aiden
/
pixelfed
mirror of https://github.com/pixelfed/pixelfed
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Implement proper OAuth authorization on Admin API endpoints

Browse Source
pull/4911/head
Emelia Smith 1 year ago
parent 7b0a6060b2
commit 9330cd02f7
No known key found for this signature in database
3 changed files with 56 additions and 18 deletions
Show Stats Download Patch File Download Diff File

67
app/Http/Controllers/Api/AdminApiController.php
Unescape Escape View File

@ -40,16 +40,20 @@ class AdminApiController extends Controller
{ {
public function supported(Request $request) public function supported(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
return response()->json(['supported' => true]); return response()->json(['supported' => true]);
} }
public function getStats(Request $request) public function getStats(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$res = AdminStatsService::summary(); $res = AdminStatsService::summary();
$res['autospam_count'] = AccountInterstitial::whereType('post.autospam') $res['autospam_count'] = AccountInterstitial::whereType('post.autospam')
@ -60,8 +64,10 @@ class AdminApiController extends Controller
public function autospam(Request $request) public function autospam(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$appeals = AccountInterstitial::whereType('post.autospam') $appeals = AccountInterstitial::whereType('post.autospam')
->whereNull('appeal_handled_at') ->whereNull('appeal_handled_at')
@ -95,8 +101,10 @@ class AdminApiController extends Controller
public function autospamHandle(Request $request) public function autospamHandle(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'action' => 'required|in:dismiss,approve,dismiss-all,approve-all,delete-post,delete-account', 'action' => 'required|in:dismiss,approve,dismiss-all,approve-all,delete-post,delete-account',
@ -239,8 +247,10 @@ class AdminApiController extends Controller
public function modReports(Request $request) public function modReports(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$reports = Report::whereNull('admin_seen') $reports = Report::whereNull('admin_seen')
->orderBy('created_at','desc') ->orderBy('created_at','desc')
@ -285,8 +295,10 @@ class AdminApiController extends Controller
public function modReportHandle(Request $request) public function modReportHandle(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'action' => 'required|string', 'action' => 'required|string',
@ -343,8 +355,11 @@ class AdminApiController extends Controller
public function getConfiguration(Request $request) public function getConfiguration(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
abort_unless(config('instance.enable_cc'), 400); abort_unless(config('instance.enable_cc'), 400);
return collect([ return collect([
@ -386,8 +401,11 @@ class AdminApiController extends Controller
public function updateConfiguration(Request $request) public function updateConfiguration(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
abort_unless(config('instance.enable_cc'), 400); abort_unless(config('instance.enable_cc'), 400);
$this->validate($request, [ $this->validate($request, [
@ -448,8 +466,11 @@ class AdminApiController extends Controller
public function getUsers(Request $request) public function getUsers(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$this->validate($request, [ $this->validate($request, [
'sort' => 'sometimes|in:asc,desc', 'sort' => 'sometimes|in:asc,desc',
]); ]);
@ -466,8 +487,10 @@ class AdminApiController extends Controller
public function getUser(Request $request) public function getUser(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$id = $request->input('user_id'); $id = $request->input('user_id');
$key = 'pf-admin-api:getUser:byId:' . $id; $key = 'pf-admin-api:getUser:byId:' . $id;
@ -497,8 +520,10 @@ class AdminApiController extends Controller
public function userAdminAction(Request $request) public function userAdminAction(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'id' => 'required', 'id' => 'required',
@ -669,8 +694,10 @@ class AdminApiController extends Controller
public function instances(Request $request) public function instances(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'q' => 'sometimes', 'q' => 'sometimes',
@ -707,8 +734,10 @@ class AdminApiController extends Controller
public function getInstance(Request $request) public function getInstance(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
$id = $request->input('id'); $id = $request->input('id');
$res = Instance::findOrFail($id); $res = Instance::findOrFail($id);
@ -718,8 +747,10 @@ class AdminApiController extends Controller
public function moderateInstance(Request $request) public function moderateInstance(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'id' => 'required', 'id' => 'required',
@ -742,8 +773,10 @@ class AdminApiController extends Controller
public function refreshInstanceStats(Request $request) public function refreshInstanceStats(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin == 1, 404); abort_unless($request->user()->is_admin == 1, 404);
abort_unless($request->user()->tokenCan('admin:write'), 404);
$this->validate($request, [ $this->validate($request, [
'id' => 'required', 'id' => 'required',
@ -760,8 +793,10 @@ class AdminApiController extends Controller
public function getAllStats(Request $request) public function getAllStats(Request $request)
{ {
abort_if(!$request->user(), 404); abort_if(!$request->user() || !$request->user()->token(), 404);
abort_unless($request->user()->is_admin === 1, 404); abort_unless($request->user()->is_admin === 1, 404);
abort_unless($request->user()->tokenCan('admin:read'), 404);
if($request->has('refresh')) { if($request->has('refresh')) {
Cache::forget('admin-api:instance-all-stats-v1'); Cache::forget('admin-api:instance-all-stats-v1');

3
app/Http/Controllers/Api/ApiV1Dot1Controller.php
Unescape Escape View File

@ -757,8 +757,9 @@ class ApiV1Dot1Controller extends Controller
public function moderatePost(Request $request, $id) public function moderatePost(Request $request, $id)
{ {
abort_if(!$request->user(), 403); abort_if(!$request->user() || !$request->user()->token(), 403);
abort_if($request->user()->is_admin != true, 403); abort_if($request->user()->is_admin != true, 403);
abort_unless($request->user()->tokenCan('admin:write'), 403);
if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { if(config('pixelfed.bouncer.cloud_ips.ban_signups')) {
abort_if(BouncerService::checkIp($request->ip()), 404); abort_if(BouncerService::checkIp($request->ip()), 404);

4
app/Providers/AuthServiceProvider.php
Unescape Escape View File

@ -41,7 +41,9 @@ class AuthServiceProvider extends ServiceProvider
'read' => 'Full read access to your account', 'read' => 'Full read access to your account',
'write' => 'Full write access to your account', 'write' => 'Full write access to your account',
'follow' => 'Ability to follow other profiles', 'follow' => 'Ability to follow other profiles',
'push' => '' 'admin:read' => 'Read all data on the server',
'admin:write' => 'Modify all data on the server',
'push' => 'Receive your push notifications'
]); ]);
} }

Write Preview
Loading…
Cancel
Save