Merge pull request from GHSA-7pxq-6xx9-xpgm

* fix: fix improper authorization when accessing with third-party application * refactor: refactor type definitions * fix: get rid of unnecessary access limitation * enhance: サードパーティアプリケーションがWebsocket APIを使えるように * fix: add missing parentheses * Revert "fix(backend): add missing kind definition for admin endpoints to improve security" This reverts commit 5150053275594278e9eb23e72d98b16593c4c230. * frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする * enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加 * enhance(test): Websocket APIに対するテストも追加 * enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合 * fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正 * enhance(backend): Websocketの接続に最低限必要な権限を変更 * fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように * fix(backend): エンドポイントにアクセスするために必要な権限を変更 * fix(frontend/locale): Add missing type declaration * chore: update `misskey-js/src/autogen` --------- Co-authored-by: tamaina <tamaina@hotmail.co.jp>
author: Chocolate Pie <106949016+chocolate-pie@users.noreply.github.com> 2023-12-27 15:08:59 +0900
committer: GitHub <noreply@github.com> 2023-12-27 15:08:59 +0900
commit: c96bc36fedc804dc840ea791a9355d7df0748e64 (patch)
tree: 127f0cc1478cb0248aa03b39e07f051423244c6c /packages/frontend/src/components/MkTokenGenerateWindow.vue
parent: chore(frontend): update team members (diff)
download: sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.gz
sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.bz2
sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.zip
1 files changed, 5 insertions, 4 deletions
diff --git a/packages/frontend/src/components/MkTokenGenerateWindow.vue b/packages/frontend/src/components/MkTokenGenerateWindow.vue
index f5fa86a908..8e8e26ed5f 100644
--- a/packages/frontend/src/components/MkTokenGenerateWindow.vue
+++ b/packages/frontend/src/components/MkTokenGenerateWindow.vue
@@ -33,7 +33,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<MkButton inline @click="enableAll">{{ i18n.ts.enableAll }}</MkButton>
 			</div>
 			<div class="_gaps_s">
-				<MkSwitch v-for="kind in (initialPermissions || Misskey.permissions)" :key="kind" v-model="permissions[kind]">{{ i18n.t(`_permissions.${kind}`) }}</MkSwitch>
+				<MkSwitch v-for="kind in Object.keys(permissions)" :key="kind" v-model="permissions[kind]">{{ i18n.t(`_permissions.${kind}`) }}</MkSwitch>
 			</div>
 		</div>
 	</MkSpacer>
@@ -54,7 +54,7 @@ const props = withDefaults(defineProps<{
 	title?: string | null;
 	information?: string | null;
 	initialName?: string | null;
-	initialPermissions?: string[] | null;
+	initialPermissions?: (typeof Misskey.permissions)[number][] | null;
 }>(), {
 	title: null,
 	information: null,
@@ -67,16 +67,17 @@ const emit = defineEmits<{
 	(ev: 'done', result: { name: string | null, permissions: string[] }): void;
 }>();
 
+const defaultPermissions = Misskey.permissions.filter(p => !p.startsWith('read:admin') && !p.startsWith('write:admin'));
 const dialog = shallowRef<InstanceType<typeof MkModalWindow>>();
 const name = ref(props.initialName);
-const permissions = ref({});
+const permissions = ref(<Record<(typeof Misskey.permissions)[number], boolean>>{});
 
 if (props.initialPermissions) {
 	for (const kind of props.initialPermissions) {
 		permissions.value[kind] = true;
 	}
 } else {
-	for (const kind of Misskey.permissions) {
+	for (const kind of defaultPermissions) {
 		permissions.value[kind] = false;
 	}
 }
author	Chocolate Pie <106949016+chocolate-pie@users.noreply.github.com>	2023-12-27 15:08:59 +0900
committer	GitHub <noreply@github.com>	2023-12-27 15:08:59 +0900
commit	c96bc36fedc804dc840ea791a9355d7df0748e64 (patch)
tree	127f0cc1478cb0248aa03b39e07f051423244c6c /packages/frontend/src/components/MkTokenGenerateWindow.vue
parent	chore(frontend): update team members (diff)
download	sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.gz sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.tar.bz2 sharkey-c96bc36fedc804dc840ea791a9355d7df0748e64.zip