From a2fcfc78c9dcf33081db47292d96ffa7c7709abb Mon Sep 17 00:00:00 2001
From: Stephanie Wilde-Hobbs <steph@rx14.co.uk>
Date: Tue, 12 May 2020 21:07:33 +0100
Subject: [PATCH] Filter config descriptions by config whitelist

---
 lib/pleroma/docs/json.ex                      |  1 -
 .../web/admin_api/admin_api_controller.ex     | 19 +++++--
 .../admin_api/admin_api_controller_test.exs   | 51 +++++++++++++++----
 3 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/lib/pleroma/docs/json.ex b/lib/pleroma/docs/json.ex
index 74f8b2615..d1cf1f487 100644
--- a/lib/pleroma/docs/json.ex
+++ b/lib/pleroma/docs/json.ex
@@ -18,7 +18,6 @@ defmodule Pleroma.Docs.JSON do
     with config <- Pleroma.Config.Loader.read("config/description.exs") do
       config[:pleroma][:config_description]
       |> Pleroma.Docs.Generator.convert_to_strings()
-      |> Jason.encode!()
     end
   end
 end
diff --git a/lib/pleroma/web/admin_api/admin_api_controller.ex b/lib/pleroma/web/admin_api/admin_api_controller.ex
index 9c5fbfc5d..fa064a8c7 100644
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@@ -37,7 +37,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
 
   require Logger
 
-  @descriptions_json Pleroma.Docs.JSON.compile()
+  @descriptions Pleroma.Docs.JSON.compile()
   @users_page_size 50
 
   plug(
@@ -892,9 +892,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
   end
 
   def config_descriptions(conn, _params) do
+    descriptions_json =
+      @descriptions
+      |> Enum.filter(&whitelisted_config?/1)
+      |> Jason.encode!()
+
     conn
     |> Plug.Conn.put_resp_content_type("application/json")
-    |> Plug.Conn.send_resp(200, @descriptions_json)
+    |> Plug.Conn.send_resp(200, descriptions_json)
   end
 
   def config_show(conn, %{"only_db" => true}) do
@@ -1012,7 +1017,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
     end
   end
 
-  defp whitelisted_config?(%{"group" => group, "key" => key}) do
+  defp whitelisted_config?(group, key) do
     if whitelisted_configs = Config.get(:database_config_whitelist) do
       Enum.any?(whitelisted_configs, fn {whitelisted_group, whitelisted_key} ->
         group == inspect(whitelisted_group) && key == inspect(whitelisted_key)
@@ -1022,6 +1027,14 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
     end
   end
 
+  defp whitelisted_config?(%{"group" => group, "key" => key}) do
+    whitelisted_config?(group, key)
+  end
+
+  defp whitelisted_config?(%{:group => group} = config) do
+    whitelisted_config?(group, config[:key])
+  end
+
   def reload_emoji(conn, _params) do
     Pleroma.Emoji.reload()
 
diff --git a/test/web/admin_api/admin_api_controller_test.exs b/test/web/admin_api/admin_api_controller_test.exs
index 31e73d6a5..7d42a400c 100644
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@@ -3604,19 +3604,50 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     end
   end
 
-  test "GET /api/pleroma/admin/config/descriptions", %{conn: conn} do
-    admin = insert(:user, is_admin: true)
+  describe "GET /api/pleroma/admin/config/descriptions" do
+    test "structure", %{conn: conn} do
+      admin = insert(:user, is_admin: true)
 
-    conn =
-      assign(conn, :user, admin)
-      |> get("/api/pleroma/admin/config/descriptions")
+      conn =
+        assign(conn, :user, admin)
+        |> get("/api/pleroma/admin/config/descriptions")
 
-    assert [child | _others] = json_response(conn, 200)
+      assert [child | _others] = json_response(conn, 200)
 
-    assert child["children"]
-    assert child["key"]
-    assert String.starts_with?(child["group"], ":")
-    assert child["description"]
+      assert child["children"]
+      assert child["key"]
+      assert String.starts_with?(child["group"], ":")
+      assert child["description"]
+    end
+
+    test "filters by database configuration whitelist", %{conn: conn} do
+      clear_config(:database_config_whitelist, [
+        {:pleroma, :instance},
+        {:pleroma, :activitypub},
+        {:pleroma, Pleroma.Upload}
+      ])
+
+      admin = insert(:user, is_admin: true)
+
+      conn =
+        assign(conn, :user, admin)
+        |> get("/api/pleroma/admin/config/descriptions")
+
+      children = json_response(conn, 200)
+
+      assert length(children) == 3
+
+      assert Enum.all?(children, fn c -> c["group"] == ":pleroma" end)
+
+      instance = Enum.find(children, fn c -> c["key"] == ":instance" end)
+      assert instance["children"]
+
+      activitypub = Enum.find(children, fn c -> c["key"] == ":activitypub" end)
+      assert activitypub["children"]
+
+      web_endpoint = Enum.find(children, fn c -> c["key"] == "Pleroma.Upload" end)
+      assert web_endpoint["children"]
+    end
   end
 
   describe "/api/pleroma/admin/stats" do