == %{ | |||
"is_admin" => true | |||
} | |||
log_entry = Repo.one(ModerationLog) | |||
assert ModerationLog.get_log_entry_message(log_entry) == | |||
"@#{admin.nickname} made @#{user.nickname} admin" | |||
end | |||
test "/:right POST, can add to a permission group (multiple)" do | |||
admin = insert(:user, info: %{is_admin: true}) | |||
user_one = insert(:user) | |||
user_two = insert(:user) | |||
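Review bot: The tests added for the deprecated single-nickname routes, here and in the DELETE hunk that follows, exercise only the success path. The cases that guard privilege changes are not covered: an admin sending DELETE for their own nickname (the docs say this is refused), an unknown `:permission_group` (documented as 404), and a nickname that matches no user. A test that issues `delete("/api/pleroma/admin/users/#{admin.nickname}/permission_group/admin")` and asserts `json_response(conn, 403)` would pin the self-revocation rule. The last test in this hunk continues outside it.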
@@ -409,6 +429,26 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do | |||
test "/:right DELETE, can remove from a permission group" do | |||
admin = insert(:user, info: %{is_admin: true}) | |||
user = insert(:user, info: %{is_admin: true}) | |||
conn = | |||
build_conn() | |||
|> assign(:user, admin) | |||
|> put_req_header("accept", "application/json") | |||
|> delete("/api/pleroma/admin/users/#{user.nickname}/permission_group/admin") | |||
assert json_response(conn, 200) == %{ | |||
"is_admin" => false | |||
} | |||
log_entry = Repo.one(ModerationLog) | |||
assert ModerationLog.get_log_entry_message(log_entry) == | |||
"@#{admin.nickname} revoked admin role from @#{user.nickname}" | |||
end | |||
test "/:right DELETE, can remove from a permission group (multiple)" do | |||
admin = insert(:user, info: %{is_admin: true}) | |||
user_one = insert(:user, info: %{is_admin: true}) | |||
user_two = insert(:user, info: %{is_admin: true}) | |||