allow admins to create approved users

This commit is contained in:
Hazelnoot 2024-10-26 16:47:39 -04:00
parent 1520bc1715
commit f36a1a5701
2 changed files with 21 additions and 15 deletions

View File

@ -55,6 +55,7 @@ export class SignupService {
host?: string | null; host?: string | null;
reason?: string | null; reason?: string | null;
ignorePreservedUsernames?: boolean; ignorePreservedUsernames?: boolean;
approved?: boolean;
}) { }) {
const { username, password, passwordHash, host, reason } = opts; const { username, password, passwordHash, host, reason } = opts;
let hash = passwordHash; let hash = passwordHash;
@ -115,9 +116,6 @@ export class SignupService {
)); ));
let account!: MiUser; let account!: MiUser;
let defaultApproval = false;
if (!this.meta.approvalRequiredForSignup) defaultApproval = true;
// Start transaction // Start transaction
await this.db.transaction(async transactionalEntityManager => { await this.db.transaction(async transactionalEntityManager => {
@ -135,7 +133,7 @@ export class SignupService {
host: this.utilityService.toPunyNullable(host), host: this.utilityService.toPunyNullable(host),
token: secret, token: secret,
isRoot: isTheFirstUser, isRoot: isTheFirstUser,
approved: defaultApproval, approved: opts.approved ?? !this.meta.approvalRequiredForSignup,
signupReason: reason, signupReason: reason,
})); }));

View File

@ -3,16 +3,15 @@
* SPDX-License-Identifier: AGPL-3.0-only * SPDX-License-Identifier: AGPL-3.0-only
*/ */
import { Inject, Injectable } from '@nestjs/common'; import { Injectable } from '@nestjs/common';
import { IsNull } from 'typeorm';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UsersRepository } from '@/models/_.js'; import { MiUser } from '@/models/_.js';
import { SignupService } from '@/core/SignupService.js'; import { SignupService } from '@/core/SignupService.js';
import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js';
import { InstanceActorService } from '@/core/InstanceActorService.js'; import { InstanceActorService } from '@/core/InstanceActorService.js';
import { localUsernameSchema, passwordSchema } from '@/models/User.js'; import { localUsernameSchema, passwordSchema } from '@/models/User.js';
import { DI } from '@/di-symbols.js';
import { Packed } from '@/misc/json-schema.js'; import { Packed } from '@/misc/json-schema.js';
import { RoleService } from '@/core/RoleService.js';
export const meta = { export const meta = {
tags: ['admin'], tags: ['admin'],
@ -42,22 +41,21 @@ export const paramDef = {
@Injectable() @Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
constructor( constructor(
@Inject(DI.usersRepository) private roleService: RoleService,
private usersRepository: UsersRepository,
private userEntityService: UserEntityService, private userEntityService: UserEntityService,
private signupService: SignupService, private signupService: SignupService,
private instanceActorService: InstanceActorService, private instanceActorService: InstanceActorService,
) { ) {
super(meta, paramDef, async (ps, _me, token) => { super(meta, paramDef, async (ps, _me) => {
const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null; if (!await this.canCreate(_me)) {
const realUsers = await this.instanceActorService.realLocalUsersPresent(); throw new Error('access denied');
if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied'); }
const { account, secret } = await this.signupService.signup({ const { account, secret } = await this.signupService.signup({
username: ps.username, username: ps.username,
password: ps.password, password: ps.password,
ignorePreservedUsernames: true, ignorePreservedUsernames: true,
approved: true,
}); });
const res = await this.userEntityService.pack(account, account, { const res = await this.userEntityService.pack(account, account, {
@ -70,4 +68,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
return res; return res;
}); });
} }
private async canCreate(me: MiUser | null): Promise<boolean> {
// Allow the first user to be created without authentication, as part of normal setup flow
if (!me) {
return !await this.instanceActorService.realLocalUsersPresent();
}
// Administrators (including root) can always create users
return await this.roleService.isAdministrator(me);
}
} }