add "only platform admin can create groups" and "only groups can create events" restrictions

2021-10-06 18:00:50 +02:00 · 2021-10-06 18:00:50 +02:00 · 7940d69d5a
parent 7885151220
commit 7940d69d5a
13 changed files with 135 additions and 34 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -40,9 +40,11 @@ config :mobilizon, :instance,
  email_reply_to: "noreply@localhost"
 config :mobilizon, :groups, enabled: true
 config :mobilizon, :events, creation: true
 config :mobilizon, :restrictions, only_admin_can_create_groups: false
 config :mobilizon, :restrictions, only_groups_can_create_events: false
 # Configures the endpoint
 config :mobilizon, Mobilizon.Web.Endpoint,
  url: [
--- a/js/src/components/NavBar.vue
+++ b/js/src/components/NavBar.vue
@ -44,6 +44,7 @@
        "
      >
        <b-button
          v-if="!hideCreateEventsButton"
          tag="router-link"
          :to="{ name: RouteName.CREATE_EVENT }"
          type="is-primary"
@ -313,6 +314,10 @@ export default class NavBar extends Vue {
    });
    return changeIdentity(this.$apollo.provider.defaultClient, identity);
  }
  get hideCreateEventsButton(): boolean {
    return !!this.config?.restrictions?.onlyGroupsCanCreateEvents;
  }
 }
 </script>
 <style lang="scss" scoped>
--- a/js/src/graphql/config.ts
+++ b/js/src/graphql/config.ts
@ -69,6 +69,10 @@ export const CONFIG = gql`
        eventCreation
        koenaConnect
      }
      restrictions {
        onlyAdminCanCreateGroups
        onlyGroupsCanCreateEvents
      }
      auth {
        ldap
        oauthProviders {
--- a/js/src/types/config.model.ts
+++ b/js/src/types/config.model.ts
@ -84,6 +84,10 @@ export interface IConfig {
    groups: boolean;
    koenaConnect: boolean;
  };
  restrictions: {
    onlyAdminCanCreateGroups: boolean;
    onlyGroupsCanCreateEvents: boolean;
  };
  federating: boolean;
  version: string;
  auth: {
--- a/js/src/views/Admin/GroupProfiles.vue
+++ b/js/src/views/Admin/GroupProfiles.vue
@ -14,6 +14,13 @@
        </li>
      </ul>
    </nav>
    <div class="buttons" v-if="showCreateGroupsButton">
      <router-link
        class="button is-primary"
        :to="{ name: RouteName.CREATE_GROUP }"
        >{{ $t("Create group") }}</router-link
      >
    </div>
    <div v-if="groups">
      <b-switch v-model="local">{{ $t("Local") }}</b-switch>
      <b-switch v-model="suspended">{{ $t("Suspended") }}</b-switch>
@ -100,6 +107,8 @@
 </template>
 <script lang="ts">
 import { Component, Vue } from "vue-property-decorator";
 import { CONFIG } from "@/graphql/config";
 import { IConfig } from "@/types/config.model";
 import { LIST_GROUPS } from "@/graphql/group";
 import RouteName from "../../router/name";
 import EmptyContent from "../../components/Utils/EmptyContent.vue";
@ -110,6 +119,7 @@ const PROFILES_PER_PAGE = 10;
@Component({
  apollo: {
    config: CONFIG,
    groups: {
      query: LIST_GROUPS,
      variables() {
@ -139,6 +149,7 @@ export default class GroupProfiles extends Vue {
  PROFILES_PER_PAGE = PROFILES_PER_PAGE;
  config!: IConfig;
  RouteName = RouteName;
  async onPageChange(): Promise<void> {
@ -185,6 +196,10 @@ export default class GroupProfiles extends Vue {
    this.pushRouter({ suspended: suspended ? "1" : "0" });
  }
  get showCreateGroupsButton(): boolean {
    return !!this.config?.restrictions?.onlyAdminCanCreateGroups;
  }
  onFiltersChange({
    preferredUsername,
    domain,
--- a/js/src/views/Event/MyEvents.vue
+++ b/js/src/views/Event/MyEvents.vue
@ -10,7 +10,7 @@
        )
      }}
    </p>
-    <div class="buttons">
+    <div class="buttons" v-if="!hideCreateEventButton">
      <router-link
        class="button is-primary"
        :to="{ name: RouteName.CREATE_EVENT }"
@ -126,6 +126,8 @@
 </template>
 <script lang="ts">
 import { CONFIG } from "../../graphql/config";
 import { IConfig } from "../../types/config.model";
 import { Component, Vue } from "vue-property-decorator";
 import { ParticipantRole } from "@/types/enums";
 import RouteName from "@/router/name";
@ -147,6 +149,7 @@ import Subtitle from "../../components/Utils/Subtitle.vue";
    EventListCard,
  },
  apollo: {
    config: CONFIG,
    futureParticipations: {
      query: LOGGED_USER_PARTICIPATIONS,
      fetchPolicy: "cache-and-network",
@ -197,6 +200,8 @@ export default class MyEvents extends Vue {
  limit = 10;
  config!: IConfig;
  futureParticipations: IParticipant[] = [];
  hasMoreFutureParticipations = true;
@ -286,6 +291,10 @@ export default class MyEvents extends Vue {
      (participation) => participation.event.id !== eventid
    );
  }
  get hideCreateEventButton(): boolean {
    return !!this.config?.restrictions?.onlyGroupsCanCreateEvents;
  }
 }
 </script>
--- a/js/src/views/Group/MyGroups.vue
+++ b/js/src/views/Group/MyGroups.vue
@ -8,7 +8,7 @@
        )
      }}
    </p>
-    <div class="buttons">
+    <div class="buttons" v-if="!hideCreateGroupButton">
      <router-link
        class="button is-primary"
        :to="{ name: RouteName.CREATE_GROUP }"
@ -72,6 +72,8 @@
 <script lang="ts">
 import { Component, Vue } from "vue-property-decorator";
 import { CONFIG } from "@/graphql/config";
 import { IConfig } from "@/types/config.model";
 import { LOGGED_USER_MEMBERSHIPS } from "@/graphql/actor";
 import { LEAVE_GROUP } from "@/graphql/group";
 import GroupMemberCard from "@/components/Group/GroupMemberCard.vue";
@ -90,6 +92,9 @@ import RouteName from "../../router/name";
    Invitations,
  },
  apollo: {
    config: {
      query: CONFIG,
    },
    membershipsPages: {
      query: LOGGED_USER_MEMBERSHIPS,
      fetchPolicy: "cache-and-network",
@ -114,6 +119,8 @@ export default class MyGroups extends Vue {
  RouteName = RouteName;
  config!: IConfig;
  page = 1;
  limit = 10;
@ -177,6 +184,10 @@ export default class MyGroups extends Vue {
        ![MemberRole.INVITED, MemberRole.REJECTED].includes(member.role)
    );
  }
  get hideCreateGroupButton(): boolean {
    return !!this.config?.restrictions?.onlyAdminCanCreateGroups;
  }
 }
 </script>
--- a/js/tests/unit/specs/mocks/config.ts
+++ b/js/tests/unit/specs/mocks/config.ts
@ -56,6 +56,11 @@ export const configMock = {
        groups: true,
        koenaConnect: false,
      },
      restrictions: {
        __typename: "Restrictions",
        onlyAdminCanCreateGroups: false,
        onlyGroupsCanCreateEvents: false,
      },
      geocoding: {
        __typename: "Geocoding",
        autocomplete: true,
--- a/lib/graphql/resolvers/config.ex
+++ b/lib/graphql/resolvers/config.ex
@ -134,6 +134,10 @@ defmodule Mobilizon.GraphQL.Resolvers.Config do
        event_creation: Config.instance_event_creation_enabled?(),
        koena_connect: Config.get([:instance, :koena_connect_link], false)
      },
      restrictions: %{
        only_admin_can_create_groups: Config.only_admin_can_create_groups?(),
        only_groups_can_create_events: Config.only_groups_can_create_events?()
      },
      rules: Config.instance_rules(),
      version: Config.instance_version(),
      federating: Config.instance_federating(),
--- a/lib/graphql/resolvers/event.ex
+++ b/lib/graphql/resolvers/event.ex
@ -265,29 +265,33 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
        %{context: %{current_user: user}} = _resolution
      ) do
    # See https://github.com/absinthe-graphql/absinthe/issues/490
-    with {:is_owned, %Actor{} = organizer_actor} <- User.owns_actor(user, organizer_actor_id),
+    if Config.only_groups_can_create_events?() and Map.get(args, :attributed_to_id) == nil do
-         args <- Map.put(args, :options, args[:options] || %{}),
+      {:error, "only groups can create events"}
         {:group_check, true} <- {:group_check, is_organizer_group_member?(args)},
         args_with_organizer <- Map.put(args, :organizer_actor, organizer_actor),
         {:ok, %Activity{data: %{"object" => %{"type" => "Event"}}}, %Event{} = event} <-
           API.Events.create_event(args_with_organizer) do
      {:ok, event}
    else
-      {:group_check, false} ->
+      with {:is_owned, %Actor{} = organizer_actor} <- User.owns_actor(user, organizer_actor_id),
-        {:error,
+           args <- Map.put(args, :options, args[:options] || %{}),
-         dgettext(
+           {:group_check, true} <- {:group_check, is_organizer_group_member?(args)},
-           "errors",
+           args_with_organizer <- Map.put(args, :organizer_actor, organizer_actor),
-           "Organizer profile doesn't have permission to create an event on behalf of this group"
+           {:ok, %Activity{data: %{"object" => %{"type" => "Event"}}}, %Event{} = event} <-
-         )}
+             API.Events.create_event(args_with_organizer) do
        {:ok, event}
      else
        {:group_check, false} ->
          {:error,
           dgettext(
             "errors",
             "Organizer profile doesn't have permission to create an event on behalf of this group"
           )}
-      {:is_owned, nil} ->
+        {:is_owned, nil} ->
-        {:error, dgettext("errors", "Organizer profile is not owned by the user")}
+          {:error, dgettext("errors", "Organizer profile is not owned by the user")}
-      {:error, _, %Ecto.Changeset{} = error, _} ->
+        {:error, _, %Ecto.Changeset{} = error, _} ->
-        {:error, error}
+          {:error, error}
-      {:error, %Ecto.Changeset{} = error} ->
+        {:error, %Ecto.Changeset{} = error} ->
-        {:error, error}
+          {:error, error}
      end
    end
  end
--- a/lib/graphql/resolvers/group.ex
+++ b/lib/graphql/resolvers/group.ex
@ -4,6 +4,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
  """
  import Mobilizon.Users.Guards
  alias Mobilizon.Config
  alias Mobilizon.{Actors, Events}
  alias Mobilizon.Actors.{Actor, Member}
  alias Mobilizon.Federation.ActivityPub.Actions
@ -137,23 +138,29 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
        args,
        %{
          context: %{
-            current_actor: %Actor{id: creator_actor_id} = creator_actor
+            current_actor: %Actor{id: creator_actor_id} = creator_actor,
            current_user: %User{role: role} = _resolution
          }
        }
      ) do
-    with args when is_map(args) <- Map.update(args, :preferred_username, "", &String.downcase/1),
+    if Config.only_admin_can_create_groups?() and not is_admin(role) do
-         args when is_map(args) <- Map.put(args, :creator_actor, creator_actor),
+      {:error, "only admins can create groups"}
         args when is_map(args) <- Map.put(args, :creator_actor_id, creator_actor_id),
         {:picture, args} when is_map(args) <- {:picture, save_attached_pictures(args)},
         {:ok, _activity, %Actor{type: :Group} = group} <-
           API.Groups.create_group(args) do
      {:ok, group}
    else
-      {:picture, {:error, :file_too_large}} ->
+      with args when is_map(args) <-
-        {:error, dgettext("errors", "The provided picture is too heavy")}
+             Map.update(args, :preferred_username, "", &String.downcase/1),
           args when is_map(args) <- Map.put(args, :creator_actor, creator_actor),
           args when is_map(args) <- Map.put(args, :creator_actor_id, creator_actor_id),
           {:picture, args} when is_map(args) <- {:picture, save_attached_pictures(args)},
           {:ok, _activity, %Actor{type: :Group} = group} <-
             API.Groups.create_group(args) do
        {:ok, group}
      else
        {:picture, {:error, :file_too_large}} ->
          {:error, dgettext("errors", "The provided picture is too heavy")}
-      {:error, err} when is_binary(err) ->
+        {:error, err} when is_binary(err) ->
-        {:error, err}
+          {:error, err}
      end
    end
  end
--- a/lib/graphql/schema/config.ex
+++ b/lib/graphql/schema/config.ex
@ -37,6 +37,7 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
    field(:timezones, list_of(:string), description: "The instance's available timezones")
    field(:features, :features, description: "The instance's features")
    field(:restrictions, :restrictions, description: "The instance's restrictions")
    field(:version, :string, description: "The instance's version")
    field(:federating, :boolean, description: "Whether this instance is federation")
@ -275,6 +276,19 @@ defmodule Mobilizon.GraphQL.Schema.ConfigType do
    field(:koena_connect, :boolean, description: "Activate link to Koena Connect")
  end
  @desc """
  The instance's restrictions
  """
  object :restrictions do
    field(:only_admin_can_create_groups, :boolean,
      description: "Whether groups creation is allowed only for admin, not for all users"
    )
    field(:only_groups_can_create_events, :boolean,
      description: "Whether events creation is allowed only for groups, not for persons"
    )
  end
  @desc """
  The instance's auth configuration
  """
--- a/lib/mobilizon/config.ex
+++ b/lib/mobilizon/config.ex
@ -288,6 +288,9 @@ defmodule Mobilizon.Config do
    end
  end
  # config :mobilizon, :groups, enabled: true
  # config :mobilizon, :events, creation: true
  @spec instance_group_feature_enabled? :: boolean
  def instance_group_feature_enabled?,
    do: :mobilizon |> Application.get_env(:groups) |> Keyword.get(:enabled)
@ -303,6 +306,20 @@ defmodule Mobilizon.Config do
    }
  end
  @spec only_admin_can_create_groups? :: boolean
  def only_admin_can_create_groups?,
    do:
      :mobilizon
      |> Application.get_env(:restrictions)
      |> Keyword.get(:only_admin_can_create_groups)
  @spec only_groups_can_create_events? :: boolean
  def only_groups_can_create_events?,
    do:
      :mobilizon
      |> Application.get_env(:restrictions)
      |> Keyword.get(:only_groups_can_create_events)
  @spec anonymous_actor_id :: integer
  def anonymous_actor_id, do: get_cached_value(:anonymous_actor_id)
  @spec relay_actor_id :: integer