diff --git a/locales/en-US.yml b/locales/en-US.yml index 8570addfa2..313126d669 100644 --- a/locales/en-US.yml +++ b/locales/en-US.yml @@ -2119,6 +2119,7 @@ _permissions: "read:flash-likes": "View list of liked Plays" "write:flash-likes": "Edit list of liked Plays" "read:admin:abuse-user-reports": "View user reports" + "write:admin:create-account": "Create user account" "write:admin:delete-account": "Delete user account" "write:admin:delete-all-files-of-a-user": "Delete all files of a user" "read:admin:index-stats": "View database index stats" diff --git a/locales/index.d.ts b/locales/index.d.ts index 440f24ac84..4c2990e72b 100644 --- a/locales/index.d.ts +++ b/locales/index.d.ts @@ -8238,6 +8238,10 @@ export interface Locale extends ILocale { * ユーザーからの通報を見る */ "read:admin:abuse-user-reports": string; + /** + * ユーザーアカウントを作成する + */ + "write:admin:create-account": string; /** * ユーザーアカウントを削除する */ diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml index 5d8e1a5e72..fdc2ce045b 100644 --- a/locales/ja-JP.yml +++ b/locales/ja-JP.yml @@ -2163,6 +2163,7 @@ _permissions: "read:flash-likes": "Playのいいねを見る" "write:flash-likes": "Playのいいねを操作する" "read:admin:abuse-user-reports": "ユーザーからの通報を見る" + "write:admin:create-account": "ユーザーアカウントを作成する" "write:admin:delete-account": "ユーザーアカウントを削除する" "write:admin:delete-all-files-of-a-user": "ユーザーのすべてのファイルを削除する" "read:admin:index-stats": "データベースインデックスに関する情報を見る" diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts index d30131a62f..8d52fd94c4 100644 --- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts +++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts @@ -15,18 +15,21 @@ import { DI } from '@/di-symbols.js'; import type { Config } from '@/config.js'; import { ApiError } from '@/server/api/error.js'; import { Packed } from '@/misc/json-schema.js'; +import { RoleService } from '@/core/RoleService.js'; export const meta = { tags: ['admin'], errors: { accessDenied: { + httpStatusCode: 403, message: 'Access denied.', code: 'ACCESS_DENIED', id: '1fb7cb09-d46a-4fff-b8df-057708cce513', }, wrongInitialPassword: { + httpStatusCode: 401, message: 'Initial password is incorrect.', code: 'INCORRECT_INITIAL_PASSWORD', id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62', @@ -65,6 +68,7 @@ export default class extends Endpoint { // eslint- @Inject(DI.usersRepository) private usersRepository: UsersRepository, + private roleService: RoleService, private userEntityService: UserEntityService, private signupService: SignupService, private instanceActorService: InstanceActorService, @@ -85,8 +89,11 @@ export default class extends Endpoint { // eslint- // 初期パスワードが設定されていないのに初期パスワードが入力された場合 throw new ApiError(meta.errors.wrongInitialPassword); } - } else if ((realUsers && !me?.isRoot) || token !== null) { - // 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合 + } else if (!(me?.isRoot) && !await this.roleService.isAdministrator(me)) { + // 管理者でない場合 + throw new ApiError(meta.errors.accessDenied); + } else if (token && !token?.permission.includes('write:admin:create-account')) { + // access token を使うときは write:admin:create-account 権限が必要 throw new ApiError(meta.errors.accessDenied); } diff --git a/packages/backend/test/e2e/admin-create-account.ts b/packages/backend/test/e2e/admin-create-account.ts new file mode 100644 index 0000000000..830ec52935 --- /dev/null +++ b/packages/backend/test/e2e/admin-create-account.ts @@ -0,0 +1,88 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +process.env.NODE_ENV = 'test'; + +import * as assert from 'assert'; + +import type * as misskey from 'misskey-js'; +import { api, role, signup } from '../utils.js'; + +describe('Admin Create User', () => { + let admin: misskey.entities.SignupResponse; + let user: misskey.entities.SignupResponse; + let formerAdmin: misskey.entities.SignupResponse; + let adminRole : misskey.entities.Role; + let formerAdminRole : misskey.entities.Role; + + beforeAll(async () => { + admin = await signup({ username: 'admin' }); + formerAdmin = await signup({ username: 'former_admin' }); + user = await signup({ username: 'user' }); + adminRole = await role(admin, { + name: 'admin', + isAdministrator: true + }); + formerAdminRole = await role(admin, { + name: 'former_admin', + isAdministrator: true + }); + const addAdminRole = await api('admin/roles/assign', { + userId: admin.id, + roleId: adminRole.id + }, admin); + assert.strictEqual(addAdminRole.status, 204); + + const addFormerAdminRole = await api('admin/roles/assign', { + userId: formerAdmin.id, + roleId: formerAdminRole.id + }, admin); + assert.strictEqual(addFormerAdminRole.status, 204); + }, 1000 * 60 * 2); + + test('Create User', async () => { + const newUser1 = await api('admin/accounts/create', { + username: 'new_user1', + password: 'password', + }, admin); + assert.strictEqual(newUser1.status, 200); + + const newUser2 = await api('admin/accounts/create', { + username: 'new_user2', + password: 'password', + }, formerAdmin); + assert.strictEqual(newUser2.status, 200); + + const newUser3 = await api('admin/accounts/create', { + username: 'new_user3', + password: 'password', + }, user); + assert.strictEqual(newUser3.status, 403); + }); + + test('Revoking Admin Role', async () => { + const res = await api('admin/roles/delete', {roleId: formerAdminRole.id}, admin); + assert.strictEqual(res.status, 204); + + const res2 = await api('admin/roles/delete', {roleId: adminRole.id}, formerAdmin); + assert.strictEqual(res2.status, 403); + }); + + test('Revoked User Should Not Create User', async () => { + const newUser4 = await api('admin/accounts/create', { + username: 'new_user4', + password: 'password', + }, formerAdmin); + + assert.strictEqual(newUser4.status, 403); + + const newUser5 = await api('admin/accounts/create', { + username: 'new_user5', + password: 'password', + }, admin); + + assert.strictEqual(newUser5.status, 200); + }); +}) \ No newline at end of file diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md index 8ac48678ed..2457783311 100644 --- a/packages/misskey-js/etc/misskey-js.api.md +++ b/packages/misskey-js/etc/misskey-js.api.md @@ -2876,7 +2876,7 @@ type PartialRolePolicyOverride = Partial<{ }>; // @public (undocumented) -export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"]; +export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:create-account", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"]; // @public (undocumented) type PingResponse = operations['ping']['responses']['200']['content']['application/json']; diff --git a/packages/misskey-js/src/autogen/apiClientJSDoc.ts b/packages/misskey-js/src/autogen/apiClientJSDoc.ts index e2c7cbba52..236eb87131 100644 --- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts +++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts @@ -88,7 +88,7 @@ declare module '../api.js' { /** * No description provided. * - * **Credential required**: *No* + * **Credential required**: *No* / **Permission**: *write:admin:create-account* */ request( endpoint: E, diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts index 5f9b4316f3..227a9c5377 100644 --- a/packages/misskey-js/src/autogen/types.ts +++ b/packages/misskey-js/src/autogen/types.ts @@ -85,7 +85,7 @@ export type paths = { * admin/accounts/create * @description No description provided. * - * **Credential required**: *No* + * **Credential required**: *No* / **Permission**: *write:admin:create-account* */ post: operations['admin___accounts___create']; }; @@ -5659,7 +5659,7 @@ export type operations = { * admin/accounts/create * @description No description provided. * - * **Credential required**: *No* + * **Credential required**: *No* / **Permission**: *write:admin:create-account* */ admin___accounts___create: { requestBody: { diff --git a/packages/misskey-js/src/consts.ts b/packages/misskey-js/src/consts.ts index c5911a70eb..40cc44763f 100644 --- a/packages/misskey-js/src/consts.ts +++ b/packages/misskey-js/src/consts.ts @@ -64,6 +64,7 @@ export const permissions = [ 'read:flash-likes', 'write:flash-likes', 'read:admin:abuse-user-reports', + 'write:admin:create-account', 'write:admin:delete-account', 'write:admin:delete-all-files-of-a-user', 'read:admin:index-stats',