From 186b5374c45efb42cb3838c7e948d8e2c5f3e399 Mon Sep 17 00:00:00 2001
From: IanM <16573496+imorland@users.noreply.github.com>
Date: Tue, 13 Feb 2024 12:59:57 +0000
Subject: [PATCH] feat: moderation of linked accounts (#73)

* feat: moderation of linked accounts

* Apply fixes from StyleCI

* chore: export components

---------

Co-authored-by: StyleCI Bot <bot@styleci.io>
---
 README.md                                     |  4 ++
 extend.php                                    | 10 +---
 js/src/admin/index.js                         | 13 ++++-
 js/src/forum/components/LinkStatus.tsx        | 10 ++--
 js/src/forum/components/LinkedAccounts.tsx    |  2 +-
 js/src/forum/components/ProviderInfo.tsx      | 37 ++++++++-----
 js/src/forum/components/index.ts              |  9 ++++
 .../addLinkedAccountsToUserSecurityPage.tsx   |  2 +-
 js/src/forum/index.ts                         |  2 +
 js/src/forum/models/LinkedAccount.ts          |  1 +
 resources/locale/en.yml                       |  3 ++
 src/Api/AddForumAttributes.php                | 28 ++++++++++
 .../DeleteProviderLinkController.php          | 18 +++++--
 .../Controllers/ListProvidersController.php   | 15 ++++--
 src/Events/UnlinkingFromProvider.php          |  8 ++-
 tests/integration/api/ForumSerializerTest.php | 53 ++++++++++++++++++-
 16 files changed, 173 insertions(+), 42 deletions(-)
 create mode 100644 js/src/forum/components/index.ts
 create mode 100644 src/Api/AddForumAttributes.php

diff --git a/README.md b/README.md
index 39afbe2..34d476c 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,10 @@ By default these providers are included:
 - LinkedIn
 - Twitter
 
+### Permissions
+
+This extension provides the ability to view the status of linked OAuth providers (intended for admin and/or moderator use). In order for this to function correctly, you must also set the permission `Moderate Access Tokens` to at least the same group as you require for `Moderate user's linked accounts`.
+
 ### Additional providers
 
 Additional OAuth providers are available for this extension. Here's a handy list of known extensions, let us know if you know of any more and we'll get them added!
diff --git a/extend.php b/extend.php
index 3e35059..b9fb153 100644
--- a/extend.php
+++ b/extend.php
@@ -43,20 +43,14 @@
         ->get('/auth/twitter', 'auth.twitter', Controllers\TwitterAuthController::class),
 
     (new Extend\Routes('api'))
-        ->get('/linked-accounts', 'users.provider.list', Api\Controllers\ListProvidersController::class)
+        ->get('/users/{id}/linked-accounts', 'users.provider.list', Api\Controllers\ListProvidersController::class)
         ->delete('/linked-accounts/{id}', 'users.provider.delete', Api\Controllers\DeleteProviderLinkController::class),
 
     (new Extend\ServiceProvider())
         ->register(OAuthServiceProvider::class),
 
     (new Extend\ApiSerializer(ForumSerializer::class))
-        ->attributes(function (ForumSerializer $serializer, $model, array $attributes): array {
-            if ($serializer->getActor()->isGuest()) {
-                $attributes['fof-oauth'] = resolve('fof-oauth.providers.forum');
-            }
-
-            return $attributes;
-        }),
+        ->attributes(Api\AddForumAttributes::class),
 
     (new Extend\Settings())
         ->default('fof-oauth.only_icons', false)
diff --git a/js/src/admin/index.js b/js/src/admin/index.js
index cbf01be..0477c7f 100644
--- a/js/src/admin/index.js
+++ b/js/src/admin/index.js
@@ -1,11 +1,20 @@
 import app from 'flarum/admin/app';
-
 import AuthSettingsPage from './components/AuthSettingsPage';
 import ConfigureWithOAuthPage from './components/ConfigureWithOAuthPage';
 import ConfigureWithOAuthButton from './components/ConfigureWithOAuthButton';
 
 app.initializers.add('fof/oauth', () => {
-  app.extensionData.for('fof-oauth').registerPage(AuthSettingsPage);
+  app.extensionData
+    .for('fof-oauth')
+    .registerPage(AuthSettingsPage)
+    .registerPermission(
+      {
+        icon: 'fas fa-sign-in-alt',
+        label: app.translator.trans('fof-oauth.admin.permissions.moderate_user_providers'),
+        permission: 'moderateUserProviders',
+      },
+      'moderate'
+    );
 });
 
 export { AuthSettingsPage, ConfigureWithOAuthPage, ConfigureWithOAuthButton };
diff --git a/js/src/forum/components/LinkStatus.tsx b/js/src/forum/components/LinkStatus.tsx
index 3e06eee..e67891f 100644
--- a/js/src/forum/components/LinkStatus.tsx
+++ b/js/src/forum/components/LinkStatus.tsx
@@ -8,7 +8,7 @@ import User from 'flarum/common/models/User';
 import ProviderInfo from './ProviderInfo';
 import extractText from 'flarum/common/utils/extractText';
 
-interface IAttrs {
+interface IAttrs extends ComponentAttrs {
   provider: LinkedAccount;
   user: User;
 }
@@ -18,7 +18,7 @@ export default class LinkStatus extends Component<IAttrs> {
     loading: false,
   };
 
-  onbeforeupdate(vnode: Mithril.Vnode<ComponentAttrs, this>) {
+  onbeforeupdate(vnode: Mithril.Vnode<IAttrs, this>) {
     super.onbeforeupdate(vnode);
     if (app.fof_oauth_linkingInProgress && app.fof_oauth_linkingProvider === this.attrs.provider.name()) {
       this.state.loading = true;
@@ -29,7 +29,7 @@ export default class LinkStatus extends Component<IAttrs> {
     }
   }
 
-  view(vnode: Mithril.Vnode<ComponentAttrs, this>): Mithril.Children {
+  view(vnode: Mithril.Vnode<IAttrs, this>): Mithril.Children {
     return (
       <div className={`LinkedAccounts-Account LinkedAccounts-Account--${this.attrs.provider.name()}`}>
         {this.iconView()}
@@ -70,7 +70,7 @@ export default class LinkStatus extends Component<IAttrs> {
           </Button>
         </div>
       );
-    } else if (!provider.orphaned()) {
+    } else if (!provider.orphaned() && (user.id() === app.session.user?.id() || !app.forum.attribute<boolean>('fofOauthModerate'))) {
       return (
         <div className="LinkedAccountsList-item-actions">
           <Button
@@ -101,7 +101,7 @@ export default class LinkStatus extends Component<IAttrs> {
     ) {
       this.state.loading = true;
       await provider.delete();
-      await app.store.find<LinkedAccount[]>('linked-accounts', {});
+      await app.store.find<LinkedAccount[]>('users/' + this.attrs.user.id() + '/linked-accounts', {});
       this.state.loading = false;
       m.redraw();
     }
diff --git a/js/src/forum/components/LinkedAccounts.tsx b/js/src/forum/components/LinkedAccounts.tsx
index 5f1de5f..3761505 100644
--- a/js/src/forum/components/LinkedAccounts.tsx
+++ b/js/src/forum/components/LinkedAccounts.tsx
@@ -58,7 +58,7 @@ export default class LinkedAccounts extends Component<IAttrs, IState> {
   }
 
   async loadLinkedAccounts() {
-    await app.store.find<LinkedAccount[]>('linked-accounts', {});
+    await app.store.find<LinkedAccount[]>('users/' + this.attrs.user.id() + '/linked-accounts', {});
     this.state.loadingAdditional = false;
     m.redraw();
   }
diff --git a/js/src/forum/components/ProviderInfo.tsx b/js/src/forum/components/ProviderInfo.tsx
index 4d4c35a..6e8f3ff 100644
--- a/js/src/forum/components/ProviderInfo.tsx
+++ b/js/src/forum/components/ProviderInfo.tsx
@@ -3,6 +3,8 @@ import Component from 'flarum/common/Component';
 import type LinkedAccount from '../models/LinkedAccount';
 import type Mithril from 'mithril';
 import humanTime from 'flarum/common/helpers/humanTime';
+import LabelValue from 'flarum/common/components/LabelValue';
+import ItemList from 'flarum/common/utils/ItemList';
 
 interface IProviderInfoAttrs {
   provider: LinkedAccount;
@@ -17,7 +19,7 @@ export default class ProviderInfo extends Component<IProviderInfoAttrs> {
         <div>
           <p className="LinkedAccountsList-item-title">{provider.name()}</p>
           <p className="helpText">{app.translator.trans('fof-oauth.forum.user.settings.linked-account.orphaned-account')}</p>
-          {this.renderDates(provider)}
+          <div className="LinkedAccountsList">{this.providerInfoItems(provider).toArray()}</div>
         </div>
       );
     }
@@ -26,7 +28,7 @@ export default class ProviderInfo extends Component<IProviderInfoAttrs> {
       return (
         <div>
           <p className="LinkedAccountsList-item-title">{app.translator.trans(`fof-oauth.forum.providers.${provider.name()}`)}</p>
-          {this.renderDates(provider)}
+          <div className="LinkedAccountsList">{this.providerInfoItems(provider).toArray()}</div>
         </div>
       );
     }
@@ -38,18 +40,27 @@ export default class ProviderInfo extends Component<IProviderInfoAttrs> {
     );
   }
 
-  /**
-   * Render the created and last used dates for a provider.
-   */
-  renderDates(provider: LinkedAccount): Mithril.Children {
-    return (
-      <dl>
-        <dt className="LinkedAccountsList-item-title">{app.translator.trans('fof-oauth.forum.user.settings.linked-account.link-created-label')}</dt>
-        <dd className="LinkedAccountsList-item-value">{humanTime(provider.firstLogin())}</dd>
+  providerInfoItems(provider: LinkedAccount): ItemList<Mithril.Children> {
+    const items = new ItemList<Mithril.Children>();
+
+    items.add(
+      'firstLogin',
+      <LabelValue
+        label={app.translator.trans('fof-oauth.forum.user.settings.linked-account.link-created-label')}
+        value={humanTime(provider.firstLogin())}
+      />,
+      100
+    );
 
-        <dt className="LinkedAccountsList-item-title">{app.translator.trans('fof-oauth.forum.user.settings.linked-account.last-used-label')}</dt>
-        <dd className="LinkedAccountsList-item-value">{humanTime(provider.lastLogin())}</dd>
-      </dl>
+    items.add(
+      'lastLogin',
+      <LabelValue
+        label={app.translator.trans('fof-oauth.forum.user.settings.linked-account.last-used-label')}
+        value={humanTime(provider.lastLogin())}
+      />,
+      90
     );
+
+    return items;
   }
 }
diff --git a/js/src/forum/components/index.ts b/js/src/forum/components/index.ts
new file mode 100644
index 0000000..edc3bcc
--- /dev/null
+++ b/js/src/forum/components/index.ts
@@ -0,0 +1,9 @@
+import LinkStatus from './LinkStatus';
+import LinkedAccounts from './LinkedAccounts';
+import ProviderInfo from './ProviderInfo';
+
+export const components = {
+  ProviderInfo,
+  LinkStatus,
+  LinkedAccounts,
+};
diff --git a/js/src/forum/extenders/addLinkedAccountsToUserSecurityPage.tsx b/js/src/forum/extenders/addLinkedAccountsToUserSecurityPage.tsx
index 58aecd0..85f9f9c 100644
--- a/js/src/forum/extenders/addLinkedAccountsToUserSecurityPage.tsx
+++ b/js/src/forum/extenders/addLinkedAccountsToUserSecurityPage.tsx
@@ -7,7 +7,7 @@ import type Mithril from 'mithril';
 
 export default function addLinkedAccountsToUserSecurityPage() {
   extend(UserSecurityPage.prototype, 'settingsItems', function (items: ItemList<Mithril.Children>) {
-    if (this.user !== app.session.user) {
+    if (this.user !== app.session.user && !app.forum.attribute('fofOauthModerate')) {
       return;
     }
 
diff --git a/js/src/forum/index.ts b/js/src/forum/index.ts
index d49f3ea..eb1a391 100644
--- a/js/src/forum/index.ts
+++ b/js/src/forum/index.ts
@@ -4,6 +4,8 @@ import extendLoginSignup from './extenders/extendLoginSignup';
 
 export { default as extend } from './extend';
 
+export * from './components';
+
 app.initializers.add('fof/oauth', () => {
   extendLoginSignup();
   addLinkedAccountsToUserSecurityPage();
diff --git a/js/src/forum/models/LinkedAccount.ts b/js/src/forum/models/LinkedAccount.ts
index 9855f72..f0d34ac 100644
--- a/js/src/forum/models/LinkedAccount.ts
+++ b/js/src/forum/models/LinkedAccount.ts
@@ -28,6 +28,7 @@ export default class LinkedAccount extends Model {
   providerIdentifier() {
     return Model.attribute<string>('providerIdentifier').call(this);
   }
+
   firstLogin() {
     return Model.attribute('firstLogin', Model.transformDate).call(this);
   }
diff --git a/resources/locale/en.yml b/resources/locale/en.yml
index a3ae6f8..6774052 100644
--- a/resources/locale/en.yml
+++ b/resources/locale/en.yml
@@ -4,6 +4,9 @@ fof-oauth:
     configure_button_label: Configure with FoF OAuth
     settings_accessibility_label: "{name} settings"
 
+    permissions:
+      moderate_user_providers: Moderate user's linked accounts
+
     settings:
       advanced:
         heading: Advanced
diff --git a/src/Api/AddForumAttributes.php b/src/Api/AddForumAttributes.php
new file mode 100644
index 0000000..51cf82c
--- /dev/null
+++ b/src/Api/AddForumAttributes.php
@@ -0,0 +1,28 @@
+<?php
+
+/*
+ * This file is part of fof/oauth.
+ *
+ * Copyright (c) FriendsOfFlarum.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FoF\OAuth\Api;
+
+use Flarum\Api\Serializer\ForumSerializer;
+
+class AddForumAttributes
+{
+    public function __invoke(ForumSerializer $serializer, $model, array $attributes): array
+    {
+        if ($serializer->getActor()->isGuest()) {
+            $attributes['fof-oauth'] = resolve('fof-oauth.providers.forum');
+        } else {
+            $attributes['fofOauthModerate'] = $serializer->getActor()->can('moderateUserProviders');
+        }
+
+        return $attributes;
+    }
+}
diff --git a/src/Api/Controllers/DeleteProviderLinkController.php b/src/Api/Controllers/DeleteProviderLinkController.php
index d6a1906..c1d2a5b 100644
--- a/src/Api/Controllers/DeleteProviderLinkController.php
+++ b/src/Api/Controllers/DeleteProviderLinkController.php
@@ -12,9 +12,9 @@
 namespace FoF\OAuth\Api\Controllers;
 
 use Flarum\Api\Controller\AbstractDeleteController;
-use Flarum\Foundation\ValidationException;
 use Flarum\Http\RequestUtil;
 use Flarum\User\LoginProvider;
+use Flarum\User\UserRepository;
 use FoF\OAuth\Events\UnlinkingFromProvider;
 use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Support\Arr;
@@ -28,9 +28,15 @@ class DeleteProviderLinkController extends AbstractDeleteController
      */
     protected $events;
 
-    public function __construct(Dispatcher $events)
+    /**
+     * @var UserRepository
+     */
+    protected $users;
+
+    public function __construct(Dispatcher $events, UserRepository $users)
     {
         $this->events = $events;
+        $this->users = $users;
     }
 
     /**
@@ -45,11 +51,13 @@ protected function delete(ServerRequestInterface $request)
 
         $provider = LoginProvider::findOrFail($id);
 
-        if ($provider->user_id !== $actor->id) {
-            throw new ValidationException(['provider' => 'This provider does not belong to you.']);
+        $user = $this->users->findOrFail($provider->user_id);
+
+        if ($user->id !== $actor->id) {
+            $actor->assertCan('moderateUserProviders');
         }
 
-        $this->events->dispatch(new UnlinkingFromProvider($actor, $provider));
+        $this->events->dispatch(new UnlinkingFromProvider($user, $provider, $actor));
 
         $provider->delete();
 
diff --git a/src/Api/Controllers/ListProvidersController.php b/src/Api/Controllers/ListProvidersController.php
index 5011cef..c5eba01 100644
--- a/src/Api/Controllers/ListProvidersController.php
+++ b/src/Api/Controllers/ListProvidersController.php
@@ -46,25 +46,32 @@ public function __construct(UserRepository $users)
     protected function data(ServerRequestInterface $request, Document $document)
     {
         $actor = RequestUtil::getActor($request);
+        $actor->assertRegistered();
+
+        $user = $this->users->findOrFail(Arr::get($request->getQueryParams(), 'id'));
+
+        if ($actor->id !== $user->id) {
+            $actor->assertCan('moderateUserProviders');
+        }
 
         $providers = $this->getProviders();
 
-        $loginProviders = $this->getUserProviders($actor, $providers);
+        $loginProviders = $this->getUserProviders($user, $providers);
 
         $data = new Collection();
 
-        $providers->each(function (array $provider) use ($loginProviders, &$data, $actor) {
+        $providers->each(function (array $provider) use ($loginProviders, &$data, $user) {
             $loginProvider = $loginProviders->where('provider', Arr::get($provider, 'name'))->first();
             $data->add(LoginProviderStatus::build(
                 Arr::get($provider, 'name'),
                 Arr::get($provider, 'icon'),
                 Arr::get($provider, 'priority'),
-                $actor,
+                $user,
                 $loginProvider
             ));
         });
 
-        $this->getOrphanedUserProviders($actor, $providers)->each(function (LoginProvider $loginProvider) use (&$data) {
+        $this->getOrphanedUserProviders($user, $providers)->each(function (LoginProvider $loginProvider) use (&$data) {
             $data->add(LoginProviderStatus::build(
                 $loginProvider->provider,
                 'fas fa-question',
diff --git a/src/Events/UnlinkingFromProvider.php b/src/Events/UnlinkingFromProvider.php
index abbf48a..6c1a11b 100644
--- a/src/Events/UnlinkingFromProvider.php
+++ b/src/Events/UnlinkingFromProvider.php
@@ -26,13 +26,19 @@ class UnlinkingFromProvider
      */
     public $provider;
 
+    /**
+     * @var User|null
+     */
+    public $actor;
+
     /**
      * @param User          $user
      * @param LoginProvider $provider
      */
-    public function __construct(User $user, LoginProvider $provider)
+    public function __construct(User $user, LoginProvider $provider, User $actor = null)
     {
         $this->user = $user;
         $this->provider = $provider;
+        $this->actor = $actor;
     }
 }
diff --git a/tests/integration/api/ForumSerializerTest.php b/tests/integration/api/ForumSerializerTest.php
index f5318e3..35ae4e2 100644
--- a/tests/integration/api/ForumSerializerTest.php
+++ b/tests/integration/api/ForumSerializerTest.php
@@ -12,17 +12,43 @@
 namespace FoF\OAuth\Tests\integration\api;
 
 use Flarum\Extend;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
 use Flarum\Testing\integration\TestCase;
 
 class ForumSerializerTest extends TestCase
 {
+    use RetrievesAuthorizedUsers;
+
     public function setUp(): void
     {
+        parent::setUp();
+
         $this->extension('fof-oauth');
 
         $this->extend(
             (new Extend\Csrf())->exemptRoute('login')
         );
+
+        $this->prepareDatabase([
+            'users' => [
+                $this->normalUser(),
+                ['id' => 3, 'username' => 'moderator', 'is_email_confirmed' => true],
+            ],
+            'group_user' => [
+                ['user_id' => 3, 'group_id' => 4],
+            ],
+            'group_permission' => [
+                ['permission' => 'moderateUserProviders', 'group_id' => 4],
+            ],
+        ]);
+    }
+
+    public function authorizedUserProvider()
+    {
+        return [
+            [1],
+            [3],
+        ];
     }
 
     /**
@@ -39,15 +65,36 @@ public function it_includes_providers_in_forum_attributes_for_guests()
         $body = json_decode($response->getBody(), true);
 
         $this->assertArrayHasKey('fof-oauth', $body['data']['attributes']);
+        $this->assertArrayNotHasKey('fofOauthModerate', $body['data']['attributes']);
+    }
+
+    /**
+     * @dataProvider authorizedUserProvider
+     *
+     * @test
+     */
+    public function it_does_not_include_providers_in_forum_attributes_for_logged_in_users(int $userId)
+    {
+        $response = $this->send(
+            $this->request('GET', '/api', ['authenticatedAs' => $userId])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $body = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayNotHasKey('fof-oauth', $body['data']['attributes']);
+        $this->assertArrayHasKey('fofOauthModerate', $body['data']['attributes']);
+        $this->assertTrue($body['data']['attributes']['fofOauthModerate']);
     }
 
     /**
      * @test
      */
-    public function it_does_not_include_providers_in_forum_attributes_for_logged_in_users()
+    public function normal_user_does_not_have_moderate_flag()
     {
         $response = $this->send(
-            $this->request('GET', '/api', ['authenticatedAs' => 1])
+            $this->request('GET', '/api', ['authenticatedAs' => 2])
         );
 
         $this->assertEquals(200, $response->getStatusCode());
@@ -55,6 +102,8 @@ public function it_does_not_include_providers_in_forum_attributes_for_logged_in_
         $body = json_decode($response->getBody()->getContents(), true);
 
         $this->assertArrayNotHasKey('fof-oauth', $body['data']['attributes']);
+        $this->assertArrayHasKey('fofOauthModerate', $body['data']['attributes']);
+        $this->assertFalse($body['data']['attributes']['fofOauthModerate']);
     }
 
     /**