enforce token rank in API

This commit is contained in:
Hazelnoot 2025-06-21 10:17:15 -04:00
parent 7c7e9360fa
commit fae87e03c0
3 changed files with 9 additions and 4 deletions


@ -29,6 +29,7 @@ import type {
DriveFilesRepository,
FollowingsRepository,
FollowRequestsRepository,
MiAccessToken,
MiFollowing,
MiInstance,
MiMeta,
@ -436,6 +437,7 @@ export class UserEntityService implements OnModuleInit {
instances?: Map<string, MiInstance | null>,
securityKeyCounts?: Map<string, number>,
myFollowings?: Map<string, Omit<MiFollowing, 'isFollowerHibernated'>>,
token?: MiAccessToken | null,
},
): Promise<Packed<S>> {
const opts = Object.assign({
@ -529,8 +531,8 @@ export class UserEntityService implements OnModuleInit {
(profile.followersVisibility === 'followers') && (relation && relation.isFollowing) ? user.followersCount :
null;
const isModerator = isMe && isDetailed ? this.roleService.isModerator(user) : null;
const isAdmin = isMe && isDetailed ? this.roleService.isAdministrator(user) : null;
const isModerator = isMe && isDetailed && (opts.token?.rank == null || opts.token.rank === 'mod') ? this.roleService.isModerator(user) : null;
const isAdmin = isMe && isDetailed && (opts.token?.rank == null || opts.token.rank === 'admin') ? this.roleService.isAdministrator(user) : null;
const unreadAnnouncements = isMe && isDetailed ?
(await this.announcementService.getUnreadAnnouncements(user)).map((announcement) => ({
createdAt: this.idService.parse(announcement.id).date.toISOString(),
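Review bot: The new `isModerator` line treats an `'admin'`-ranked token as not permitted, while the ApiCallService change in this same commit lets an `'admin'` rank through to moderator endpoints, so a detailed self view packed with an admin-ranked token reports `isModerator: null` even though that token can call moderator endpoints. Aligning the condition with the API check — `(opts.token?.rank == null || opts.token.rank === 'admin' || opts.token.rank === 'mod')` — keeps the two consistent. Note also that a caller that does not pass `opts.token` falls into the `rank == null` branch and gets the unrestricted result; that looks deliberate for compatibility, but any other caller packing a detailed self view has to thread the token through or the restriction is silently skipped, so a short comment on the `token?` option saying that omitting it means "unrestricted" would help. The enclosing pack method starts and ends outside the hunk.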


@ -380,7 +380,9 @@ export class ApiCallService implements OnApplicationShutdown {
if ((ep.meta.requireModerator || ep.meta.requireAdmin) && (this.meta.rootUserId !== user?.id)) {
const myRoles = user ? await this.roleService.getUserRoles(user) : [];
if (ep.meta.requireModerator && !myRoles.some(r => r.isModerator || r.isAdministrator)) {
const isAdmin = myRoles.some(r => r.isAdministrator) && (token?.rank == null || token.rank === 'admin');
const isModerator = myRoles.some(r => r.isAdministrator || r.isModerator) && (token?.rank == null || token.rank === 'admin' || token.rank === 'mod');
if (ep.meta.requireModerator && !isModerator) {
throw new ApiError({
message: 'You are not assigned to a moderator role.',
code: 'ROLE_PERMISSION_DENIED',
@ -388,7 +390,7 @@ export class ApiCallService implements OnApplicationShutdown {
id: 'd33d5333-db36-423d-a8f9-1a2b9549da41',
});
}
if (ep.meta.requireAdmin && !myRoles.some(r => r.isAdministrator)) {
if (ep.meta.requireAdmin && !isAdmin) {
throw new ApiError({
message: 'You are not assigned to an administrator role.',
code: 'ROLE_PERMISSION_DENIED',
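Review bot: The rank test on the new `isAdmin`/`isModerator` lines sits inside the `if` that exempts `this.meta.rootUserId === user?.id`, so a rank-limited token belonging to the root user is never checked — a `'mod'`-ranked root token still reaches admin endpoints. If the rank is meant to bound what a token may do regardless of its owner, which the commit title suggests, the rank test should be evaluated before or outside that root exemption. Separately, a user who does hold the role but whose token has an insufficient rank now receives the same `'You are not assigned to a moderator role.'` message, which misleads whoever debugs the resulting 403; a distinct message such as `'This access token is not permitted to use moderator endpoints.'` (and likewise for admin) would name the actual cause. The enclosing method continues outside the hunk and the origin of `token` is not visible here.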


@ -84,6 +84,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
schema: 'MeDetailed',
includeSecrets: isSecure,
userProfile,
token,
});
});
}