Implement proper OAuth authorization on Admin API endpoints

Emelia Smith 2024-02-08 02:50:02 +01:00
parent 7b0a6060b2
commit 9330cd02f7
3 changed files with 56 additions and 18 deletions


@ -40,16 +40,20 @@ class AdminApiController extends Controller
{
public function supported(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
return response()->json(['supported' => true]);
}
public function getStats(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$res = AdminStatsService::summary();
$res['autospam_count'] = AccountInterstitial::whereType('post.autospam')
@ -60,8 +64,10 @@ class AdminApiController extends Controller
public function autospam(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$appeals = AccountInterstitial::whereType('post.autospam')
->whereNull('appeal_handled_at')
@ -95,8 +101,10 @@ class AdminApiController extends Controller
public function autospamHandle(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'action' => 'required|in:dismiss,approve,dismiss-all,approve-all,delete-post,delete-account',
@ -239,8 +247,10 @@ class AdminApiController extends Controller
public function modReports(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$reports = Report::whereNull('admin_seen')
->orderBy('created_at','desc')
@ -285,8 +295,10 @@ class AdminApiController extends Controller
public function modReportHandle(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'action' => 'required|string',
@ -343,8 +355,11 @@ class AdminApiController extends Controller
public function getConfiguration(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
abort_unless(config('instance.enable_cc'), 400);
return collect([
@ -386,8 +401,11 @@ class AdminApiController extends Controller
public function updateConfiguration(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
abort_unless(config('instance.enable_cc'), 400);
$this->validate($request, [
@ -448,8 +466,11 @@ class AdminApiController extends Controller
public function getUsers(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$this->validate($request, [
'sort' => 'sometimes|in:asc,desc',
]);
@ -466,8 +487,10 @@ class AdminApiController extends Controller
public function getUser(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$id = $request->input('user_id');
$key = 'pf-admin-api:getUser:byId:' . $id;
@ -497,8 +520,10 @@ class AdminApiController extends Controller
public function userAdminAction(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'id' => 'required',
@ -669,8 +694,10 @@ class AdminApiController extends Controller
public function instances(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'q' => 'sometimes',
@ -707,8 +734,10 @@ class AdminApiController extends Controller
public function getInstance(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$id = $request->input('id');
$res = Instance::findOrFail($id);
@ -718,8 +747,10 @@ class AdminApiController extends Controller
public function moderateInstance(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'id' => 'required',
@ -742,8 +773,10 @@ class AdminApiController extends Controller
public function refreshInstanceStats(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [
'id' => 'required',
@ -760,8 +793,10 @@ class AdminApiController extends Controller
public function getAllStats(Request $request)
{
abort_if(!$request->user(), 404);
abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin === 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
if($request->has('refresh')) {
Cache::forget('admin-api:instance-all-stats-v1');
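Review bot: `instances()` is the one method in this file whose validated input (`'q' => 'sometimes'`) reads like a list/search request yet its new check is `abort_unless($request->user()->tokenCan('admin:write'), 404);`, while every other read-style endpoint here takes `admin:read`; if it performs no writes the line should be `abort_unless($request->user()->tokenCan('admin:read'), 404);` so read-only admin clients are not forced to hold the write scope (its body runs past the hunk, so confirm there are no side effects first). More broadly, the same three-line preamble is now copy-pasted into sixteen methods, and a future method that omits one line is silently unprotected — Passport's `scopes:` route middleware or a private `authorizeAdmin(Request $request, string $scope): void` helper would make the check hard to forget. Note also that `->token()` is null for session-authenticated callers, so any web-UI route still pointing at these methods will now return 404; presumably intended, but worth confirming before merge.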


@ -757,8 +757,9 @@ class ApiV1Dot1Controller extends Controller
public function moderatePost(Request $request, $id)
{
abort_if(!$request->user(), 403);
abort_if(!$request->user() || !$request->user()->token(), 403);
abort_if($request->user()->is_admin != true, 403);
abort_unless($request->user()->tokenCan('admin:write'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404);
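Review bot: The new `abort_unless($request->user()->tokenCan('admin:write'), 403);` follows this file's 403 convention while the identical checks in AdminApiController abort with 404, so a non-admin token holder can confirm that `moderatePost` exists and is admin-gated here but not there; if the 404s are meant to hide the admin surface, this line should use 404 as well. The preceding `is_admin != true` is a loose comparison that the other controller writes as `== 1` / `=== 1` — pre-existing, but worth aligning while the block is being touched. The method continues past the hunk.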


@ -41,7 +41,9 @@ class AuthServiceProvider extends ServiceProvider
'read' => 'Full read access to your account',
'write' => 'Full write access to your account',
'follow' => 'Ability to follow other profiles',
'push' => ''
'admin:read' => 'Read all data on the server',
'admin:write' => 'Modify all data on the server',
'push' => 'Receive your push notifications'
]);
}
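Review bot: `admin:read` and `admin:write` are added to the scope list that registered OAuth clients can presumably request, so the consent screen will show "Read all data on the server" to every user; the scope grants nothing by itself because the controllers still check `is_admin`, but the description does not say so and may alarm ordinary users. Consider `'admin:read' => 'Read all data on the server (admin accounts only)'` and the same suffix on `admin:write` so the wording matches what the scope actually does. A trailing comma after the `push` entry would also keep the next scope addition a one-line diff.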