From 8b514986a4930fd5683b4c904671767c411635b0 Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Mon, 17 Feb 2025 23:28:51 +0100
Subject: [PATCH] [backend/middleware] Require administrator role for masto admin scope endpoints

This isn't currently used anywhere, but may become relevant in the future.
---
 Iceshrimp.Backend/Core/Middleware/AuthenticationMiddleware.cs | 4 ++--
 Iceshrimp.Backend/Core/Middleware/AuthorizationMiddleware.cs | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Iceshrimp.Backend/Core/Middleware/AuthenticationMiddleware.cs b/Iceshrimp.Backend/Core/Middleware/AuthenticationMiddleware.cs
index 0dd1cf3f..35dae18f 100644
--- a/Iceshrimp.Backend/Core/Middleware/AuthenticationMiddleware.cs
+++ b/Iceshrimp.Backend/Core/Middleware/AuthenticationMiddleware.cs
@@ -62,8 +62,8 @@ public class AuthenticationMiddleware(
 }
 if ((attribute.AdminRole && !oauthToken.User.IsAdmin) ||
-(attribute.ModeratorRole &&
-oauthToken.User is { IsAdmin: false, IsModerator: false }))
+(attribute.ModeratorRole && oauthToken.User is { IsAdmin: false, IsModerator: false }) ||
+(attribute.Scopes.Any(p => p is "admin" || p.StartsWith("admin:")) && !oauthToken.User.IsAdmin))
 {
 await next(ctx);
 return;
diff --git a/Iceshrimp.Backend/Core/Middleware/AuthorizationMiddleware.cs b/Iceshrimp.Backend/Core/Middleware/AuthorizationMiddleware.cs
index 15327720..390ba750 100644
--- a/Iceshrimp.Backend/Core/Middleware/AuthorizationMiddleware.cs
+++ b/Iceshrimp.Backend/Core/Middleware/AuthorizationMiddleware.cs
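Review bot: `p.StartsWith("admin:")` in the added condition uses the culture-sensitive overload; scope names are protocol identifiers compared for an authorization decision, so the prefix test should be ordinal, `p.StartsWith("admin:", StringComparison.Ordinal)`. The same applies to the corresponding line in the AuthorizationMiddleware hunk of this commit. The failure path here falls through to `next(ctx)` without a user on the context, matching the existing AdminRole branch, so the actual refusal presumably happens downstream; a one-line comment such as `// Scope-gated admin endpoints: treat a non-admin token as unauthenticated and let the authorization layer reject it` would make that intent explicit. The enclosing method continues outside the hunk.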
@@ -26,6 +26,8 @@ public class AuthorizationMiddleware(RequestDelegate next) : ConditionalMiddlewa
 throw GracefulException.Forbidden("This action is outside the authorized scopes");
 if (attribute.ModeratorRole && token.User is { IsAdmin: false, IsModerator: false })
 throw GracefulException.Forbidden("This action is outside the authorized scopes");
+if (attribute.Scopes.Any(p => p is "admin" || p.StartsWith("admin:") && !token.User.IsAdmin))
+throw GracefulException.Forbidden("This action is outside the authorized scopes");
 }
 else
 {
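Review bot: The added `if` has an operator-precedence defect: `&& !token.User.IsAdmin` sits inside the lambda and binds tighter than `||`, so the predicate reads as `p is "admin" || (p.StartsWith("admin:") && !token.User.IsAdmin)`. Any endpoint whose attribute declares the bare `"admin"` scope is therefore refused for every caller, administrators included, while only the `admin:`-prefixed scopes get the intended admin check; the failure is closed rather than open, but it diverges from the AuthenticationMiddleware hunk in this same commit, where the closing parenthesis is placed correctly. The line should be `if (attribute.Scopes.Any(p => p is "admin" || p.StartsWith("admin:")) && !token.User.IsAdmin)`, and a unit test covering an admin token against a bare `"admin"` scope would have caught the asymmetry. The enclosing method starts and ends outside the hunk.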