[feature] Implement Mastodon-compatible roles (#3136)

* Implement Mastodon-compatible roles

- `Account.role` should only be available through verify_credentials for checking current user's permissions
- `Account.role` now carries a Mastodon-compatible permissions bitmap and a marker for whether it should be shown to the public
- `Account.roles` added for *public* display roles (undocumented but stable since Mastodon 4.1)
- Web template now uses only public display roles (no user-visible change here, we already special-cased the `user` role)

* Handle verify_credentials case for default role

* Update JSON exact-match tests

* Address review comments

* Add blocks bit to admin permissions bitmap

8 files changed, 485 insertions, 96 deletions

diff --git a/internal/api/client/accounts/accountget_test.go b/internal/api/client/accounts/accountget_test.go
new file mode 100644
index 000000000..421de0d64
--- /dev/null
+++ b/internal/api/client/accounts/accountget_test.go
@@ -0,0 +1,118 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package accounts_test
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+)
+
+type AccountGetTestSuite struct {
+	AccountStandardTestSuite
+}
+
+// accountVerifyGet calls the get account API method for a given account fixture name.
+func (suite *AccountGetTestSuite) getAccount(id string) *apimodel.Account {
+	recorder := httptest.NewRecorder()
+	ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.BasePath+"/"+id, "")
+	ctx.Params = gin.Params{
+		gin.Param{
+			Key:   accounts.IDKey,
+			Value: id,
+		},
+	}
+
+	// call the handler
+	suite.accountsModule.AccountGETHandler(ctx)
+
+	// 1. we should have OK because our request was valid
+	suite.Equal(http.StatusOK, recorder.Code)
+
+	// 2. we should have no error message in the result body
+	result := recorder.Result()
+	defer result.Body.Close()
+
+	// check the response
+	b, err := io.ReadAll(result.Body)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// unmarshal the returned account
+	apimodelAccount := &apimodel.Account{}
+	err = json.Unmarshal(b, apimodelAccount)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	return apimodelAccount
+}
+
+// Fetching the currently logged-in account shows extra info,
+// so we should see permissions, but this account is a regular user and should have no display role.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForSelf() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["local_account_1"].ID)
+
+	// Role should be set, but permissions should be empty.
+	if suite.NotNil(apimodelAccount.Role) {
+		role := apimodelAccount.Role
+		suite.Equal("user", string(role.Name))
+		suite.Zero(role.Permissions)
+	}
+
+	// Roles should not have anything in it.
+	suite.Empty(apimodelAccount.Roles)
+}
+
+// We should not see a display role for an ordinary local account.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForUserAccount() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["local_account_2"].ID)
+
+	// Role should not be set.
+	suite.Nil(apimodelAccount.Role)
+
+	// Roles should not have anything in it.
+	suite.Empty(apimodelAccount.Roles)
+}
+
+// We should be able to get a display role for an admin account.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForAdminAccount() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["admin_account"].ID)
+
+	// Role should not be set.
+	suite.Nil(apimodelAccount.Role)
+
+	// Roles should have exactly one display role.
+	if suite.Len(apimodelAccount.Roles, 1) {
+		role := apimodelAccount.Roles[0]
+		suite.Equal("admin", string(role.Name))
+		suite.NotEmpty(role.ID)
+	}
+}
+
+func TestAccountGetTestSuite(t *testing.T) {
+	suite.Run(t, new(AccountGetTestSuite))
+}
diff --git a/internal/api/client/accounts/accountverify_test.go b/internal/api/client/accounts/accountverify_test.go
index 9308cc92a..af8c2346c 100644
--- a/internal/api/client/accounts/accountverify_test.go
+++ b/internal/api/client/accounts/accountverify_test.go
@@ -19,30 +19,35 @@ package accounts_test
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 	"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 type AccountVerifyTestSuite struct {
 	AccountStandardTestSuite
 }
 
-func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
-	testAccount := suite.testAccounts["local_account_1"]
-
+// accountVerifyGet calls the verify_credentials API method for a given account fixture name.
+// Assumes token and user fixture names are the same as the account fixture name.
+func (suite *AccountVerifyTestSuite) accountVerifyGet(fixtureName string) *apimodel.Account {
 	// set up the request
 	recorder := httptest.NewRecorder()
 	ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.VerifyPath, "")
 
+	// override the account that we're authenticated as
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts[fixtureName])
+	ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens[fixtureName]))
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers[fixtureName])
+
 	// call the handler
 	suite.accountsModule.AccountVerifyGETHandler(ctx)
 
@@ -54,13 +59,27 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
 	defer result.Body.Close()
 
 	// check the response
-	b, err := ioutil.ReadAll(result.Body)
-	assert.NoError(suite.T(), err)
+	b, err := io.ReadAll(result.Body)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
 
 	// unmarshal the returned account
 	apimodelAccount := &apimodel.Account{}
 	err = json.Unmarshal(b, apimodelAccount)
-	suite.NoError(err)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	return apimodelAccount
+}
+
+// We should see public account information and profile source for a normal user.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
+	fixtureName := "local_account_1"
+	testAccount := suite.testAccounts[fixtureName]
+
+	apimodelAccount := suite.accountVerifyGet(fixtureName)
 
 	createdAt, err := time.Parse(time.RFC3339, apimodelAccount.CreatedAt)
 	suite.NoError(err)
@@ -85,6 +104,43 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
 	suite.Equal(testAccount.NoteRaw, apimodelAccount.Source.Note)
 }
 
+// testAccountVerifyGetRole calls the verify_credentials API method for a given account fixture name,
+// and checks the response for permissions appropriate to the role.
+func (suite *AccountVerifyTestSuite) testAccountVerifyGetRole(fixtureName string) {
+	testUser := suite.testUsers[fixtureName]
+
+	apimodelAccount := suite.accountVerifyGet(fixtureName)
+
+	if suite.NotNil(apimodelAccount.Role) {
+		switch {
+		case *testUser.Admin:
+			suite.Equal("admin", string(apimodelAccount.Role.Name))
+			suite.NotZero(apimodelAccount.Role.Permissions)
+			suite.True(apimodelAccount.Role.Highlighted)
+
+		case *testUser.Moderator:
+			suite.Equal("moderator", string(apimodelAccount.Role.Name))
+			suite.Zero(apimodelAccount.Role.Permissions)
+			suite.True(apimodelAccount.Role.Highlighted)
+
+		default:
+			suite.Equal("user", string(apimodelAccount.Role.Name))
+			suite.Zero(apimodelAccount.Role.Permissions)
+			suite.False(apimodelAccount.Role.Highlighted)
+		}
+	}
+}
+
+// We should see a role for a normal user, and that role should not have any permissions.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleUser() {
+	suite.testAccountVerifyGetRole("local_account_1")
+}
+
+// We should see a role for an admin user, and that role should have some permissions.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleAdmin() {
+	suite.testAccountVerifyGetRole("admin_account")
+}
+
 func TestAccountVerifyTestSuite(t *testing.T) {
 	suite.Run(t, new(AccountVerifyTestSuite))
 }
diff --git a/internal/api/client/admin/accountsgetv2_test.go b/internal/api/client/admin/accountsgetv2_test.go
index 15eb8534b..83f394803 100644
--- a/internal/api/client/admin/accountsgetv2_test.go
+++ b/internal/api/client/admin/accountsgetv2_test.go
@@ -70,7 +70,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "en",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": true,
     "approved": true,
@@ -109,10 +113,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
           "verified_at": null
         }
       ],
-      "hide_collections": true,
-      "role": {
-        "name": "user"
-      }
+      "hide_collections": true
     },
     "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
   },
@@ -127,7 +128,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "en",
     "invite_request": null,
     "role": {
-      "name": "admin"
+      "id": "admin",
+      "name": "admin",
+      "color": "",
+      "permissions": "546033",
+      "highlighted": true
     },
     "confirmed": true,
     "approved": true,
@@ -156,9 +161,13 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
       "emojis": [],
       "fields": [],
       "enable_rss": true,
-      "role": {
-        "name": "admin"
-      }
+      "roles": [
+        {
+          "id": "admin",
+          "name": "admin",
+          "color": ""
+        }
+      ]
     },
     "created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
   },
@@ -173,7 +182,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -214,7 +227,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "en",
     "invite_request": "I wanna be on this damned webbed site so bad! Please! Wow",
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": true,
     "approved": true,
@@ -244,10 +261,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
       "last_status_at": "2024-01-10T09:24:00.000Z",
       "emojis": [],
       "fields": [],
-      "enable_rss": true,
-      "role": {
-        "name": "user"
-      }
+      "enable_rss": true
     },
     "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
   },
@@ -262,7 +276,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "en",
     "invite_request": "hi, please let me in! I'm looking for somewhere neato bombeato to hang out.",
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -289,10 +307,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
       "statuses_count": 0,
       "last_status_at": null,
       "emojis": [],
-      "fields": [],
-      "role": {
-        "name": "user"
-      }
+      "fields": []
     },
     "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
   },
@@ -307,7 +322,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -348,7 +367,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -389,7 +412,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -431,7 +458,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
@@ -511,7 +542,11 @@ func (suite *AccountsGetTestSuite) TestAccountsMinID() {
     "locale": "",
     "invite_request": null,
     "role": {
-      "name": "user"
+      "id": "user",
+      "name": "user",
+      "color": "",
+      "permissions": "0",
+      "highlighted": false
     },
     "confirmed": false,
     "approved": false,
diff --git a/internal/api/client/admin/reportsget_test.go b/internal/api/client/admin/reportsget_test.go
index 5dead789a..5213dd574 100644
--- a/internal/api/client/admin/reportsget_test.go
+++ b/internal/api/client/admin/reportsget_test.go
@@ -157,7 +157,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": false,
       "approved": false,
@@ -198,7 +202,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": true,
       "approved": true,
@@ -237,10 +245,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
             "verified_at": null
           }
         ],
-        "hide_collections": true,
-        "role": {
-          "name": "user"
-        }
+        "hide_collections": true
       },
       "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
     },
@@ -255,7 +260,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "admin"
+        "id": "admin",
+        "name": "admin",
+        "color": "",
+        "permissions": "546033",
+        "highlighted": true
       },
       "confirmed": true,
       "approved": true,
@@ -284,9 +293,13 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
         "emojis": [],
         "fields": [],
         "enable_rss": true,
-        "role": {
-          "name": "admin"
-        }
+        "roles": [
+          {
+            "id": "admin",
+            "name": "admin",
+            "color": ""
+          }
+        ]
       },
       "created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
     },
@@ -301,7 +314,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "admin"
+        "id": "admin",
+        "name": "admin",
+        "color": "",
+        "permissions": "546033",
+        "highlighted": true
       },
       "confirmed": true,
       "approved": true,
@@ -330,9 +347,13 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
         "emojis": [],
         "fields": [],
         "enable_rss": true,
-        "role": {
-          "name": "admin"
-        }
+        "roles": [
+          {
+            "id": "admin",
+            "name": "admin",
+            "color": ""
+          }
+        ]
       },
       "created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
     },
@@ -360,7 +381,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": true,
       "approved": true,
@@ -399,10 +424,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
             "verified_at": null
           }
         ],
-        "hide_collections": true,
-        "role": {
-          "name": "user"
-        }
+        "hide_collections": true
       },
       "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
     },
@@ -417,7 +439,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
       "locale": "",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": false,
       "approved": false,
@@ -605,7 +631,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": true,
       "approved": true,
@@ -644,10 +674,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
             "verified_at": null
           }
         ],
-        "hide_collections": true,
-        "role": {
-          "name": "user"
-        }
+        "hide_collections": true
       },
       "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
     },
@@ -662,7 +689,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
       "locale": "",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": false,
       "approved": false,
@@ -850,7 +881,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
       "locale": "en",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": true,
       "approved": true,
@@ -889,10 +924,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
             "verified_at": null
           }
         ],
-        "hide_collections": true,
-        "role": {
-          "name": "user"
-        }
+        "hide_collections": true
       },
       "created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
     },
@@ -907,7 +939,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
       "locale": "",
       "invite_request": null,
       "role": {
-        "name": "user"
+        "id": "user",
+        "name": "user",
+        "color": "",
+        "permissions": "0",
+        "highlighted": false
       },
       "confirmed": false,
       "approved": false,
diff --git a/internal/api/client/instance/instancepatch_test.go b/internal/api/client/instance/instancepatch_test.go
index 095e2e543..f12638f82 100644
--- a/internal/api/client/instance/instancepatch_test.go
+++ b/internal/api/client/instance/instancepatch_test.go
@@ -176,9 +176,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch1() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
@@ -312,9 +316,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch2() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
@@ -448,9 +456,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch3() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
@@ -635,9 +647,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch6() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
@@ -797,9 +813,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch8() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
@@ -970,9 +990,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch9() {
     "emojis": [],
     "fields": [],
     "enable_rss": true,
-    "role": {
-      "name": "admin"
-    }
+    "roles": [
+      {
+        "id": "admin",
+        "name": "admin",
+        "color": ""
+      }
+    ]
   },
   "max_toot_chars": 5000,
   "rules": [
diff --git a/internal/api/client/statuses/statushistory_test.go b/internal/api/client/statuses/statushistory_test.go
index cadf3cb72..bcbeeba7d 100644
--- a/internal/api/client/statuses/statushistory_test.go
+++ b/internal/api/client/statuses/statushistory_test.go
@@ -118,10 +118,7 @@ func (suite *StatusHistoryTestSuite) TestGetHistory() {
       "last_status_at": "2024-01-10T09:24:00.000Z",
       "emojis": [],
       "fields": [],
-      "enable_rss": true,
-      "role": {
-        "name": "user"
-      }
+      "enable_rss": true
     },
     "poll": null,
     "media_attachments": [],
diff --git a/internal/api/client/statuses/statusmute_test.go b/internal/api/client/statuses/statusmute_test.go
index 62be671fa..e506f8717 100644
--- a/internal/api/client/statuses/statusmute_test.go
+++ b/internal/api/client/statuses/statusmute_test.go
@@ -136,10 +136,7 @@ func (suite *StatusMuteTestSuite) TestMuteUnmuteStatus() {
     "last_status_at": "2024-01-10T09:24:00.000Z",
     "emojis": [],
     "fields": [],
-    "enable_rss": true,
-    "role": {
-      "name": "user"
-    }
+    "enable_rss": true
   },
   "media_attachments": [],
   "mentions": [],
@@ -224,10 +221,7 @@ func (suite *StatusMuteTestSuite) TestMuteUnmuteStatus() {
     "last_status_at": "2024-01-10T09:24:00.000Z",
     "emojis": [],
     "fields": [],
-    "enable_rss": true,
-    "role": {
-      "name": "user"
-    }
+    "enable_rss": true
   },
   "media_attachments": [],
   "mentions": [],
diff --git a/internal/api/model/account.go b/internal/api/model/account.go
index c5b629db0..0eaf52734 100644
--- a/internal/api/model/account.go
+++ b/internal/api/model/account.go
@@ -18,8 +18,11 @@
 package model
 
 import (
+	"encoding/json"
+	"errors"
 	"mime/multipart"
 	"net"
+	"strconv"
 )
 
 // Account models a fediverse account.
@@ -105,8 +108,13 @@ type Account struct {
 	// Key/value omitted if false.
 	HideCollections bool `json:"hide_collections,omitempty"`
 	// Role of the account on this instance.
+	// Only available through the `verify_credentials` API method.
 	// Key/value omitted for remote accounts.
 	Role *AccountRole `json:"role,omitempty"`
+	// Roles lists the public roles of the account on this instance.
+	// Unlike Role, this is always available, but never includes permissions details.
+	// Key/value omitted for remote accounts.
+	Roles []AccountDisplayRole `json:"roles,omitempty"`
 	// If set, indicates that this account is currently inactive, and has migrated to the given account.
 	// Key/value omitted for accounts that haven't moved, and for suspended accounts.
 	Moved *Account `json:"moved,omitempty"`
@@ -286,11 +294,35 @@ type AccountAliasRequest struct {
 	AlsoKnownAsURIs []string `form:"also_known_as_uris" json:"also_known_as_uris" xml:"also_known_as_uris"`
 }
 
+// AccountDisplayRole models a public, displayable role of an account.
+// This is a subset of AccountRole.
+//
+// swagger:model accountDisplayRole
+type AccountDisplayRole struct {
+	// ID of the role.
+	// Not used by GotoSocial, but we set it to the role name, just in case a client expects a unique ID.
+	ID string `json:"id"`
+
+	// Name of the role.
+	Name AccountRoleName `json:"name"`
+
+	// Color is a 6-digit CSS-style hex color code with leading `#`, or an empty string if this role has no color.
+	// Since GotoSocial doesn't use role colors, we leave this empty.
+	Color string `json:"color"`
+}
+
 // AccountRole models the role of an account.
 //
 // swagger:model accountRole
 type AccountRole struct {
-	Name AccountRoleName `json:"name"`
+	AccountDisplayRole
+
+	// Permissions is a bitmap serialized as a numeric string, indicating which admin/moderation actions a user can perform.
+	Permissions AccountRolePermissions `json:"permissions"`
+
+	// Highlighted indicates whether the role is publicly visible on the user profile.
+	// This is always true for GotoSocial's built-in admin and moderator roles, and false otherwise.
+	Highlighted bool `json:"highlighted"`
 }
 
 // AccountRoleName represent the name of the role of an account.
@@ -305,6 +337,103 @@ const (
 	AccountRoleUnknown   AccountRoleName = ""          // We don't know / remote account
 )
 
+// AccountRolePermissions is a bitmap representing a set of user permissions.
+// It's used for Mastodon API compatibility: internally, GotoSocial only tracks admins and moderators.
+//
+// swagger:type string
+type AccountRolePermissions int
+
+// MarshalJSON serializes an AccountRolePermissions as a numeric string.
+func (a *AccountRolePermissions) MarshalJSON() ([]byte, error) {
+	return json.Marshal(strconv.Itoa(int(*a)))
+}
+
+// UnmarshalJSON deserializes an AccountRolePermissions from a number or numeric string.
+func (a *AccountRolePermissions) UnmarshalJSON(b []byte) error {
+	if string(b) == "null" {
+		return nil
+	}
+
+	i := 0
+	if err := json.Unmarshal(b, &i); err != nil {
+		s := ""
+		if err := json.Unmarshal(b, &s); err != nil {
+			return errors.New("not a number or string")
+		}
+
+		i, err = strconv.Atoi(s)
+		if err != nil {
+			return errors.New("not a numeric string")
+		}
+	}
+
+	*a = AccountRolePermissions(i)
+	return nil
+}
+
+const (
+	// AccountRolePermissionsNone represents an empty set of permissions.
+	AccountRolePermissionsNone AccountRolePermissions = 0
+	// AccountRolePermissionsAdministrator ignores all permission checks.
+	AccountRolePermissionsAdministrator AccountRolePermissions = 1 << (iota - 1)
+	// AccountRolePermissionsDevops is not used by GotoSocial.
+	AccountRolePermissionsDevops
+	// AccountRolePermissionsViewAuditLog is not used by GotoSocial.
+	AccountRolePermissionsViewAuditLog
+	// AccountRolePermissionsViewDashboard is not used by GotoSocial.
+	AccountRolePermissionsViewDashboard
+	// AccountRolePermissionsManageReports indicates that the user can view and resolve reports.
+	AccountRolePermissionsManageReports
+	// AccountRolePermissionsManageFederation indicates that the user can edit federation allows and blocks.
+	AccountRolePermissionsManageFederation
+	// AccountRolePermissionsManageSettings indicates that the user can edit instance metadata.
+	AccountRolePermissionsManageSettings
+	// AccountRolePermissionsManageBlocks indicates that the user can manage non-federation blocks, currently including HTTP header blocks.
+	AccountRolePermissionsManageBlocks
+	// AccountRolePermissionsManageTaxonomies is not used by GotoSocial.
+	AccountRolePermissionsManageTaxonomies
+	// AccountRolePermissionsManageAppeals is not used by GotoSocial.
+	AccountRolePermissionsManageAppeals
+	// AccountRolePermissionsManageUsers indicates that the user can view user details and perform user moderation actions.
+	AccountRolePermissionsManageUsers
+	// AccountRolePermissionsManageInvites is not used by GotoSocial.
+	AccountRolePermissionsManageInvites
+	// AccountRolePermissionsManageRules indicates that the user can edit instance rules.
+	AccountRolePermissionsManageRules
+	// AccountRolePermissionsManageAnnouncements is not used by GotoSocial.
+	AccountRolePermissionsManageAnnouncements
+	// AccountRolePermissionsManageCustomEmojis indicates that the user can edit custom emoji.
+	AccountRolePermissionsManageCustomEmojis
+	// AccountRolePermissionsManageWebhooks is not used by GotoSocial.
+	AccountRolePermissionsManageWebhooks
+	// AccountRolePermissionsInviteUsers is not used by GotoSocial.
+	AccountRolePermissionsInviteUsers
+	// AccountRolePermissionsManageRoles is not used by GotoSocial.
+	AccountRolePermissionsManageRoles
+	// AccountRolePermissionsManageUserAccess is not used by GotoSocial.
+	AccountRolePermissionsManageUserAccess
+	// AccountRolePermissionsDeleteUserData indicates that the user can permanently delete user data.
+	AccountRolePermissionsDeleteUserData
+
+	// FUTURE: If we decide to assign our own permissions bits,
+	// they should start at the other end of the int to avoid conflicts with future Mastodon permissions.
+
+	// AccountRolePermissionsForAdminRole includes all of the permissions assigned to GotoSocial's built-in administrator role.
+	AccountRolePermissionsForAdminRole = AccountRolePermissionsAdministrator |
+		AccountRolePermissionsManageReports |
+		AccountRolePermissionsManageFederation |
+		AccountRolePermissionsManageSettings |
+		AccountRolePermissionsManageBlocks |
+		AccountRolePermissionsManageUsers |
+		AccountRolePermissionsManageRules |
+		AccountRolePermissionsManageCustomEmojis |
+		AccountRolePermissionsDeleteUserData
+
+	// AccountRolePermissionsForModeratorRole includes all of the permissions assigned to GotoSocial's built-in moderator role.
+	// (Currently, there aren't any.)
+	AccountRolePermissionsForModeratorRole = AccountRolePermissionsNone
+)
+
 // AccountNoteRequest models a request to update the private note for an account.
 //
 // swagger:ignore