diff options
| author | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-12-06 16:56:23 +0300 |
|---|---|---|
| committer | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-12-06 16:56:23 +0300 |
| commit | 93a80ee9155bf5257aa92afaca2fe017f28aabfa (patch) | |
| tree | c9e8cc5733bac57bbd3ab687a469ea14c3514028 | |
| parent | 13926537b644c3a4f1904c2fcd5d25fe0f284663 (diff) | |
| download | pleroma-93a80ee9155bf5257aa92afaca2fe017f28aabfa.tar.gz | |
[#1427] Bugfix for `enforce_oauth_admin_scope_usage`. Admin API documentation entry.
| -rw-r--r-- | docs/API/admin_api.md | 7 | ||||
| -rw-r--r-- | lib/pleroma/plugs/user_is_admin_plug.ex | 17 |
2 files changed, 15 insertions, 9 deletions
diff --git a/docs/API/admin_api.md b/docs/API/admin_api.md index 2cac317de..b19793150 100644 --- a/docs/API/admin_api.md +++ b/docs/API/admin_api.md @@ -2,6 +2,13 @@ Authentication is required and the user must be an admin. +Configuration options: + +* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle. + If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes). + If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions. + Note that client app needs to explicitly support admin scopes and request them when obtaining auth token. + ## `GET /api/pleroma/admin/users` ### List users diff --git a/lib/pleroma/plugs/user_is_admin_plug.ex b/lib/pleroma/plugs/user_is_admin_plug.ex index 8814556f1..814029dce 100644 --- a/lib/pleroma/plugs/user_is_admin_plug.ex +++ b/lib/pleroma/plugs/user_is_admin_plug.ex @@ -6,13 +6,20 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do import Pleroma.Web.TranslationHelpers import Plug.Conn - alias Pleroma.User alias Pleroma.Web.OAuth def init(options) do options end + unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do + # To do: once AdminFE makes use of "admin" scope, disable the following func definition + # (fail on no admin scope(s) in token even if `is_admin` is true) + def call(%Plug.Conn{assigns: %{user: %Pleroma.User{is_admin: true}}} = conn, _) do + conn + end + end + def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _token}} = conn, _) do if OAuth.Scopes.contains_admin_scopes?(oauth_scopes) do # Note: checking for _any_ admin scope presence, not necessarily fitting requested action. @@ -23,14 +30,6 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do end end - unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do - # To do: once AdminFE makes use of "admin" scope, disable the following func definition - # (fail on no admin scope(s) in token even if `is_admin` is true) - def call(%Plug.Conn{assigns: %{user: %User{is_admin: true}}} = conn, _) do - conn - end - end - def call(conn, _) do fail(conn) end |