add: allow mods to remove associations

2025-08-10 22:26:13 -04:00 · 2025-08-10 22:26:13 -04:00 · ba319130d2
commit ba319130d2
parent bcee3f7763
4 changed files with 64 additions and 12 deletions
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@ -283,7 +283,7 @@ pub async fn remove_applied_configuration_request(
 }

 /// Append associations to the current user.
-pub async fn append_associations_request(
+pub async fn append_association_request(
    jar: CookieJar,
    Extension(data): Extension<State>,
    Json(req): Json<AppendAssociations>,
@ -331,6 +331,50 @@ pub async fn append_associations_request(
    }
 }

+/// Remove an association from the given user.
+pub async fn remove_association_request(
+    jar: CookieJar,
+    Extension(data): Extension<State>,
+    Path((uid, association)): Path<(usize, usize)>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match get_user_from_token!(jar, data, oauth::AppScope::UserManageProfile) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    if !user.permissions.check(FinePermission::MANAGE_USERS) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // get user
+    let mut other_user = match data.get_user_by_id(uid).await {
+        Ok(x) => x,
+        Err(e) => return Json(e.into()),
+    };
+
+    // find association and remove
+    other_user.associated.remove(
+        match other_user.associated.iter().position(|x| x == &association) {
+            Some(x) => x,
+            None => return Json(Error::GeneralNotFound("association".to_string()).into()),
+        },
+    );
+
+    // ...
+    match data
+        .update_user_associated(other_user.id, other_user.associated)
+        .await
+    {
+        Ok(_) => Json(ApiReturn {
+            ok: true,
+            message: "Associations updated".to_string(),
+            payload: (),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
 /// Update the password of the given user.
 ///
 /// Does not support third-party grants.
--- a/crates/app/src/routes/api/v1/mod.rs
+++ b/crates/app/src/routes/api/v1/mod.rs
@ -397,6 +397,10 @@ pub fn routes() -> Router {
            "/auth/user/{id}/totp/codes",
            post(auth::profile::refresh_totp_codes_request),
        )
+        .route(
+            "/auth/user/{id}/associations/{association}",
+            delete(auth::profile::remove_association_request),
+        )
        .route(
            "/auth/user/{username}/totp/check",
            get(auth::profile::has_totp_enabled_request),
@ -404,7 +408,7 @@ pub fn routes() -> Router {
        .route("/auth/user/me/seen", post(auth::profile::seen_request))
        .route(
            "/auth/user/me/append_associations",
-            put(auth::profile::append_associations_request),
+            put(auth::profile::append_association_request),
        )
        .route("/auth/user/find/{id}", get(auth::profile::redirect_from_id))
        .route(