allow admins to create approved users
This commit is contained in:
parent
1520bc1715
commit
f36a1a5701
2 changed files with 21 additions and 15 deletions
|
@ -55,6 +55,7 @@ export class SignupService {
|
|||
host?: string | null;
|
||||
reason?: string | null;
|
||||
ignorePreservedUsernames?: boolean;
|
||||
approved?: boolean;
|
||||
}) {
|
||||
const { username, password, passwordHash, host, reason } = opts;
|
||||
let hash = passwordHash;
|
||||
|
@ -115,9 +116,6 @@ export class SignupService {
|
|||
));
|
||||
|
||||
let account!: MiUser;
|
||||
let defaultApproval = false;
|
||||
|
||||
if (!this.meta.approvalRequiredForSignup) defaultApproval = true;
|
||||
|
||||
// Start transaction
|
||||
await this.db.transaction(async transactionalEntityManager => {
|
||||
|
@ -135,7 +133,7 @@ export class SignupService {
|
|||
host: this.utilityService.toPunyNullable(host),
|
||||
token: secret,
|
||||
isRoot: isTheFirstUser,
|
||||
approved: defaultApproval,
|
||||
approved: opts.approved ?? !this.meta.approvalRequiredForSignup,
|
||||
signupReason: reason,
|
||||
}));
|
||||
|
||||
|
|
|
@ -3,16 +3,15 @@
|
|||
* SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
import { Inject, Injectable } from '@nestjs/common';
|
||||
import { IsNull } from 'typeorm';
|
||||
import { Injectable } from '@nestjs/common';
|
||||
import { Endpoint } from '@/server/api/endpoint-base.js';
|
||||
import type { UsersRepository } from '@/models/_.js';
|
||||
import { MiUser } from '@/models/_.js';
|
||||
import { SignupService } from '@/core/SignupService.js';
|
||||
import { UserEntityService } from '@/core/entities/UserEntityService.js';
|
||||
import { InstanceActorService } from '@/core/InstanceActorService.js';
|
||||
import { localUsernameSchema, passwordSchema } from '@/models/User.js';
|
||||
import { DI } from '@/di-symbols.js';
|
||||
import { Packed } from '@/misc/json-schema.js';
|
||||
import { RoleService } from '@/core/RoleService.js';
|
||||
|
||||
export const meta = {
|
||||
tags: ['admin'],
|
||||
|
@ -42,22 +41,21 @@ export const paramDef = {
|
|||
@Injectable()
|
||||
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
|
||||
constructor(
|
||||
@Inject(DI.usersRepository)
|
||||
private usersRepository: UsersRepository,
|
||||
|
||||
private roleService: RoleService,
|
||||
private userEntityService: UserEntityService,
|
||||
private signupService: SignupService,
|
||||
private instanceActorService: InstanceActorService,
|
||||
) {
|
||||
super(meta, paramDef, async (ps, _me, token) => {
|
||||
const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null;
|
||||
const realUsers = await this.instanceActorService.realLocalUsersPresent();
|
||||
if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied');
|
||||
super(meta, paramDef, async (ps, _me) => {
|
||||
if (!await this.canCreate(_me)) {
|
||||
throw new Error('access denied');
|
||||
}
|
||||
|
||||
const { account, secret } = await this.signupService.signup({
|
||||
username: ps.username,
|
||||
password: ps.password,
|
||||
ignorePreservedUsernames: true,
|
||||
approved: true,
|
||||
});
|
||||
|
||||
const res = await this.userEntityService.pack(account, account, {
|
||||
|
@ -70,4 +68,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
|||
return res;
|
||||
});
|
||||
}
|
||||
|
||||
private async canCreate(me: MiUser | null): Promise<boolean> {
|
||||
// Allow the first user to be created without authentication, as part of normal setup flow
|
||||
if (!me) {
|
||||
return !await this.instanceActorService.realLocalUsersPresent();
|
||||
}
|
||||
|
||||
// Administrators (including root) can always create users
|
||||
return await this.roleService.isAdministrator(me);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue