Relax admin automated account registration #16
9 changed files with 108 additions and 6 deletions
|
@ -2119,6 +2119,7 @@ _permissions:
|
||||||
"read:flash-likes": "View list of liked Plays"
|
"read:flash-likes": "View list of liked Plays"
|
||||||
"write:flash-likes": "Edit list of liked Plays"
|
"write:flash-likes": "Edit list of liked Plays"
|
||||||
"read:admin:abuse-user-reports": "View user reports"
|
"read:admin:abuse-user-reports": "View user reports"
|
||||||
|
"write:admin:create-account": "Create user account"
|
||||||
"write:admin:delete-account": "Delete user account"
|
"write:admin:delete-account": "Delete user account"
|
||||||
"write:admin:delete-all-files-of-a-user": "Delete all files of a user"
|
"write:admin:delete-all-files-of-a-user": "Delete all files of a user"
|
||||||
"read:admin:index-stats": "View database index stats"
|
"read:admin:index-stats": "View database index stats"
|
||||||
|
|
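--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -8238,6 +8238,10 @@ export interface Locale extends ILocale {
 * ユーザーからの通報を見る
 */
 "read:admin:abuse-user-reports": string;
+/**
+* ユーザーアカウントを作成する
+*/
+"write:admin:create-account": string;
 /**
 * ユーザーアカウントを削除する
 */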
|
|
@ -2163,6 +2163,7 @@ _permissions:
|
||||||
"read:flash-likes": "Playのいいねを見る"
|
"read:flash-likes": "Playのいいねを見る"
|
||||||
"write:flash-likes": "Playのいいねを操作する"
|
"write:flash-likes": "Playのいいねを操作する"
|
||||||
"read:admin:abuse-user-reports": "ユーザーからの通報を見る"
|
"read:admin:abuse-user-reports": "ユーザーからの通報を見る"
|
||||||
|
"write:admin:create-account": "ユーザーアカウントを作成する"
|
||||||
"write:admin:delete-account": "ユーザーアカウントを削除する"
|
"write:admin:delete-account": "ユーザーアカウントを削除する"
|
||||||
"write:admin:delete-all-files-of-a-user": "ユーザーのすべてのファイルを削除する"
|
"write:admin:delete-all-files-of-a-user": "ユーザーのすべてのファイルを削除する"
|
||||||
"read:admin:index-stats": "データベースインデックスに関する情報を見る"
|
"read:admin:index-stats": "データベースインデックスに関する情報を見る"
|
||||||
|
|
|
@ -15,18 +15,21 @@ import { DI } from '@/di-symbols.js';
|
||||||
import type { Config } from '@/config.js';
|
import type { Config } from '@/config.js';
|
||||||
import { ApiError } from '@/server/api/error.js';
|
import { ApiError } from '@/server/api/error.js';
|
||||||
import { Packed } from '@/misc/json-schema.js';
|
import { Packed } from '@/misc/json-schema.js';
|
||||||
|
import { RoleService } from '@/core/RoleService.js';
|
||||||
|
|
||||||
export const meta = {
|
export const meta = {
|
||||||
tags: ['admin'],
|
tags: ['admin'],
|
||||||
|
|
||||||
errors: {
|
errors: {
|
||||||
accessDenied: {
|
accessDenied: {
|
||||||
|
httpStatusCode: 403,
|
||||||
message: 'Access denied.',
|
message: 'Access denied.',
|
||||||
code: 'ACCESS_DENIED',
|
code: 'ACCESS_DENIED',
|
||||||
id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
|
id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
|
||||||
},
|
},
|
||||||
|
|
||||||
wrongInitialPassword: {
|
wrongInitialPassword: {
|
||||||
|
httpStatusCode: 401,
|
||||||
message: 'Initial password is incorrect.',
|
message: 'Initial password is incorrect.',
|
||||||
code: 'INCORRECT_INITIAL_PASSWORD',
|
code: 'INCORRECT_INITIAL_PASSWORD',
|
||||||
id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
|
id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
|
||||||
|
@ -65,6 +68,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
@Inject(DI.usersRepository)
|
@Inject(DI.usersRepository)
|
||||||
private usersRepository: UsersRepository,
|
private usersRepository: UsersRepository,
|
||||||
|
|
||||||
|
private roleService: RoleService,
|
||||||
private userEntityService: UserEntityService,
|
private userEntityService: UserEntityService,
|
||||||
private signupService: SignupService,
|
private signupService: SignupService,
|
||||||
private instanceActorService: InstanceActorService,
|
private instanceActorService: InstanceActorService,
|
||||||
|
@ -85,8 +89,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
// 初期パスワードが設定されていないのに初期パスワードが入力された場合
|
// 初期パスワードが設定されていないのに初期パスワードが入力された場合
|
||||||
throw new ApiError(meta.errors.wrongInitialPassword);
|
throw new ApiError(meta.errors.wrongInitialPassword);
|
||||||
}
|
}
|
||||||
} else if ((realUsers && !me?.isRoot) || token !== null) {
|
} else if (!(me?.isRoot) && !await this.roleService.isAdministrator(me)) {
|
||||||
// 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合
|
// 管理者でない場合
|
||||||
|
throw new ApiError(meta.errors.accessDenied);
|
||||||
|
} else if (token && !token?.permission.includes('write:admin:create-account')) {
|
||||||
|
// access token を使うときは write:admin:create-account 権限が必要
|
||||||
throw new ApiError(meta.errors.accessDenied);
|
throw new ApiError(meta.errors.accessDenied);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
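Review bot: `this.roleService.isAdministrator(me)` on the new `else if` runs whenever the caller is not root, which includes a null `me` (the endpoint accepts unauthenticated calls for the initial-setup branch above this hunk); unless `isAdministrator` is documented to treat a null user as a non-admin, that is an unhandled exception instead of the intended `accessDenied`, so I would fail closed explicitly: `} else if (me == null || (!me.isRoot && !await this.roleService.isAdministrator(me))) {`. On the next branch `token?.permission` can be `token.permission`, since `token &&` already narrows it, and checking the token's permission before the role lookup is cheaper and rejects the same requests. The enclosing handler starts and ends outside the hunk, so I cannot see whether an account created by a token-authenticated admin is recorded in the moderation log; since this change newly admits automated creation, that is worth confirming.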
|
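--- /dev/null
+++ b/packages/backend/test/e2e/admin-create-account.ts
@@ -0,0 +1,88 @@
+/*
+* SPDX-FileCopyrightText: syuilo and misskey-project
+* SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+process.env.NODE_ENV = 'test';
+
+import * as assert from 'assert';
+
+import type * as misskey from 'misskey-js';
+import { api, role, signup } from '../utils.js';
+
+describe('Admin Create User', () => {
+let admin: misskey.entities.SignupResponse;
+let user: misskey.entities.SignupResponse;
+let formerAdmin: misskey.entities.SignupResponse;
+let adminRole : misskey.entities.Role;
+let formerAdminRole : misskey.entities.Role;
+
+beforeAll(async () => {
+admin = await signup({ username: 'admin' });
+formerAdmin = await signup({ username: 'former_admin' });
+user = await signup({ username: 'user' });
+adminRole = await role(admin, {
+name: 'admin',
+isAdministrator: true
+});
+formerAdminRole = await role(admin, {
+name: 'former_admin',
+isAdministrator: true
+});
+const addAdminRole = await api('admin/roles/assign', {
+userId: admin.id,
+roleId: adminRole.id
+}, admin);
+assert.strictEqual(addAdminRole.status, 204);
+
+const addFormerAdminRole = await api('admin/roles/assign', {
+userId: formerAdmin.id,
+roleId: formerAdminRole.id
+}, admin);
+assert.strictEqual(addFormerAdminRole.status, 204);
+}, 1000 * 60 * 2);
+
+test('Create User', async () => {
+const newUser1 = await api('admin/accounts/create', {
+username: 'new_user1',
+password: 'password',
+}, admin);
+assert.strictEqual(newUser1.status, 200);
+
+const newUser2 = await api('admin/accounts/create', {
+username: 'new_user2',
+password: 'password',
+}, formerAdmin);
+assert.strictEqual(newUser2.status, 200);
+
+const newUser3 = await api('admin/accounts/create', {
+username: 'new_user3',
+password: 'password',
+}, user);
+assert.strictEqual(newUser3.status, 403);
+});
+
+test('Revoking Admin Role', async () => {
+const res = await api('admin/roles/delete', {roleId: formerAdminRole.id}, admin);
+assert.strictEqual(res.status, 204);
+
+const res2 = await api('admin/roles/delete', {roleId: adminRole.id}, formerAdmin);
+assert.strictEqual(res2.status, 403);
+});
+
+test('Revoked User Should Not Create User', async () => {
+const newUser4 = await api('admin/accounts/create', {
+username: 'new_user4',
+password: 'password',
+}, formerAdmin);
+
+assert.strictEqual(newUser4.status, 403);
+
+const newUser5 = await api('admin/accounts/create', {
+username: 'new_user5',
+password: 'password',
+}, admin);
+
+assert.strictEqual(newUser5.status, 200);
+});
+})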
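Review bot: The new test file never exercises the access-token path that this change opens: every `api(...)` call in `describe('Admin Create User')` authenticates as a signed-up user, so the branch that requires `write:admin:create-account` on the token is shown neither to admit a token carrying it nor to reject one that lacks it. Add two cases using whatever helper the suite has for issuing a scoped token (not visible here): an admin's token granted `write:admin:create-account` expected to get 200, and an admin's token without that permission expected to get 403, plus a non-admin's token with the permission expected 403. 'Revoked User Should Not Create User' already covers role revocation well. Minor style: `let adminRole : misskey.entities.Role` has a stray space before the colon, and the closing `})` lacks a semicolon.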
|
|
@ -2876,7 +2876,7 @@ type PartialRolePolicyOverride = Partial<{
|
||||||
}>;
|
}>;
|
||||||
|
|
||||||
// @public (undocumented)
|
// @public (undocumented)
|
||||||
export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];
|
export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:create-account", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];
|
||||||
|
|
||||||
// @public (undocumented)
|
// @public (undocumented)
|
||||||
type PingResponse = operations['ping']['responses']['200']['content']['application/json'];
|
type PingResponse = operations['ping']['responses']['200']['content']['application/json'];
|
||||||
|
|
|
@ -88,7 +88,7 @@ declare module '../api.js' {
|
||||||
/**
|
/**
|
||||||
* No description provided.
|
* No description provided.
|
||||||
*
|
*
|
||||||
* **Credential required**: *No*
|
* **Credential required**: *No* / **Permission**: *write:admin:create-account*
|
||||||
*/
|
*/
|
||||||
request<E extends 'admin/accounts/create', P extends Endpoints[E]['req']>(
|
request<E extends 'admin/accounts/create', P extends Endpoints[E]['req']>(
|
||||||
endpoint: E,
|
endpoint: E,
|
||||||
|
|
|
@ -85,7 +85,7 @@ export type paths = {
|
||||||
* admin/accounts/create
|
* admin/accounts/create
|
||||||
* @description No description provided.
|
* @description No description provided.
|
||||||
*
|
*
|
||||||
* **Credential required**: *No*
|
* **Credential required**: *No* / **Permission**: *write:admin:create-account*
|
||||||
*/
|
*/
|
||||||
post: operations['admin___accounts___create'];
|
post: operations['admin___accounts___create'];
|
||||||
};
|
};
|
||||||
|
@ -5659,7 +5659,7 @@ export type operations = {
|
||||||
* admin/accounts/create
|
* admin/accounts/create
|
||||||
* @description No description provided.
|
* @description No description provided.
|
||||||
*
|
*
|
||||||
* **Credential required**: *No*
|
* **Credential required**: *No* / **Permission**: *write:admin:create-account*
|
||||||
*/
|
*/
|
||||||
admin___accounts___create: {
|
admin___accounts___create: {
|
||||||
requestBody: {
|
requestBody: {
|
||||||
|
|
|
@ -64,6 +64,7 @@ export const permissions = [
|
||||||
'read:flash-likes',
|
'read:flash-likes',
|
||||||
'write:flash-likes',
|
'write:flash-likes',
|
||||||
'read:admin:abuse-user-reports',
|
'read:admin:abuse-user-reports',
|
||||||
|
'write:admin:create-account',
|
||||||
'write:admin:delete-account',
|
'write:admin:delete-account',
|
||||||
'write:admin:delete-all-files-of-a-user',
|
'write:admin:delete-all-files-of-a-user',
|
||||||
'read:admin:index-stats',
|
'read:admin:index-stats',
|
||||||
|
|