From b34f2492b6fce4dec2406d80bd7a3f09a0af5766 Mon Sep 17 00:00:00 2001
From: eternal-flame-AD <yume@yumechi.jp>
Date: Thu, 14 Nov 2024 02:50:44 -0600
Subject: [PATCH] Relax admin automated account registration

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
---
 .../api/endpoints/admin/accounts/create.ts    |  8 ++-
 .../backend/test/e2e/admin-create-account.ts  | 71 +++++++++++++++++++
 2 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 packages/backend/test/e2e/admin-create-account.ts

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index d30131a62f..29e1ddd5a0 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -15,18 +15,21 @@ import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import { ApiError } from '@/server/api/error.js';
 import { Packed } from '@/misc/json-schema.js';
+import { RoleService } from '@/core/RoleService.js';
 
 export const meta = {
 	tags: ['admin'],
 
 	errors: {
 		accessDenied: {
+			httpStatusCode: 403,
 			message: 'Access denied.',
 			code: 'ACCESS_DENIED',
 			id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
 		},
 
 		wrongInitialPassword: {
+			httpStatusCode: 401,
 			message: 'Initial password is incorrect.',
 			code: 'INCORRECT_INITIAL_PASSWORD',
 			id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
@@ -65,6 +68,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
+		private roleService: RoleService,
 		private userEntityService: UserEntityService,
 		private signupService: SignupService,
 		private instanceActorService: InstanceActorService,
@@ -85,8 +89,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					// 初期パスワードが設定されていないのに初期パスワードが入力された場合
 					throw new ApiError(meta.errors.wrongInitialPassword);
 				}
-			} else if ((realUsers && !me?.isRoot) || token !== null) {
-				// 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合
+			} else if (!(me?.isRoot) && !await this.roleService.isAdministrator(me)) {
+				// 管理者でない場合
 				throw new ApiError(meta.errors.accessDenied);
 			}
 
diff --git a/packages/backend/test/e2e/admin-create-account.ts b/packages/backend/test/e2e/admin-create-account.ts
new file mode 100644
index 0000000000..27ed149e5a
--- /dev/null
+++ b/packages/backend/test/e2e/admin-create-account.ts
@@ -0,0 +1,71 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+process.env.NODE_ENV = 'test';
+
+import * as assert from 'assert';
+
+import type * as misskey from 'misskey-js';
+import { api, role, signup } from '../utils.js';
+
+describe('Admin Create User', () => {
+    let admin: misskey.entities.SignupResponse;
+    let user: misskey.entities.SignupResponse;
+    let formerAdmin: misskey.entities.SignupResponse;
+    let adminRole : misskey.entities.Role;
+    let formerAdminRole : misskey.entities.Role;
+
+    beforeAll(async () => {
+        admin = await signup({ username: 'admin' });
+        formerAdmin = await signup({ username: 'former-admin' });
+        user = await signup({ username: 'user' });
+        adminRole = await role(admin, {isAdministrator: true});
+        formerAdminRole = await role(formerAdmin, {isAdministrator: true});
+    }, 1000 * 60 * 2);
+
+    test('Create User', async () => {
+        const newUser1 = await api('admin/accounts/create', {
+            username: 'new-user1',
+            password: 'password',
+        }, admin);
+        assert.strictEqual(newUser1.status, 200);
+
+        const newUser2 = await api('admin/accounts/create', {
+            username: 'new-user2',
+            password: 'password',
+        }, formerAdmin);
+        assert.strictEqual(newUser2.status, 200);
+
+        const newUser3 = await api('admin/accounts/create', {
+            username: 'new-user3',
+            password: 'password',
+        }, user);
+        assert.strictEqual(newUser3.status, 403);
+    });
+
+    test('Revoking Admin Role', async () => {
+        const res = await api('admin/roles/delete', {roleId: formerAdminRole.id}, admin);
+        assert.strictEqual(res.status, 200);
+
+        const res2 = await api('admin/roles/delete', {roleId: adminRole.id}, formerAdmin);
+        assert.strictEqual(res2.status, 403);
+    });
+
+    test('Revoked User Should Not Create User', async () => {
+        const newUser4 = await api('admin/accounts/create', {
+            username: 'new-user4',
+            password: 'password',
+        }, formerAdmin);
+
+        assert.strictEqual(newUser4.status, 403);
+
+        const newUser5 = await api('admin/accounts/create', {
+            username: 'new-user5',
+            password: 'password',
+        }, admin);
+
+        assert.strictEqual(newUser5.status, 200);
+    });
+})
\ No newline at end of file