git.squeep.com Git - akkoma/blob - lib/pleroma/plugs/user_is_admin_plug.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Plugs.UserIsAdminPlug do
   6   import Pleroma.Web.TranslationHelpers
   7   import Plug.Conn
   8
   9   alias Pleroma.User
  10   alias Pleroma.Web.OAuth
  11
  12   def init(options) do
  13     options
  14   end
  15
  16   def call(%{assigns: %{user: %User{is_admin: true}} = assigns} = conn, _) do
  17     token = assigns[:token]
  18
  19     cond do
  20       not Pleroma.Config.enforce_oauth_admin_scope_usage?() ->
  21         conn
  22
  23       token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
  24         # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
  25         #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
  26         conn
  27
  28       true ->
  29         fail(conn)
  30     end
  31   end
  32
  33   def call(conn, _) do
  34     fail(conn)
  35   end
  36
  37   defp fail(conn) do
  38     conn
  39     |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
  40     |> halt()
  41   end
  42 end