diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts index d30131a62f..29e1ddd5a0 100644 --- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts +++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts @@ -15,18 +15,21 @@ import { DI } from '@/di-symbols.js'; import type { Config } from '@/config.js'; import { ApiError } from '@/server/api/error.js'; import { Packed } from '@/misc/json-schema.js'; +import { RoleService } from '@/core/RoleService.js'; export const meta = { tags: ['admin'], errors: { accessDenied: { + httpStatusCode: 403, message: 'Access denied.', code: 'ACCESS_DENIED', id: '1fb7cb09-d46a-4fff-b8df-057708cce513', }, wrongInitialPassword: { + httpStatusCode: 401, message: 'Initial password is incorrect.', code: 'INCORRECT_INITIAL_PASSWORD', id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62', @@ -65,6 +68,7 @@ export default class extends Endpoint { // eslint- @Inject(DI.usersRepository) private usersRepository: UsersRepository, + private roleService: RoleService, private userEntityService: UserEntityService, private signupService: SignupService, private instanceActorService: InstanceActorService, @@ -85,8 +89,8 @@ export default class extends Endpoint { // eslint- // 初期パスワードが設定されていないのに初期パスワードが入力された場合 throw new ApiError(meta.errors.wrongInitialPassword); } - } else if ((realUsers && !me?.isRoot) || token !== null) { - // 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合 + } else if (!(me?.isRoot) && !await this.roleService.isAdministrator(me)) { + // 管理者でない場合 throw new ApiError(meta.errors.accessDenied); } diff --git a/packages/backend/test/e2e/admin-create-account.ts b/packages/backend/test/e2e/admin-create-account.ts new file mode 100644 index 0000000000..a64af9907c --- /dev/null +++ b/packages/backend/test/e2e/admin-create-account.ts @@ -0,0 +1,71 @@ +/* + * SPDX-FileCopyrightText: syuilo and misskey-project + * SPDX-License-Identifier: AGPL-3.0-only + */ + +process.env.NODE_ENV = 'test'; + +import * as assert from 'assert'; + +import type * as misskey from 'misskey-js'; +import { api, role, signup } from '../utils.js'; + +describe('Admin Create User', () => { + let admin: misskey.entities.SignupResponse; + let user: misskey.entities.SignupResponse; + let formerAdmin: misskey.entities.SignupResponse; + let adminRole : misskey.entities.Role; + let formerAdminRole : misskey.entities.Role; + + beforeAll(async () => { + admin = await signup({ username: 'admin' }); + formerAdmin = await signup({ username: 'former-admin' }); + user = await signup({ username: 'user' }); + adminRole = await role(admin, {isAdministrator: true}); + formerAdminRole = await role(formerAdmin, {isAdministrator: true}); + }, 1000 * 60 * 2); + + test('Create User', async () => { + const newUser1 = await api('admin/accounts/create', { + username: 'new_user1', + password: 'password', + }, admin); + assert.strictEqual(newUser1.status, 200); + + const newUser2 = await api('admin/accounts/create', { + username: 'new_user2', + password: 'password', + }, formerAdmin); + assert.strictEqual(newUser2.status, 200); + + const newUser3 = await api('admin/accounts/create', { + username: 'new_user3', + password: 'password', + }, user); + assert.strictEqual(newUser3.status, 403); + }); + + test('Revoking Admin Role', async () => { + const res = await api('admin/roles/delete', {roleId: formerAdminRole.id}, admin); + assert.strictEqual(res.status, 200); + + const res2 = await api('admin/roles/delete', {roleId: adminRole.id}, formerAdmin); + assert.strictEqual(res2.status, 403); + }); + + test('Revoked User Should Not Create User', async () => { + const newUser4 = await api('admin/accounts/create', { + username: 'new_user4', + password: 'password', + }, formerAdmin); + + assert.strictEqual(newUser4.status, 403); + + const newUser5 = await api('admin/accounts/create', { + username: 'new_user5', + password: 'password', + }, admin); + + assert.strictEqual(newUser5.status, 200); + }); +}) \ No newline at end of file