[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence).

author: Ivan Tashkinov <ivantashkinov@gmail.com> 2020-07-19 21:35:57 +0300
committer: Ivan Tashkinov <ivantashkinov@gmail.com> 2020-07-19 21:35:57 +0300
commit: cf3f8cb72a46f0c8c798d4022cff442fae4ab401 (patch)
tree: 585b45b649a67efae1db0f22114b120d804031e8 /lib
parent: 5d215fd81f529b639db9096ca71d4e7f0a6ed386 (diff)
download: pleroma-cf3f8cb72a46f0c8c798d4022cff442fae4ab401.tar.gz
2 files changed, 13 insertions, 24 deletions
diff --git a/lib/pleroma/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
index b4b47a31f..ff0328d4a 100644
--- a/lib/pleroma/plugs/admin_secret_authentication_plug.ex
+++ b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
@@ -4,7 +4,9 @@
 
 defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
   import Plug.Conn
+
   alias Pleroma.User
+  alias Pleroma.Plugs.OAuthScopesPlug
 
   def init(options) do
     options
@@ -26,7 +28,7 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
 
   def authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
     if admin_token == secret_token() do
-      assign(conn, :user, %User{is_admin: true})
+      assign_admin_user(conn)
     else
       conn
     end
@@ -36,8 +38,14 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
     token = secret_token()
 
     case get_req_header(conn, "x-admin-token") do
-      [^token] -> assign(conn, :user, %User{is_admin: true})
+      [^token] -> assign_admin_user(conn)
       _ -> conn
     end
   end
+
+  defp assign_admin_user(conn) do
+    conn
+    |> assign(:user, %User{is_admin: true})
+    |> OAuthScopesPlug.skip_plug()
+  end
 end
diff --git a/lib/pleroma/plugs/user_is_admin_plug.ex b/lib/pleroma/plugs/user_is_admin_plug.ex
index 2748102df..488a61d1d 100644
--- a/lib/pleroma/plugs/user_is_admin_plug.ex
+++ b/lib/pleroma/plugs/user_is_admin_plug.ex
@@ -7,37 +7,18 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do
   import Plug.Conn
 
   alias Pleroma.User
-  alias Pleroma.Web.OAuth
 
   def init(options) do
     options
   end
 
-  def call(%{assigns: %{user: %User{is_admin: true}} = assigns} = conn, _) do
-    token = assigns[:token]
-
-    cond do
-      not Pleroma.Config.enforce_oauth_admin_scope_usage?() ->
-        conn
-
-      token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
-        # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
-        #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
-        #   Admin might opt out of admin scope for some apps to block any admin actions from them.
-        conn
-
-      true ->
-        fail(conn)
-    end
+  def call(%{assigns: %{user: %User{is_admin: true}}} = conn, _) do
+    conn
   end
 
   def call(conn, _) do
-    fail(conn)
-  end
-
-  defp fail(conn) do
     conn
-    |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
+    |> render_error(:forbidden, "User is not an admin.")
     |> halt()
   end
 end
author	Ivan Tashkinov <ivantashkinov@gmail.com>	2020-07-19 21:35:57 +0300
committer	Ivan Tashkinov <ivantashkinov@gmail.com>	2020-07-19 21:35:57 +0300
commit	cf3f8cb72a46f0c8c798d4022cff442fae4ab401 (patch)
tree	585b45b649a67efae1db0f22114b120d804031e8 /lib
parent	5d215fd81f529b639db9096ca71d4e7f0a6ed386 (diff)
download	pleroma-cf3f8cb72a46f0c8c798d4022cff442fae4ab401.tar.gz