Make backups require its own scope (#218)

Pulled from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3721.

This makes backups require its own scope (`read:backups`) instead of the `read:accounts` scope.

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/218
Co-authored-by: Norm <normandy@biribiri.dev>
Co-committed-by: Norm <normandy@biribiri.dev>
This commit is contained in:
Norm 2022-09-19 17:31:35 +00:00 committed by floatingghost
parent 0aabe4d0c3
commit 561e1f2470
4 changed files with 10 additions and 5 deletions

View file

@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
- **Breaking**: `/api/v1/pleroma/backups` endpoints now requires `read:backups` scope instead of `read:accounts`
## 2022.09 ## 2022.09
### Added ### Added

View file

@ -16,7 +16,7 @@ defmodule Pleroma.Web.ApiSpec.PleromaBackupOperation do
%Operation{ %Operation{
tags: ["Backups"], tags: ["Backups"],
summary: "List backups", summary: "List backups",
security: [%{"oAuth" => ["read:account"]}], security: [%{"oAuth" => ["read:backups"]}],
operationId: "PleromaAPI.BackupController.index", operationId: "PleromaAPI.BackupController.index",
responses: %{ responses: %{
200 => 200 =>
@ -37,7 +37,7 @@ defmodule Pleroma.Web.ApiSpec.PleromaBackupOperation do
%Operation{ %Operation{
tags: ["Backups"], tags: ["Backups"],
summary: "Create a backup", summary: "Create a backup",
security: [%{"oAuth" => ["read:account"]}], security: [%{"oAuth" => ["read:backups"]}],
operationId: "PleromaAPI.BackupController.create", operationId: "PleromaAPI.BackupController.create",
responses: %{ responses: %{
200 => 200 =>

View file

@ -9,7 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupController do
alias Pleroma.Web.Plugs.OAuthScopesPlug alias Pleroma.Web.Plugs.OAuthScopesPlug
action_fallback(Pleroma.Web.MastodonAPI.FallbackController) action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
plug(OAuthScopesPlug, %{scopes: ["read:accounts"]} when action in [:index, :create]) plug(OAuthScopesPlug, %{scopes: ["read:backups"]} when action in [:index, :create])
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.PleromaBackupOperation defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.PleromaBackupOperation

View file

@ -11,7 +11,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupControllerTest do
setup do setup do
clear_config([Pleroma.Upload, :uploader]) clear_config([Pleroma.Upload, :uploader])
clear_config([Backup, :limit_days]) clear_config([Backup, :limit_days])
oauth_access(["read:accounts"]) oauth_access(["read:backups"])
end end
test "GET /api/v1/pleroma/backups", %{user: user, conn: conn} do test "GET /api/v1/pleroma/backups", %{user: user, conn: conn} do
@ -85,7 +85,7 @@ defmodule Pleroma.Web.PleromaAPI.BackupControllerTest do
test "Backup without email address" do test "Backup without email address" do
user = Pleroma.Factory.insert(:user, email: nil) user = Pleroma.Factory.insert(:user, email: nil)
%{conn: conn} = oauth_access(["read:accounts"], user: user) %{conn: conn} = oauth_access(["read:backups"], user: user)
assert is_nil(user.email) assert is_nil(user.email)