authorLibravatar Vyr Cossont <vyr@noreply.codeberg.org>2025-10-13 19:15:24 +0200
committerLibravatar tobi <tobi.smethurst@protonmail.com>2025-10-17 15:33:15 +0200
commitc99b89f780f9d561ac0fbc2acf61291006396071 (patch)
tree646b04daea29d2b0ffa33bbc2181ebba0ceffb29 /internal/api
parent[docs] Document setting `OTEL_EXPORTER_PROMETHEUS_HOST` for Docker (#4498) (diff)
[feature] granular admin scopes for custom emojis (#4489)
This PR adds admin equivalents of the `read:custom_emojis` OAuth scope: `admin:read:custom_emojis` and `admin:write:custom_emojis`. This is so tools which only touch emojis can run without other admin permissions. (`slurp emojis import` is one such tool.) I've also sorted the admin section of the scopes lists alphabetically like the non-admin section, and updated the Swagger test script to print the same command path that it actually runs. ## API compatibility Neither [Mastodon](https://docs.joinmastodon.org/api/oauth-scopes/) nor Akkoma nor Iceshrimp.NET has an equivalent scope, so there are no alternate scope names to worry about. Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4489 Co-authored-by: Vyr Cossont <vyr@noreply.codeberg.org> Co-committed-by: Vyr Cossont <vyr@noreply.codeberg.org>
Diffstat (limited to 'internal/api')
-rw-r--r--internal/api/client/admin/emojicategoriesget.go4
-rw-r--r--internal/api/client/admin/emojicreate.go4
-rw-r--r--internal/api/client/admin/emojidelete.go4
-rw-r--r--internal/api/client/admin/emojiget.go4
-rw-r--r--internal/api/client/admin/emojisget.go4
-rw-r--r--internal/api/client/admin/emojiupdate.go4
-rw-r--r--internal/api/util/scopes.go6
7 files changed, 16 insertions, 14 deletions
diff --git a/internal/api/client/admin/emojicategoriesget.go b/internal/api/client/admin/emojicategoriesget.go
index 37d6f12f3..c2a8cbabb 100644
--- a/internal/api/client/admin/emojicategoriesget.go
+++ b/internal/api/client/admin/emojicategoriesget.go
@@ -39,7 +39,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:read
+// - admin:read:custom_emojis
//
// responses:
// '200':
@@ -63,7 +63,7 @@ import (
func (m *Module) EmojiCategoriesGETHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminRead,
+ apiutil.ScopeAdminReadCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
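Review bot: With the required scope narrowed to `apiutil.ScopeAdminReadCustomEmojis`, the only authorization visible in this hunk is the token's scope, and a scope limits what a token may do rather than proving the account behind it is an admin. EmojiCategoriesGETHandler continues outside the hunk, so I cannot see whether the caller's admin role is still checked after `apiutil.TokenAuth`; please confirm that check is present and unchanged here and in the matching TokenAuth hunks of emojicreate.go, emojidelete.go, emojiget.go, emojisget.go and emojiupdate.go. If it is, a short comment above the call such as `// Scope gates the token; the admin role check below gates the account.` would make it harder for a later refactor to drop one half of the pair.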
diff --git a/internal/api/client/admin/emojicreate.go b/internal/api/client/admin/emojicreate.go
index c2723042a..04f0602c0 100644
--- a/internal/api/client/admin/emojicreate.go
+++ b/internal/api/client/admin/emojicreate.go
@@ -75,7 +75,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:write
+// - admin:write:custom_emojis
//
// responses:
// '200':
@@ -99,7 +99,7 @@ import (
func (m *Module) EmojiCreatePOSTHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminWrite,
+ apiutil.ScopeAdminWriteCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
diff --git a/internal/api/client/admin/emojidelete.go b/internal/api/client/admin/emojidelete.go
index 7809608e3..83c49a92a 100644
--- a/internal/api/client/admin/emojidelete.go
+++ b/internal/api/client/admin/emojidelete.go
@@ -53,7 +53,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:write
+// - admin:write:custom_emojis
//
// responses:
// '200':
@@ -75,7 +75,7 @@ import (
func (m *Module) EmojiDELETEHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminWrite,
+ apiutil.ScopeAdminWriteCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
diff --git a/internal/api/client/admin/emojiget.go b/internal/api/client/admin/emojiget.go
index 5abed2aaa..1ae7eb9e9 100644
--- a/internal/api/client/admin/emojiget.go
+++ b/internal/api/client/admin/emojiget.go
@@ -47,7 +47,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:read
+// - admin:read:custom_emojis
//
// responses:
// '200':
@@ -69,7 +69,7 @@ import (
func (m *Module) EmojiGETHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminRead,
+ apiutil.ScopeAdminReadCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
diff --git a/internal/api/client/admin/emojisget.go b/internal/api/client/admin/emojisget.go
index d9cf508ce..4dbbd7f53 100644
--- a/internal/api/client/admin/emojisget.go
+++ b/internal/api/client/admin/emojisget.go
@@ -100,7 +100,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:read
+// - admin:read:custom_emojis
//
// responses:
// '200':
@@ -128,7 +128,7 @@ import (
func (m *Module) EmojisGETHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminRead,
+ apiutil.ScopeAdminReadCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
diff --git a/internal/api/client/admin/emojiupdate.go b/internal/api/client/admin/emojiupdate.go
index 807f24844..d1576a15d 100644
--- a/internal/api/client/admin/emojiupdate.go
+++ b/internal/api/client/admin/emojiupdate.go
@@ -104,7 +104,7 @@ import (
//
// security:
// - OAuth2 Bearer:
-// - admin:write
+// - admin:write:custom_emojis
//
// responses:
// '200':
@@ -126,7 +126,7 @@ import (
func (m *Module) EmojiPATCHHandler(c *gin.Context) {
authed, errWithCode := apiutil.TokenAuth(c,
true, true, true, true,
- apiutil.ScopeAdminWrite,
+ apiutil.ScopeAdminWriteCustomEmojis,
)
if errWithCode != nil {
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index 492fa9dad..13e547286 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -86,12 +86,14 @@ const (
ScopeWriteStatuses Scope = ScopeWrite + ":" + scopeStatuses
ScopeAdminReadAccounts Scope = ScopeAdminRead + ":" + scopeAccounts
ScopeAdminWriteAccounts Scope = ScopeAdminWrite + ":" + scopeAccounts
- ScopeAdminReadReports Scope = ScopeAdminRead + ":" + scopeReports
- ScopeAdminWriteReports Scope = ScopeAdminWrite + ":" + scopeReports
+ ScopeAdminReadCustomEmojis Scope = ScopeAdminRead + ":" + scopeCustomEmojis
+ ScopeAdminWriteCustomEmojis Scope = ScopeAdminWrite + ":" + scopeCustomEmojis
ScopeAdminReadDomainAllows Scope = ScopeAdminRead + ":" + scopeDomainAllows
ScopeAdminWriteDomainAllows Scope = ScopeAdminWrite + ":" + scopeDomainAllows
ScopeAdminReadDomainBlocks Scope = ScopeAdminRead + ":" + scopeDomainBlocks
ScopeAdminWriteDomainBlocks Scope = ScopeAdminWrite + ":" + scopeDomainBlocks
+ ScopeAdminReadReports Scope = ScopeAdminRead + ":" + scopeReports
+ ScopeAdminWriteReports Scope = ScopeAdminWrite + ":" + scopeReports
)
// Permits returns true if the
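Review bot: The new `ScopeAdminReadCustomEmojis` and `ScopeAdminWriteCustomEmojis` constants have no comment and no visible test, yet six handlers now rely on how they relate to their parent scopes. Only the first comment line of `Permits` is inside the hunk, so it is an assumption that a token holding `admin:read` or `admin:write` still satisfies the granular scope; a table test should pin that down, and also assert that `admin:read:custom_emojis` does not satisfy `admin:read:accounts` or `admin:write:custom_emojis`. I would also add a line above the pair, for example `// GoToSocial extension: no equivalent scope in Mastodon, Akkoma or Iceshrimp.NET.`, which records the compatibility note from the commit description next to the code. `scopeCustomEmojis` is defined outside this hunk.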