From 4afe72e62f63122ca12bc98fa798ceb5a30168bf Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Sat, 30 Mar 2024 00:16:06 +0100
Subject: [PATCH] Add oauth protection to admin domain blocks API
---
 .../Api/V1/Admin/DomainBlocksController.php | 6 +++++
 app/Http/Kernel.php | 3 +++
 app/Http/Middleware/Api/Admin.php | 26 +++++++++++++++++++
 app/Providers/AuthServiceProvider.php | 2 ++
 4 files changed, 37 insertions(+)
 create mode 100644 app/Http/Middleware/Api/Admin.php
diff --git a/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php b/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php
index 287ba58e2..66bd2f3a8 100644
--- a/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php
+++ b/app/Http/Controllers/Api/V1/Admin/DomainBlocksController.php
@@ -10,6 +10,12 @@ use App\Services\InstanceService;
 use App\Http\Resources\MastoApi\Admin\DomainBlockResource;
 class DomainBlocksController extends ApiController {
+
+ public function __construct() {
+ $this->middleware(['auth:api', 'api.admin', 'scope:admin:read,admin:read:domain_blocks'])->only(['index', 'show']);
+ $this->middleware(['auth:api', 'api.admin', 'scope:admin:write,admin:write:domain_blocks'])->only(['create', 'update', 'delete']);
+ }
+
 public function index(Request $request) {
 $this->validate($request, [
 'limit' => 'sometimes|integer|max:100|min:1',
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 5cc99014b..bb1931555 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -54,6 +54,7 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $routeMiddleware = [
+ 'api.admin' => \App\Http\Middleware\Api\Admin::class,
 'admin' => \App\Http\Middleware\Admin::class,
 'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
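Review bot: The constructor attaches `auth:api` and `api.admin` only to the actions named in the two `only()` lists, so any other public action on this controller, or one whose method name does not match the list exactly (the route definitions are outside this hunk, so that cannot be verified here), runs with no authentication or admin check at all; the protection fails open by omission. Attach the authentication and admin gate unconditionally and keep `only()` just for the scope narrowing: `$this->middleware(['auth:api', 'api.admin']);` followed by `$this->middleware('scope:admin:read,admin:read:domain_blocks')->only(['index', 'show']);` and the matching `admin:write` line for `create`, `update`, `delete`. Ordering must keep `auth:api` ahead of `api.admin`, because the new Admin middleware in this patch dereferences `$request->user()` without a null check. A short comment above the constructor stating that `scope:` is any-of (the broad `admin:read` or the narrow `admin:read:domain_blocks` suffices) would make the intent explicit. The class body continues past the end of the hunk.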
@@ -68,6 +69,8 @@ class Kernel extends HttpKernel
 'twofactor' => \App\Http\Middleware\TwoFactorAuth::class,
 'validemail' => \App\Http\Middleware\EmailVerificationCheck::class,
 'interstitial' => \App\Http\Middleware\AccountInterstitial::class,
+ 'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
+ 'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
 // 'restricted' => \App\Http\Middleware\RestrictedAccess::class,
 ];
 }
diff --git a/app/Http/Middleware/Api/Admin.php b/app/Http/Middleware/Api/Admin.php
new file mode 100644
index 000000000..65d24758d
--- /dev/null
+++ b/app/Http/Middleware/Api/Admin.php
@@ -0,0 +1,26 @@
+is_admin == false) {
+ return abort(403, "You must be an administrator to do that");
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 52e992ce0..4301fc818 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -37,7 +37,9 @@ class AuthServiceProvider extends ServiceProvider
 'write' => 'Full write access to your account',
 'follow' => 'Ability to follow other profiles',
 'admin:read' => 'Read all data on the server',
+ 'admin:read:domain_blocks' => 'Read sensitive information of all domain blocks',
 'admin:write' => 'Modify all data on the server',
+ 'admin:write:domain_blocks' => 'Perform moderation actions on domain blocks',
 'push' => 'Receive your push notifications'
 ]);
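Review bot: The two new aliases are undocumented and read inversely to their semantics: `scope` maps to `CheckForAnyScope` (the request passes when the token carries any one of the listed scopes), while `scopes` maps to `CheckScopes` (every listed scope is required), and the controller in this patch depends on the any-of form. This follows Passport's own alias convention, but a trailing comment on each line would stop a future call site from picking the wrong one: `// any-of: passes with ANY listed scope` on the `scope` line and `// all-of: requires EVERY listed scope` on the `scopes` line. The first Kernel hunk has the same gap for `api.admin`, which now sits beside the existing `admin` alias with nothing saying which is intended for token-authenticated routes; a one-line comment there would help, since the existing Admin middleware is outside this diff.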
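Review bot: The admin check dereferences `$request->user()` directly, so if this middleware is ever applied on a route without `auth:api` in front of it (the controller in this patch lists both, but the alias is now globally available), a guest request fails with a null dereference error rather than a clean 403. The check should fail closed on a missing user as well, and the `return` before `abort()` is dead since `abort()` throws: `$user = $request->user();` then `if ($user === null || ! $user->is_admin) {` with a bare `abort(403, "You must be an administrator to do that");` inside. The file header, namespace and `handle()` signature of this new file are not legible in this view, so the parameter types of `handle()` cannot be confirmed here; a docblock on `handle()` stating that it assumes an already-authenticated request and responds 403 otherwise would make the contract explicit.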