feat(backend/ApiCallService): allow limited access for suspend accounts

2024-09-23 02:01:59 +03:00 · 2023-08-13 15:30:19 +02:00 · 2023-08-13 15:30:19 +02:00 · c28e0abb75
parent ab58b651f7
commit c28e0abb75
49 changed files with 109 additions and 55 deletions
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@ -276,17 +276,10 @@ export class ApiCallService implements OnApplicationShutdown {
 					id: '1384574d-a912-4b81-8601-c7b1c4085df1',
 					httpStatusCode: 401,
 				});
-			} else if (user!.isSuspended) {
-				throw new ApiError({
-					message: 'Your account has been suspended.',
-					code: 'YOUR_ACCOUNT_SUSPENDED',
-					kind: 'permission',
-					id: 'a8c724b3-6e9c-4b46-b1a8-bc3ed6258370',
-				});
 			}
 		}

-		if (ep.meta.prohibitMoved) {
+		if (ep.meta.prohibitDeactivated) {
 			if (user?.movedToUri) {
 				throw new ApiError({
 					message: 'You have moved your account.',
@ -295,6 +288,14 @@ export class ApiCallService implements OnApplicationShutdown {
 					id: '56f20ec9-fd06-4fa5-841b-edd6d7d4fa31',
 				});
 			}
+			if (user?.isSuspended) {
+				throw new ApiError({
+					message: 'Your account has been suspended.',
+					code: 'YOUR_ACCOUNT_SUSPENDED',
+					kind: 'permission',
+					id: 'a8c724b3-6e9c-4b46-b1a8-bc3ed6258370',
+				});
+			}
 		}

 		if ((ep.meta.requireModerator || ep.meta.requireAdmin) && !user!.isRoot) {
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@ -729,7 +729,7 @@ export interface IEndpointMeta {
 	 * 引っ越し済みのユーザーによるリクエストを禁止するか
 	 * 省略した場合は false として解釈されます。
 	 */
-	readonly prohibitMoved?: boolean;
+	readonly prohibitDeactivated?: boolean;

 	/**
 	 * エンドポイントのリミテーションに関するやつ
--- a/packages/backend/src/server/api/endpoints/antennas/create.ts
+++ b/packages/backend/src/server/api/endpoints/antennas/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/antennas/update.ts
+++ b/packages/backend/src/server/api/endpoints/antennas/update.ts
@ -16,7 +16,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/channels/create.ts
+++ b/packages/backend/src/server/api/endpoints/channels/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/channels/favorite.ts
+++ b/packages/backend/src/server/api/endpoints/channels/favorite.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/channels/follow.ts
+++ b/packages/backend/src/server/api/endpoints/channels/follow.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/channels/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/channels/unfavorite.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/channels/unfollow.ts
+++ b/packages/backend/src/server/api/endpoints/channels/unfollow.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/clips/add-note.ts
+++ b/packages/backend/src/server/api/endpoints/clips/add-note.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/clips/create.ts
+++ b/packages/backend/src/server/api/endpoints/clips/create.ts
@ -17,7 +17,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/clips/favorite.ts
+++ b/packages/backend/src/server/api/endpoints/clips/favorite.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:clip-favorite',

--- a/packages/backend/src/server/api/endpoints/clips/remove-note.ts
+++ b/packages/backend/src/server/api/endpoints/clips/remove-note.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/clips/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/clips/unfavorite.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:clip-favorite',

--- a/packages/backend/src/server/api/endpoints/clips/update.ts
+++ b/packages/backend/src/server/api/endpoints/clips/update.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/drive/files/create.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	limit: {
 		duration: ms('1hour'),
--- a/packages/backend/src/server/api/endpoints/drive/files/upload-from-url.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/upload-from-url.ts
@ -22,7 +22,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:drive',
 } as const;
--- a/packages/backend/src/server/api/endpoints/flash/create.ts
+++ b/packages/backend/src/server/api/endpoints/flash/create.ts
@ -16,7 +16,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:flash',

--- a/packages/backend/src/server/api/endpoints/flash/like.ts
+++ b/packages/backend/src/server/api/endpoints/flash/like.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:flash-likes',

--- a/packages/backend/src/server/api/endpoints/flash/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/flash/unlike.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:flash-likes',

--- a/packages/backend/src/server/api/endpoints/flash/update.ts
+++ b/packages/backend/src/server/api/endpoints/flash/update.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:flash',

--- a/packages/backend/src/server/api/endpoints/following/create.ts
+++ b/packages/backend/src/server/api/endpoints/following/create.ts
@ -24,7 +24,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:following',

--- a/packages/backend/src/server/api/endpoints/gallery/posts/create.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:gallery',

--- a/packages/backend/src/server/api/endpoints/gallery/posts/like.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/like.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:gallery-likes',

--- a/packages/backend/src/server/api/endpoints/gallery/posts/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/unlike.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:gallery-likes',

--- a/packages/backend/src/server/api/endpoints/gallery/posts/update.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/update.ts
@ -16,7 +16,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:gallery',

--- a/packages/backend/src/server/api/endpoints/i/claim-achievement.ts
+++ b/packages/backend/src/server/api/endpoints/i/claim-achievement.ts
@ -9,7 +9,7 @@ import { AchievementService, ACHIEVEMENT_TYPES } from '@/core/AchievementService

 export const meta = {
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,
 } as const;

 export const paramDef = {
--- a/packages/backend/src/server/api/endpoints/i/import-antennas.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-antennas.ts
@ -16,7 +16,7 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	limit: {
 		duration: ms('1hour'),
--- a/packages/backend/src/server/api/endpoints/i/import-blocking.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-blocking.ts
@ -15,7 +15,7 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	limit: {
 		duration: ms('1hour'),
--- a/packages/backend/src/server/api/endpoints/i/import-following.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-following.ts
@ -15,7 +15,7 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,
 	limit: {
 		duration: ms('1hour'),
 		max: 1,
--- a/packages/backend/src/server/api/endpoints/i/import-muting.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-muting.ts
@ -15,7 +15,7 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	limit: {
 		duration: ms('1hour'),
--- a/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
@ -15,7 +15,7 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,
 	limit: {
 		duration: ms('1hour'),
 		max: 1,
--- a/packages/backend/src/server/api/endpoints/i/move.ts
+++ b/packages/backend/src/server/api/endpoints/i/move.ts
@ -25,7 +25,7 @@ export const meta = {

 	secure: true,
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,
 	limit: {
 		duration: ms('1day'),
 		max: 5,
--- a/packages/backend/src/server/api/endpoints/i/pin.ts
+++ b/packages/backend/src/server/api/endpoints/i/pin.ts
@ -13,7 +13,7 @@ export const meta = {
 	tags: ['account', 'notes'],

 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/mute/create.ts
+++ b/packages/backend/src/server/api/endpoints/mute/create.ts
@ -16,7 +16,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:mutes',

--- a/packages/backend/src/server/api/endpoints/notes/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/create.ts
@ -23,7 +23,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	limit: {
 		duration: ms('1hour'),
--- a/packages/backend/src/server/api/endpoints/notes/favorites/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/favorites/create.ts
@ -17,7 +17,7 @@ export const meta = {
 	tags: ['notes', 'favorites'],

 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:favorites',

--- a/packages/backend/src/server/api/endpoints/notes/polls/vote.ts
+++ b/packages/backend/src/server/api/endpoints/notes/polls/vote.ts
@ -22,7 +22,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:votes',

--- a/packages/backend/src/server/api/endpoints/notes/reactions/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/reactions/create.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:reactions',

--- a/packages/backend/src/server/api/endpoints/pages/create.ts
+++ b/packages/backend/src/server/api/endpoints/pages/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:pages',

--- a/packages/backend/src/server/api/endpoints/pages/like.ts
+++ b/packages/backend/src/server/api/endpoints/pages/like.ts
@ -15,7 +15,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:page-likes',

--- a/packages/backend/src/server/api/endpoints/pages/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/pages/unlike.ts
@ -14,7 +14,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:page-likes',

--- a/packages/backend/src/server/api/endpoints/pages/update.ts
+++ b/packages/backend/src/server/api/endpoints/pages/update.ts
@ -16,7 +16,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:pages',

--- a/packages/backend/src/server/api/endpoints/renote-mute/create.ts
+++ b/packages/backend/src/server/api/endpoints/renote-mute/create.ts
@ -17,7 +17,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:mutes',

--- a/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
@ -17,7 +17,7 @@ import { UserListService } from '@/core/UserListService.js';

 export const meta = {
 	requireCredential: true,
-	prohibitMoved: true,
+	prohibitDeactivated: true,
 	res: {
 		type: 'object',
 		optional: false, nullable: false,
--- a/packages/backend/src/server/api/endpoints/users/lists/create.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/create.ts
@ -18,7 +18,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/users/lists/pull.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/pull.ts
@ -17,7 +17,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/users/lists/push.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/push.ts
@ -17,7 +17,7 @@ export const meta = {

 	requireCredential: true,

-	prohibitMoved: true,
+	prohibitDeactivated: true,

 	kind: 'write:account',

--- a/packages/backend/test/e2e/suspend.ts
+++ b/packages/backend/test/e2e/suspend.ts
@ -0,0 +1,53 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+process.env.NODE_ENV = 'test';
+
+import * as assert from 'assert';
+import { loadConfig } from '@/config.js';
+import { User, UsersRepository } from '@/models/index.js';
+import { jobQueue } from '@/boot/common.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
+import { uploadFile, signup, startServer, initTestDb, api, sleep, successfulApiCall } from '../utils.js';
+import type { INestApplicationContext } from '@nestjs/common';
+import type * as misskey from 'misskey-js';
+
+describe('Account Suspension', () => {
+	let app: INestApplicationContext;
+
+	let root: misskey.entities.MeSignup;
+	let alice: misskey.entities.MeSignup;
+
+	beforeAll(async () => {
+		app = await startServer();
+		root = await signup({ username: 'root' });
+		alice = await signup({ username: 'alice' });
+
+		await api('admin/suspend-user', { userId: alice.id }, root);
+	}, 1000 * 60 * 2);
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	it('Cannot create notes', async () => {
+		const res = await api('notes/create', { text: 'foo' }, alice);
+
+		assert.strictEqual(res.status, 403);
+		assert.strictEqual(res.body.error.code, 'YOUR_ACCOUNT_SUSPENDED');
+		assert.strictEqual(res.body.error.id, 'a8c724b3-6e9c-4b46-b1a8-bc3ed6258370');
+	});
+
+	it('Can see notes', async () => {
+		const createRes = await api('notes/create', { text: 'bar' }, root);
+		assert.strictEqual(createRes.status, 200);
+		assert.strictEqual(createRes.body.createdNote.text, 'bar');
+
+		const showRes = await api('notes/show', { noteId: createRes.body.createdNote.id }, alice);
+		assert.strictEqual(showRes.status, 200);
+		assert.strictEqual(showRes.body.text, 'bar');
+		assert.strictEqual(showRes.body.id, createRes.body.createdNote.id);
+	});
+});