From f36a1a57011ff88d482b2da837737230fd500fc4 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 26 Oct 2024 16:47:39 -0400
Subject: [PATCH 1/3] allow admins to create approved users

---
 packages/backend/src/core/SignupService.ts    |  6 ++--
 .../api/endpoints/admin/accounts/create.ts    | 30 ++++++++++++-------
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts
index 7250d1c24d..78b97401fd 100644
--- a/packages/backend/src/core/SignupService.ts
+++ b/packages/backend/src/core/SignupService.ts
@@ -55,6 +55,7 @@ export class SignupService {
 		host?: string | null;
 		reason?: string | null;
 		ignorePreservedUsernames?: boolean;
+		approved?: boolean;
 	}) {
 		const { username, password, passwordHash, host, reason } = opts;
 		let hash = passwordHash;
@@ -115,9 +116,6 @@ export class SignupService {
 			));
 
 		let account!: MiUser;
-		let defaultApproval = false;
-
-		if (!this.meta.approvalRequiredForSignup) defaultApproval = true;
 
 		// Start transaction
 		await this.db.transaction(async transactionalEntityManager => {
@@ -135,7 +133,7 @@ export class SignupService {
 				host: this.utilityService.toPunyNullable(host),
 				token: secret,
 				isRoot: isTheFirstUser,
-				approved: defaultApproval,
+				approved: opts.approved ?? !this.meta.approvalRequiredForSignup,
 				signupReason: reason,
 			}));
 
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index a7e8a3b018..3cb4029780 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -3,16 +3,15 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { Inject, Injectable } from '@nestjs/common';
-import { IsNull } from 'typeorm';
+import { Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import type { UsersRepository } from '@/models/_.js';
+import { MiUser } from '@/models/_.js';
 import { SignupService } from '@/core/SignupService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { InstanceActorService } from '@/core/InstanceActorService.js';
 import { localUsernameSchema, passwordSchema } from '@/models/User.js';
-import { DI } from '@/di-symbols.js';
 import { Packed } from '@/misc/json-schema.js';
+import { RoleService } from '@/core/RoleService.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -42,22 +41,21 @@ export const paramDef = {
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
-		@Inject(DI.usersRepository)
-		private usersRepository: UsersRepository,
-
+		private roleService: RoleService,
 		private userEntityService: UserEntityService,
 		private signupService: SignupService,
 		private instanceActorService: InstanceActorService,
 	) {
-		super(meta, paramDef, async (ps, _me, token) => {
-			const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null;
-			const realUsers = await this.instanceActorService.realLocalUsersPresent();
-			if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied');
+		super(meta, paramDef, async (ps, _me) => {
+			if (!await this.canCreate(_me)) {
+				throw new Error('access denied');
+			}
 
 			const { account, secret } = await this.signupService.signup({
 				username: ps.username,
 				password: ps.password,
 				ignorePreservedUsernames: true,
+				approved: true,
 			});
 
 			const res = await this.userEntityService.pack(account, account, {
@@ -70,4 +68,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			return res;
 		});
 	}
+
+	private async canCreate(me: MiUser | null): Promise<boolean> {
+		// Allow the first user to be created without authentication, as part of normal setup flow
+		if (!me) {
+			return !await this.instanceActorService.realLocalUsersPresent();
+		}
+
+		// Administrators (including root) can always create users
+		return await this.roleService.isAdministrator(me);
+	}
 }

From 37ff2bb0ca39cadfe82f972b01b3dddb9669fe8c Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 26 Oct 2024 16:50:40 -0400
Subject: [PATCH 2/3] always approve the first / root user

---
 packages/backend/src/core/SignupService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts
index 78b97401fd..1b0b1e5bbd 100644
--- a/packages/backend/src/core/SignupService.ts
+++ b/packages/backend/src/core/SignupService.ts
@@ -133,7 +133,7 @@ export class SignupService {
 				host: this.utilityService.toPunyNullable(host),
 				token: secret,
 				isRoot: isTheFirstUser,
-				approved: opts.approved ?? !this.meta.approvalRequiredForSignup,
+				approved: isTheFirstUser || (opts.approved ?? !this.meta.approvalRequiredForSignup),
 				signupReason: reason,
 			}));
 

From ade801ec58f1fe589d011b1bbb1731a7faddbd7d Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Fri, 1 Nov 2024 10:12:28 -0400
Subject: [PATCH 3/3] check token permissions in admin/accounts/create.ts

---
 .../api/endpoints/admin/accounts/create.ts    | 57 +++++++++++++++----
 1 file changed, 46 insertions(+), 11 deletions(-)

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index 3cb4029780..7754899b95 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -5,13 +5,14 @@
 
 import { Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import { MiUser } from '@/models/_.js';
+import { MiAccessToken, MiUser } from '@/models/_.js';
 import { SignupService } from '@/core/SignupService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { InstanceActorService } from '@/core/InstanceActorService.js';
 import { localUsernameSchema, passwordSchema } from '@/models/User.js';
 import { Packed } from '@/misc/json-schema.js';
 import { RoleService } from '@/core/RoleService.js';
+import { ApiError } from '@/server/api/error.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -27,6 +28,35 @@ export const meta = {
 			},
 		},
 	},
+
+	errors: {
+		// From ApiCallService.ts
+		noCredential: {
+			message: 'Credential required.',
+			code: 'CREDENTIAL_REQUIRED',
+			id: '1384574d-a912-4b81-8601-c7b1c4085df1',
+			httpStatusCode: 401,
+		},
+		noAdmin: {
+			message: 'You are not assigned to an administrator role.',
+			code: 'ROLE_PERMISSION_DENIED',
+			kind: 'permission',
+			id: 'c3d38592-54c0-429d-be96-5636b0431a61',
+		},
+		noPermission: {
+			message: 'Your app does not have the necessary permissions to use this endpoint.',
+			code: 'PERMISSION_DENIED',
+			kind: 'permission',
+			id: '1370e5b7-d4eb-4566-bb1d-7748ee6a1838',
+		},
+	},
+
+	// Required token permissions, but we need to check them manually.
+	// ApiCallService checks access in a way that would prevent creating the first account.
+	softPermissions: [
+		'write:admin:account',
+		'write:admin:approve-user',
+	],
 } as const;
 
 export const paramDef = {
@@ -46,10 +76,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		private signupService: SignupService,
 		private instanceActorService: InstanceActorService,
 	) {
-		super(meta, paramDef, async (ps, _me) => {
-			if (!await this.canCreate(_me)) {
-				throw new Error('access denied');
-			}
+		super(meta, paramDef, async (ps, _me, token) => {
+			await this.ensurePermissions(_me, token);
 
 			const { account, secret } = await this.signupService.signup({
 				username: ps.username,
@@ -69,13 +97,20 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		});
 	}
 
-	private async canCreate(me: MiUser | null): Promise<boolean> {
-		// Allow the first user to be created without authentication, as part of normal setup flow
-		if (!me) {
-			return !await this.instanceActorService.realLocalUsersPresent();
+	private async ensurePermissions(me: MiUser | null, token: MiAccessToken | null): Promise<void> {
+		// Tokens have scoped permissions which may be *less* than the user's official role, so we need to check.
+		if (token && !meta.softPermissions.every(p => token.permission.includes(p))) {
+			throw new ApiError(meta.errors.noPermission);
 		}
 
-		// Administrators (including root) can always create users
-		return await this.roleService.isAdministrator(me);
+		// Only administrators (including root) can create users.
+		if (me && !await this.roleService.isAdministrator(me)) {
+			throw new ApiError(meta.errors.noAdmin);
+		}
+
+		// Anonymous access is only allowed for initial instance setup.
+		if (!me && await this.instanceActorService.realLocalUsersPresent()) {
+			throw new ApiError(meta.errors.noCredential);
+		}
 	}
 }