Merge f767c22cc1 into 752606fe88

2024-11-21 17:42:11 +09:00 · 2024-11-21 17:42:11 +09:00 · 254e9fa91c
parent 752606fe88 f767c22cc1
commit 254e9fa91c
8 changed files with 106 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -51,6 +51,7 @@
  (Based on https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/588)  
  (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/715)
 - Enhance: リモートユーザーの照会をオリジナルにリダイレクトするように
+- Enhance: アクセストークンでアカウントを作成できるように
 - Fix: sharedInboxが無いActorに紐づくリモートユーザーを照会できない
 - Fix: Aproving request from GtS appears with some delay
 - Fix: フォロワーへのメッセージの絵文字をemojisに含めるように
--- a/locales/en-US.yml
+++ b/locales/en-US.yml
@ -2121,6 +2121,7 @@ _permissions:
  "read:flash-likes": "View list of liked Plays"
  "write:flash-likes": "Edit list of liked Plays"
  "read:admin:abuse-user-reports": "View user reports"
+  "write:admin:create-account": "Create user account"
  "write:admin:delete-account": "Delete user account"
  "write:admin:delete-all-files-of-a-user": "Delete all files of a user"
  "read:admin:index-stats": "View database index stats"
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@ -8250,6 +8250,10 @@ export interface Locale extends ILocale {
         * ユーザーからの通報を見る
         */
        "read:admin:abuse-user-reports": string;
+        /**
+         * ユーザーアカウントを作成する
+         */
+        "write:admin:create-account": string;
        /**
         * ユーザーアカウントを削除する
         */
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@ -2166,6 +2166,7 @@ _permissions:
  "read:flash-likes": "Playのいいねを見る"
  "write:flash-likes": "Playのいいねを操作する"
  "read:admin:abuse-user-reports": "ユーザーからの通報を見る"
+  "write:admin:create-account": "ユーザーアカウントを作成する"
  "write:admin:delete-account": "ユーザーアカウントを削除する"
  "write:admin:delete-all-files-of-a-user": "ユーザーのすべてのファイルを削除する"
  "read:admin:index-stats": "データベースインデックスに関する情報を見る"
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@ -15,18 +15,21 @@ import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import { ApiError } from '@/server/api/error.js';
 import { Packed } from '@/misc/json-schema.js';
+import { RoleService } from '@/core/RoleService.js';

 export const meta = {
 	tags: ['admin'],

 	errors: {
 		accessDenied: {
+			httpStatusCode: 403,
 			message: 'Access denied.',
 			code: 'ACCESS_DENIED',
 			id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
 		},

 		wrongInitialPassword: {
+			httpStatusCode: 401,
 			message: 'Initial password is incorrect.',
 			code: 'INCORRECT_INITIAL_PASSWORD',
 			id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
@ -65,6 +68,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,

+		private roleService: RoleService,
 		private userEntityService: UserEntityService,
 		private signupService: SignupService,
 		private instanceActorService: InstanceActorService,
@ -85,8 +89,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					// 初期パスワードが設定されていないのに初期パスワードが入力された場合
 					throw new ApiError(meta.errors.wrongInitialPassword);
 				}
-			} else if ((realUsers && !me?.isRoot) || token !== null) {
-				// 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合
+			} else if (!(me?.isRoot) && !await this.roleService.isAdministrator(me)) {
+				// 管理者でない場合
+				throw new ApiError(meta.errors.accessDenied);
+			} else if (token && !token?.permission.includes('write:admin:create-account')) {
+				// access token を使うときは write:admin:create-account 権限が必要
 				throw new ApiError(meta.errors.accessDenied);
 			}

--- a/packages/backend/test/e2e/admin-create-account.ts
+++ b/packages/backend/test/e2e/admin-create-account.ts
@ -0,0 +1,88 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+process.env.NODE_ENV = 'test';
+
+import * as assert from 'assert';
+
+import type * as misskey from 'misskey-js';
+import { api, role, signup } from '../utils.js';
+
+describe('Admin Create User', () => {
+    let admin: misskey.entities.SignupResponse;
+    let user: misskey.entities.SignupResponse;
+    let formerAdmin: misskey.entities.SignupResponse;
+    let adminRole : misskey.entities.Role;
+    let formerAdminRole : misskey.entities.Role;
+
+    beforeAll(async () => {
+        admin = await signup({ username: 'admin' });
+        formerAdmin = await signup({ username: 'former_admin' });
+        user = await signup({ username: 'user' });
+        adminRole = await role(admin, {
+            name: 'admin',
+            isAdministrator: true
+        });
+        formerAdminRole = await role(admin, {
+            name: 'former_admin',
+            isAdministrator: true
+        });
+        const addAdminRole = await api('admin/roles/assign', {
+            userId: admin.id,
+            roleId: adminRole.id
+        }, admin);
+        assert.strictEqual(addAdminRole.status, 204);
+
+        const addFormerAdminRole = await api('admin/roles/assign', {
+            userId: formerAdmin.id,
+            roleId: formerAdminRole.id
+        }, admin);
+        assert.strictEqual(addFormerAdminRole.status, 204);
+    }, 1000 * 60 * 2);
+
+    test('Create User', async () => {
+        const newUser1 = await api('admin/accounts/create', {
+            username: 'new_user1',
+            password: 'password',
+        }, admin);
+        assert.strictEqual(newUser1.status, 200);
+
+        const newUser2 = await api('admin/accounts/create', {
+            username: 'new_user2',
+            password: 'password',
+        }, formerAdmin);
+        assert.strictEqual(newUser2.status, 200);
+
+        const newUser3 = await api('admin/accounts/create', {
+            username: 'new_user3',
+            password: 'password',
+        }, user);
+        assert.strictEqual(newUser3.status, 403);
+    });
+
+    test('Revoking Admin Role', async () => {
+        const res = await api('admin/roles/delete', {roleId: formerAdminRole.id}, admin);
+        assert.strictEqual(res.status, 204);
+
+        const res2 = await api('admin/roles/delete', {roleId: adminRole.id}, formerAdmin);
+        assert.strictEqual(res2.status, 403);
+    });
+
+    test('Revoked User Should Not Create User', async () => {
+        const newUser4 = await api('admin/accounts/create', {
+            username: 'new_user4',
+            password: 'password',
+        }, formerAdmin);
+
+        assert.strictEqual(newUser4.status, 403);
+
+        const newUser5 = await api('admin/accounts/create', {
+            username: 'new_user5',
+            password: 'password',
+        }, admin);
+
+        assert.strictEqual(newUser5.status, 200);
+    });
+})
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@ -2880,7 +2880,7 @@ type PartialRolePolicyOverride = Partial<{
 }>;

 // @public (undocumented)
-export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];
+export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:create-account", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];

 // @public (undocumented)
 type PingResponse = operations['ping']['responses']['200']['content']['application/json'];
--- a/packages/misskey-js/src/consts.ts
+++ b/packages/misskey-js/src/consts.ts
@ -64,6 +64,7 @@ export const permissions = [
 	'read:flash-likes',
 	'write:flash-likes',
 	'read:admin:abuse-user-reports',
+	'write:admin:create-account',
 	'write:admin:delete-account',
 	'write:admin:delete-all-files-of-a-user',
 	'read:admin:index-stats',