mirror of
https://github.com/pixelfed/pixelfed.git
synced 2024-11-24 23:35:23 +00:00
Implement proper OAuth authorization on Admin API endpoints
This commit is contained in:
parent
7b0a6060b2
commit
9330cd02f7
3 changed files with 56 additions and 18 deletions
|
@ -40,16 +40,20 @@ class AdminApiController extends Controller
|
|||
{
|
||||
public function supported(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
return response()->json(['supported' => true]);
|
||||
}
|
||||
|
||||
public function getStats(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$res = AdminStatsService::summary();
|
||||
$res['autospam_count'] = AccountInterstitial::whereType('post.autospam')
|
||||
|
@ -60,8 +64,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function autospam(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$appeals = AccountInterstitial::whereType('post.autospam')
|
||||
->whereNull('appeal_handled_at')
|
||||
|
@ -95,8 +101,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function autospamHandle(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'action' => 'required|in:dismiss,approve,dismiss-all,approve-all,delete-post,delete-account',
|
||||
|
@ -239,8 +247,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function modReports(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$reports = Report::whereNull('admin_seen')
|
||||
->orderBy('created_at','desc')
|
||||
|
@ -285,8 +295,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function modReportHandle(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'action' => 'required|string',
|
||||
|
@ -343,8 +355,11 @@ class AdminApiController extends Controller
|
|||
|
||||
public function getConfiguration(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
abort_unless(config('instance.enable_cc'), 400);
|
||||
|
||||
return collect([
|
||||
|
@ -386,8 +401,11 @@ class AdminApiController extends Controller
|
|||
|
||||
public function updateConfiguration(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
abort_unless(config('instance.enable_cc'), 400);
|
||||
|
||||
$this->validate($request, [
|
||||
|
@ -448,8 +466,11 @@ class AdminApiController extends Controller
|
|||
|
||||
public function getUsers(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'sort' => 'sometimes|in:asc,desc',
|
||||
]);
|
||||
|
@ -466,8 +487,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function getUser(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$id = $request->input('user_id');
|
||||
$key = 'pf-admin-api:getUser:byId:' . $id;
|
||||
|
@ -497,8 +520,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function userAdminAction(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'id' => 'required',
|
||||
|
@ -669,8 +694,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function instances(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'q' => 'sometimes',
|
||||
|
@ -707,8 +734,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function getInstance(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
$id = $request->input('id');
|
||||
$res = Instance::findOrFail($id);
|
||||
|
@ -718,8 +747,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function moderateInstance(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'id' => 'required',
|
||||
|
@ -742,8 +773,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function refreshInstanceStats(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin == 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 404);
|
||||
|
||||
$this->validate($request, [
|
||||
'id' => 'required',
|
||||
|
@ -760,8 +793,10 @@ class AdminApiController extends Controller
|
|||
|
||||
public function getAllStats(Request $request)
|
||||
{
|
||||
abort_if(!$request->user(), 404);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 404);
|
||||
|
||||
abort_unless($request->user()->is_admin === 1, 404);
|
||||
abort_unless($request->user()->tokenCan('admin:read'), 404);
|
||||
|
||||
if($request->has('refresh')) {
|
||||
Cache::forget('admin-api:instance-all-stats-v1');
|
||||
|
|
|
@ -757,8 +757,9 @@ class ApiV1Dot1Controller extends Controller
|
|||
|
||||
public function moderatePost(Request $request, $id)
|
||||
{
|
||||
abort_if(!$request->user(), 403);
|
||||
abort_if(!$request->user() || !$request->user()->token(), 403);
|
||||
abort_if($request->user()->is_admin != true, 403);
|
||||
abort_unless($request->user()->tokenCan('admin:write'), 403);
|
||||
|
||||
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) {
|
||||
abort_if(BouncerService::checkIp($request->ip()), 404);
|
||||
|
|
|
@ -41,7 +41,9 @@ class AuthServiceProvider extends ServiceProvider
|
|||
'read' => 'Full read access to your account',
|
||||
'write' => 'Full write access to your account',
|
||||
'follow' => 'Ability to follow other profiles',
|
||||
'push' => ''
|
||||
'admin:read' => 'Read all data on the server',
|
||||
'admin:write' => 'Modify all data on the server',
|
||||
'push' => 'Receive your push notifications'
|
||||
]);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue