fix(backend): add missing kind definition for admin endpoints to impr…

…ove security

CHANGELOG.md

@@ -93,6 +93,7 @@
 - Fix: アカウントをブロックした際に、自身のユーザーのページでノートが相手に表示される問題を修正
 - Fix: モデレーションログがモデレーターは閲覧できないように修正
 - Fix: HTTP Digestヘッダのアルゴリズム部分に大文字の"SHA-256"しか使えない
+- Fix: 管理者用APIのアクセス権限が適切に設定されていない問題を修正
 
 ## 2023.11.1
 

packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts

@@ -13,6 +13,8 @@ import { AbuseUserReportEntityService } from '@/core/entities/AbuseUserReportEnt
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/accounts/create.ts

@@ -15,6 +15,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	res: {
 		type: 'object',
 		optional: false, nullable: false,

packages/backend/src/server/api/endpoints/admin/accounts/delete.ts

@@ -14,6 +14,8 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireAdmin: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/accounts/find-by-email.ts

@@ -13,6 +13,8 @@ import { ApiError } from '@/server/api/error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireAdmin: true,
 

packages/backend/src/server/api/endpoints/admin/ad/create.ts

@@ -13,6 +13,8 @@ import { ModerationLogService } from '@/core/ModerationLogService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/ad/delete.ts

@@ -13,6 +13,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/ad/list.ts

@@ -12,6 +12,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/ad/update.ts

@@ -13,6 +13,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/announcements/create.ts

@@ -10,6 +10,8 @@ import { AnnouncementService } from '@/core/AnnouncementService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/announcements/delete.ts

@@ -13,6 +13,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/announcements/list.ts

@@ -14,6 +14,8 @@ import { IdService } from '@/core/IdService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/announcements/update.ts

@@ -13,6 +13,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts

@@ -10,6 +10,8 @@ import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
 } as const;

packages/backend/src/server/api/endpoints/admin/avatar-decorations/delete.ts

@@ -12,6 +12,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
 	errors: {

packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts

@@ -15,6 +15,8 @@ import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
 

packages/backend/src/server/api/endpoints/admin/avatar-decorations/update.ts

@@ -12,6 +12,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
 

packages/backend/src/server/api/endpoints/admin/delete-account.ts

@@ -12,6 +12,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireAdmin: true,
 

packages/backend/src/server/api/endpoints/admin/delete-all-files-of-a-user.ts

@@ -12,6 +12,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireAdmin: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/drive/clean-remote-files.ts

@@ -10,6 +10,8 @@ import { QueueService } from '@/core/QueueService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/drive/cleanup.ts

@@ -13,6 +13,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/drive/files.ts

@@ -13,6 +13,8 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/drive/show-file.ts

@@ -14,6 +14,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 

packages/backend/src/server/api/endpoints/admin/emoji/add-aliases-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/add.ts

@@ -14,6 +14,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/emoji/copy.ts

@@ -16,6 +16,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/emoji/delete-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/delete.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/emoji/import-zip.ts

@@ -8,7 +8,7 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
 import { QueueService } from '@/core/QueueService.js';
 
 export const meta = {
-	secure: true,
+	kind: 'write:admin',
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts

@@ -15,6 +15,8 @@ import { sqlLikeEscape } from '@/misc/sql-like-escape.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/emoji/list.ts

@@ -15,6 +15,8 @@ import { EmojiEntityService } from '@/core/entities/EmojiEntityService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/emoji/remove-aliases-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/set-aliases-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/set-category-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/set-license-bulk.ts

@@ -10,6 +10,8 @@ import { CustomEmojiService } from '@/core/CustomEmojiService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 } as const;

packages/backend/src/server/api/endpoints/admin/emoji/update.ts

@@ -13,6 +13,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireRolePolicy: 'canManageCustomEmojis',
 

packages/backend/src/server/api/endpoints/admin/federation/delete-all-files.ts

@@ -12,6 +12,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/federation/refresh-remote-instance-metadata.ts

@@ -13,6 +13,8 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/federation/remove-all-following.ts

@@ -12,6 +12,8 @@ import { QueueService } from '@/core/QueueService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/federation/update-instance.ts

@@ -14,6 +14,8 @@ import { ModerationLogService } from '@/core/ModerationLogService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/get-index-stats.ts

@@ -12,6 +12,8 @@ export const meta = {
 	requireCredential: true,
 	requireAdmin: true,
 
+	kind: 'read:admin',
+
 	tags: ['admin'],
 } as const;
 

packages/backend/src/server/api/endpoints/admin/get-table-stats.ts

@@ -12,6 +12,8 @@ export const meta = {
 	requireCredential: true,
 	requireAdmin: true,
 
+	kind: 'read:admin',
+
 	tags: ['admin'],
 
 	res: {

packages/backend/src/server/api/endpoints/admin/get-user-ips.ts

@@ -12,6 +12,8 @@ import { IdService } from '@/core/IdService.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'read:admin',
+
 	requireCredential: true,
 	requireModerator: true,
 } as const;

packages/backend/src/server/api/endpoints/admin/invite/create.ts

@@ -16,6 +16,8 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
+	kind: 'write:admin',
+
 	requireCredential: true,
 	requireModerator: true,