Merge tag '2024.10.1' into feature/2024.10
This commit is contained in:
dakkar
commit
f079edaf3c
454 changed files with 9728 additions and 3363 deletions
|
|
@ -10,6 +10,9 @@ import { SignupService } from '@/core/SignupService.js';
|
|||
import { UserEntityService } from '@/core/entities/UserEntityService.js';
|
||||
import { InstanceActorService } from '@/core/InstanceActorService.js';
|
||||
import { localUsernameSchema, passwordSchema } from '@/models/User.js';
|
||||
import { DI } from '@/di-symbols.js';
|
||||
import type { Config } from '@/config.js';
|
||||
import { ApiError } from '@/server/api/error.js';
|
||||
import { Packed } from '@/misc/json-schema.js';
|
||||
import { RoleService } from '@/core/RoleService.js';
|
||||
import { ApiError } from '@/server/api/error.js';
|
||||
|
|
@ -17,19 +20,19 @@ import { ApiError } from '@/server/api/error.js';
|
|||
export const meta = {
|
||||
tags: ['admin'],
|
||||
|
||||
res: {
|
||||
type: 'object',
|
||||
optional: false, nullable: false,
|
||||
ref: 'MeDetailed',
|
||||
properties: {
|
||||
token: {
|
||||
type: 'string',
|
||||
optional: false, nullable: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
errors: {
|
||||
accessDenied: {
|
||||
message: 'Access denied.',
|
||||
code: 'ACCESS_DENIED',
|
||||
id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
|
||||
},
|
||||
|
||||
wrongInitialPassword: {
|
||||
message: 'Initial password is incorrect.',
|
||||
code: 'INCORRECT_INITIAL_PASSWORD',
|
||||
id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
|
||||
},
|
||||
|
||||
// From ApiCallService.ts
|
||||
noCredential: {
|
||||
message: 'Credential required.',
|
||||
|
|
@ -51,6 +54,18 @@ export const meta = {
|
|||
},
|
||||
},
|
||||
|
||||
res: {
|
||||
type: 'object',
|
||||
optional: false, nullable: false,
|
||||
ref: 'MeDetailed',
|
||||
properties: {
|
||||
token: {
|
||||
type: 'string',
|
||||
optional: false, nullable: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
// Required token permissions, but we need to check them manually.
|
||||
// ApiCallService checks access in a way that would prevent creating the first account.
|
||||
softPermissions: [
|
||||
|
|
@ -64,6 +79,7 @@ export const paramDef = {
|
|||
properties: {
|
||||
username: localUsernameSchema,
|
||||
password: passwordSchema,
|
||||
setupPassword: { type: 'string', nullable: true },
|
||||
},
|
||||
required: ['username', 'password'],
|
||||
} as const;
|
||||
|
|
@ -71,13 +87,49 @@ export const paramDef = {
|
|||
@Injectable()
|
||||
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
|
||||
constructor(
|
||||
@Inject(DI.config)
|
||||
private config: Config,
|
||||
|
||||
@Inject(DI.usersRepository)
|
||||
private usersRepository: UsersRepository,
|
||||
|
||||
private roleService: RoleService,
|
||||
private userEntityService: UserEntityService,
|
||||
private signupService: SignupService,
|
||||
private instanceActorService: InstanceActorService,
|
||||
) {
|
||||
super(meta, paramDef, async (ps, _me, token) => {
|
||||
await this.ensurePermissions(_me, token);
|
||||
const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null;
|
||||
const realUsers = await this.instanceActorService.realLocalUsersPresent();
|
||||
|
||||
if (!realUsers && me == null && token == null) {
|
||||
// 初回セットアップの場合
|
||||
if (this.config.setupPassword != null) {
|
||||
// 初期パスワードが設定されている場合
|
||||
if (ps.setupPassword !== this.config.setupPassword) {
|
||||
// 初期パスワードが違う場合
|
||||
throw new ApiError(meta.errors.wrongInitialPassword);
|
||||
}
|
||||
} else if (ps.setupPassword != null && ps.setupPassword.trim() !== '') {
|
||||
// 初期パスワードが設定されていないのに初期パスワードが入力された場合
|
||||
throw new ApiError(meta.errors.wrongInitialPassword);
|
||||
}
|
||||
} else {
|
||||
if (token && !meta.softPermissions.every(p => token.permission.includes(p))) {
|
||||
// Tokens have scoped permissions which may be *less* than the user's official role, so we need to check.
|
||||
throw new ApiError(meta.errors.noPermission);
|
||||
}
|
||||
|
||||
if (me && !await this.roleService.isAdministrator(me)) {
|
||||
// Only administrators (including root) can create users.
|
||||
throw new ApiError(meta.errors.noAdmin);
|
||||
}
|
||||
|
||||
// Anonymous access is only allowed for initial instance setup (this check may be redundant)
|
||||
if (!me && realUsers) {
|
||||
throw new ApiError(meta.errors.noCredential);
|
||||
}
|
||||
}
|
||||
|
||||
const { account, secret } = await this.signupService.signup({
|
||||
username: ps.username,
|
||||
|
|
@ -96,21 +148,4 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
|||
return res;
|
||||
});
|
||||
}
|
||||
|
||||
private async ensurePermissions(me: MiUser | null, token: MiAccessToken | null): Promise<void> {
|
||||
// Tokens have scoped permissions which may be *less* than the user's official role, so we need to check.
|
||||
if (token && !meta.softPermissions.every(p => token.permission.includes(p))) {
|
||||
throw new ApiError(meta.errors.noPermission);
|
||||
}
|
||||
|
||||
// Only administrators (including root) can create users.
|
||||
if (me && !await this.roleService.isAdministrator(me)) {
|
||||
throw new ApiError(meta.errors.noAdmin);
|
||||
}
|
||||
|
||||
// Anonymous access is only allowed for initial instance setup.
|
||||
if (!me && await this.instanceActorService.realLocalUsersPresent()) {
|
||||
throw new ApiError(meta.errors.noCredential);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue