Only let top admin purge. Fixes #2731 (#2732)

diff --git a/crates/api/src/site/purge/comment.rs b/crates/api/src/site/purge/comment.rs
index 71d2c7889979422b76204f4a7f1f1b2919b12ab4..9664a6288482086a8e1c37a34bd079b8c3778534 100644 (file)
--- a/crates/api/src/site/purge/comment.rs
+++ b/crates/api/src/site/purge/comment.rs
@@ -3,7 +3,7 @@ use actix_web::web::Data;
 use lemmy_api_common::{
   context::LemmyContext,
   site::{PurgeComment, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -28,8 +28,8 @@ impl Perform for PurgeComment {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let comment_id = data.comment_id;
 

diff --git a/crates/api/src/site/purge/community.rs b/crates/api/src/site/purge/community.rs
index e3a673b74f6d244b5cf8fdc4056fe1b846b66925..abc4ff3284aa5e4bc73b29a92daf31ddb170a476 100644 (file)
--- a/crates/api/src/site/purge/community.rs
+++ b/crates/api/src/site/purge/community.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeCommunity, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_community},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_community},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgeCommunity {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let community_id = data.community_id;
 

diff --git a/crates/api/src/site/purge/person.rs b/crates/api/src/site/purge/person.rs
index 658e50b6dc32fbfa3b040d486207972e28c820d0..94c80a9286935cd6fc66f65dcaec01c639461c17 100644 (file)
--- a/crates/api/src/site/purge/person.rs
+++ b/crates/api/src/site/purge/person.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePerson},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_person},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_person},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePerson {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     // Read the person to get their images
     let person_id = data.person_id;

diff --git a/crates/api/src/site/purge/post.rs b/crates/api/src/site/purge/post.rs
index aa2e74839cbaa4d230c961948185105ff10d67da..27f908188beca73aeb79a461849f178150459d1d 100644 (file)
--- a/crates/api/src/site/purge/post.rs
+++ b/crates/api/src/site/purge/post.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePost},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePost {
     let local_user_view =
       get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
 
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
 
     let post_id = data.post_id;
 

diff --git a/crates/api_common/src/utils.rs b/crates/api_common/src/utils.rs
index 88908bccdf3112e4b220ff52598fbfe842548430..3bdd94546785dfa756da51d7c66fe5d55496b9c6 100644 (file)
--- a/crates/api_common/src/utils.rs
+++ b/crates/api_common/src/utils.rs
@@ -30,6 +30,7 @@ use lemmy_db_views_actor::structs::{
   CommunityModeratorView,
   CommunityPersonBanView,
   CommunityView,
+  PersonViewSafe,
 };
 use lemmy_utils::{
   claims::Claims,
@@ -60,6 +61,18 @@ pub async fn is_mod_or_admin(
   Ok(())
 }
 
+pub async fn is_top_admin(pool: &DbPool, person_id: PersonId) -> Result<(), LemmyError> {
+  let admins = PersonViewSafe::admins(pool).await?;
+  let top_admin = admins
+    .get(0)
+    .ok_or_else(|| LemmyError::from_message("no admins"))?;
+
+  if top_admin.person.id != person_id {
+    return Err(LemmyError::from_message("not_top_admin"));
+  }
+  Ok(())
+}
+
 pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> {
   if !local_user_view.person.admin {
     return Err(LemmyError::from_message("not_an_admin"));