### Changed
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
+- **Breaking:** OAuth: defaulted `[:auth, :enforce_oauth_admin_scope_usage]` setting to `true` which demands `admin` OAuth scope to perform admin actions (in addition to `is_admin` flag on User); make sure to use bundled or newer versions of AdminFE & PleromaFE to access admin / moderator features.
- Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
- Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler
- Enabled `:instance, extended_nickname_format` in the default config
config :pleroma,
:auth,
- enforce_oauth_admin_scope_usage: false,
+ enforce_oauth_admin_scope_usage: true,
oauth_consumer_strategies: oauth_consumer_strategies
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
# Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
# Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
+ # Admin might opt out of admin scope for some apps to block any admin actions from them.
conn
true ->
end
def admin_api_update(user, params) do
- changeset =
- cast(user, params, [
- :is_moderator,
- :is_admin,
- :show_role
- ])
-
- with {:ok, updated_user} <- update_and_set_cache(changeset) do
- if user.is_admin && !updated_user.is_admin do
- # Tokens & authorizations containing any admin scopes must be revoked (revoking all).
- # This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins).
- global_sign_out(user)
- end
-
- {:ok, updated_user}
- end
+ user
+ |> cast(params, [
+ :is_moderator,
+ :is_admin,
+ :show_role
+ ])
+ |> update_and_set_cache()
end
@doc "Signs user out of all applications"
{:user_active, true} <- {:user_active, !user.deactivated},
{:password_reset_pending, false} <-
{:password_reset_pending, user.password_reset_pending},
- {:ok, scopes} <- validate_scopes(app, params, user),
+ {:ok, scopes} <- validate_scopes(app, params),
{:ok, auth} <- Authorization.create_authorization(app, user, scopes),
{:ok, token} <- Token.exchange_token(app, auth) do
json(conn, Token.Response.build(user, token))
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
%App{} = app <- Repo.get_by(App, client_id: client_id),
true <- redirect_uri in String.split(app.redirect_uris),
- {:ok, scopes} <- validate_scopes(app, auth_attrs, user),
+ {:ok, scopes} <- validate_scopes(app, auth_attrs),
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
Authorization.create_authorization(app, user, scopes)
end
defp put_session_registration_id(%Plug.Conn{} = conn, registration_id),
do: put_session(conn, :registration_id, registration_id)
- @spec validate_scopes(App.t(), map(), User.t()) ::
+ @spec validate_scopes(App.t(), map()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
- defp validate_scopes(%App{} = app, params, %User{} = user) do
+ defp validate_scopes(%App{} = app, params) do
params
|> Scopes.fetch_scopes(app.scopes)
- |> Scopes.validate(app.scopes, user)
+ |> Scopes.validate(app.scopes)
end
def default_redirect_uri(%App{} = app) do
"""
alias Pleroma.Plugs.OAuthScopesPlug
- alias Pleroma.User
@doc """
Fetch scopes from request params.
@doc """
Validates scopes.
"""
- @spec validate(list() | nil, list(), User.t()) ::
+ @spec validate(list() | nil, list()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
- def validate(blank_scopes, _app_scopes, _user) when blank_scopes in [nil, []],
+ def validate(blank_scopes, _app_scopes) when blank_scopes in [nil, []],
do: {:error, :missing_scopes}
- def validate(scopes, app_scopes, %User{} = user) do
- with {:ok, _} <- ensure_scopes_support(scopes, app_scopes),
- {:ok, scopes} <- authorize_admin_scopes(scopes, app_scopes, user) do
- {:ok, scopes}
- end
- end
-
- defp ensure_scopes_support(scopes, app_scopes) do
+ def validate(scopes, app_scopes) do
case OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
^scopes -> {:ok, scopes}
_ -> {:error, :unsupported_scopes}
end
end
- defp authorize_admin_scopes(scopes, app_scopes, %User{} = user) do
- if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
- {:ok, scopes}
- else
- # Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
- scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
- validate(scopes, app_scopes, user)
- end
- end
-
def contains_admin_scopes?(scopes) do
scopes
|> OAuthScopesPlug.filter_descendants(["admin"])
--- /dev/null
+defmodule Pleroma.Repo.Migrations.AddScopesToPleromaFEOAuthRecords do
+ use Ecto.Migration
+
+ def up do
+ update_scopes_clause = "SET scopes = '{read,write,follow,push,admin}'"
+ apps_where = "WHERE apps.client_name like 'PleromaFE_%' or apps.client_name like 'AdminFE_%'"
+ app_id_subquery_where = "WHERE app_id IN (SELECT apps.id FROM apps #{apps_where})"
+
+ execute("UPDATE apps #{update_scopes_clause} #{apps_where}")
+
+ for table <- ["oauth_authorizations", "oauth_tokens"] do
+ execute("UPDATE #{table} #{update_scopes_clause} #{app_id_subquery_where}")
+ end
+ end
+
+ def down, do: :noop
+end
describe "POST /oauth/authorize" do
test "redirects with oauth authorization, " <>
- "keeping only non-admin scopes for non-admin user" do
- app = insert(:oauth_app, scopes: ["read", "write", "admin"])
+ "granting requested app-supported scopes to both admin- and non-admin users" do
+ app_scopes = ["read", "write", "admin", "secret_scope"]
+ app = insert(:oauth_app, scopes: app_scopes)
redirect_uri = OAuthController.default_redirect_uri(app)
non_admin = insert(:user, is_admin: false)
admin = insert(:user, is_admin: true)
+ scopes_subset = ["read:subscope", "write", "admin"]
- for {user, expected_scopes} <- %{
- non_admin => ["read:subscope", "write"],
- admin => ["read:subscope", "write", "admin"]
- } do
+ # In case scope param is missing, expecting _all_ app-supported scopes to be granted
+ for user <- [non_admin, admin],
+ {requested_scopes, expected_scopes} <-
+ %{scopes_subset => scopes_subset, nil => app_scopes} do
conn =
- build_conn()
- |> post("/oauth/authorize", %{
- "authorization" => %{
- "name" => user.nickname,
- "password" => "test",
- "client_id" => app.client_id,
- "redirect_uri" => redirect_uri,
- "scope" => "read:subscope write admin",
- "state" => "statepassed"
+ post(
+ build_conn(),
+ "/oauth/authorize",
+ %{
+ "authorization" => %{
+ "name" => user.nickname,
+ "password" => "test",
+ "client_id" => app.client_id,
+ "redirect_uri" => redirect_uri,
+ "scope" => requested_scopes,
+ "state" => "statepassed"
+ }
}
- })
+ )
target = redirected_to(conn)
assert target =~ redirect_uri
assert result =~ "Invalid Username/Password"
end
- test "returns 401 for missing scopes " <>
- "(including all admin-only scopes for non-admin user)" do
+ test "returns 401 for missing scopes" do
user = insert(:user, is_admin: false)
app = insert(:oauth_app, scopes: ["read", "write", "admin"])
redirect_uri = OAuthController.default_redirect_uri(app)
- for scope_param <- ["", "admin:read admin:write"] do
- result =
- build_conn()
- |> post("/oauth/authorize", %{
- "authorization" => %{
- "name" => user.nickname,
- "password" => "test",
- "client_id" => app.client_id,
- "redirect_uri" => redirect_uri,
- "state" => "statepassed",
- "scope" => scope_param
- }
- })
- |> html_response(:unauthorized)
+ result =
+ build_conn()
+ |> post("/oauth/authorize", %{
+ "authorization" => %{
+ "name" => user.nickname,
+ "password" => "test",
+ "client_id" => app.client_id,
+ "redirect_uri" => redirect_uri,
+ "state" => "statepassed",
+ "scope" => ""
+ }
+ })
+ |> html_response(:unauthorized)
- # Keep the details
- assert result =~ app.client_id
- assert result =~ redirect_uri
+ # Keep the details
+ assert result =~ app.client_id
+ assert result =~ redirect_uri
- # Error message
- assert result =~ "This action is outside the authorized scopes"
- end
+ # Error message
+ assert result =~ "This action is outside the authorized scopes"
end
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
"emoji"
)
+ clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
+ Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+ end
+
test "shared & non-shared pack information in list_packs is ok" do
conn = build_conn()
resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
projects / akkoma / commitdiff