First

1 files changed, 44 insertions, 0 deletions

diff --git a/lib/pleroma/web/plugs/ensure_privileged_plug.ex b/lib/pleroma/web/plugs/ensure_privileged_plug.ex
new file mode 100644
index 0000000..f886c87
--- /dev/null
+++ b/lib/pleroma/web/plugs/ensure_privileged_plug.ex
@@ -0,0 +1,44 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.EnsurePrivilegedPlug do
+  @moduledoc """
+  Ensures staff are privileged enough to do certain tasks.
+  """
+  import Pleroma.Web.TranslationHelpers
+  import Plug.Conn
+
+  alias Pleroma.Config
+  alias Pleroma.User
+
+  def init(options) do
+    options
+  end
+
+  def call(%{assigns: %{user: %User{is_admin: false, is_moderator: false}}} = conn, _) do
+    conn
+    |> render_error(:forbidden, "User isn't privileged.")
+    |> halt()
+  end
+
+  def call(
+        %{assigns: %{user: %User{is_admin: is_admin, is_moderator: is_moderator}}} = conn,
+        privilege
+      ) do
+    if (is_admin and privilege in Config.get([:instance, :admin_privileges])) or
+         (is_moderator and privilege in Config.get([:instance, :moderator_privileges])) do
+      conn
+    else
+      conn
+      |> render_error(:forbidden, "User isn't privileged.")
+      |> halt()
+    end
+  end
+
+  def call(conn, _) do
+    conn
+    |> render_error(:forbidden, "User isn't privileged.")
+    |> halt()
+  end
+end