[feature] Implement Mastodon-compatible roles (#3136)

* Implement Mastodon-compatible roles

- `Account.role` should only be available through verify_credentials for checking current user's permissions
- `Account.role` now carries a Mastodon-compatible permissions bitmap and a marker for whether it should be shown to the public
- `Account.roles` added for *public* display roles (undocumented but stable since Mastodon 4.1)
- Web template now uses only public display roles (no user-visible change here, we already special-cased the `user` role)

* Handle verify_credentials case for default role

* Update JSON exact-match tests

* Address review comments

* Add blocks bit to admin permissions bitmap
This commit is contained in:
Vyr Cossont 2024-07-31 09:26:09 -07:00 committed by GitHub
parent 2f7d654380
commit fd837776e2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 765 additions and 209 deletions

View File

@ -304,6 +304,15 @@ definitions:
x-go-name: Note
role:
$ref: '#/definitions/accountRole'
roles:
description: |-
Roles lists the public roles of the account on this instance.
Unlike Role, this is always available, but never includes permissions details.
Key/value omitted for remote accounts.
items:
$ref: '#/definitions/accountDisplayRole'
type: array
x-go-name: Roles
source:
$ref: '#/definitions/Source'
statuses_count:
@ -333,6 +342,29 @@ definitions:
type: object
x-go-name: Account
x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
accountDisplayRole:
description: This is a subset of AccountRole.
properties:
color:
description: |-
Color is a 6-digit CSS-style hex color code with leading `#`, or an empty string if this role has no color.
Since GotoSocial doesn't use role colors, we leave this empty.
type: string
x-go-name: Color
id:
description: |-
ID of the role.
Not used by GotoSocial, but we set it to the role name, just in case a client expects a unique ID.
type: string
x-go-name: ID
name:
description: Name of the role.
type: string
x-go-name: Name
title: AccountDisplayRole models a public, displayable role of an account.
type: object
x-go-name: AccountDisplayRole
x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
accountExportStats:
description: |-
AccountExportStats models an account's stats
@ -448,9 +480,32 @@ definitions:
x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
accountRole:
properties:
color:
description: |-
Color is a 6-digit CSS-style hex color code with leading `#`, or an empty string if this role has no color.
Since GotoSocial doesn't use role colors, we leave this empty.
type: string
x-go-name: Color
highlighted:
description: |-
Highlighted indicates whether the role is publicly visible on the user profile.
This is always true for GotoSocial's built-in admin and moderator roles, and false otherwise.
type: boolean
x-go-name: Highlighted
id:
description: |-
ID of the role.
Not used by GotoSocial, but we set it to the role name, just in case a client expects a unique ID.
type: string
x-go-name: ID
name:
description: Name of the role.
type: string
x-go-name: Name
permissions:
description: Permissions is a bitmap serialized as a numeric string, indicating which admin/moderation actions a user can perform.
type: string
x-go-name: Permissions
title: AccountRole models the role of an account.
type: object
x-go-name: AccountRole
@ -2209,6 +2264,15 @@ definitions:
x-go-name: Note
role:
$ref: '#/definitions/accountRole'
roles:
description: |-
Roles lists the public roles of the account on this instance.
Unlike Role, this is always available, but never includes permissions details.
Key/value omitted for remote accounts.
items:
$ref: '#/definitions/accountDisplayRole'
type: array
x-go-name: Roles
source:
$ref: '#/definitions/Source'
statuses_count:

View File

@ -0,0 +1,118 @@
// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package accounts_test
import (
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/suite"
"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
)
type AccountGetTestSuite struct {
AccountStandardTestSuite
}
// accountVerifyGet calls the get account API method for a given account fixture name.
func (suite *AccountGetTestSuite) getAccount(id string) *apimodel.Account {
recorder := httptest.NewRecorder()
ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.BasePath+"/"+id, "")
ctx.Params = gin.Params{
gin.Param{
Key: accounts.IDKey,
Value: id,
},
}
// call the handler
suite.accountsModule.AccountGETHandler(ctx)
// 1. we should have OK because our request was valid
suite.Equal(http.StatusOK, recorder.Code)
// 2. we should have no error message in the result body
result := recorder.Result()
defer result.Body.Close()
// check the response
b, err := io.ReadAll(result.Body)
if err != nil {
suite.FailNow(err.Error())
}
// unmarshal the returned account
apimodelAccount := &apimodel.Account{}
err = json.Unmarshal(b, apimodelAccount)
if err != nil {
suite.FailNow(err.Error())
}
return apimodelAccount
}
// Fetching the currently logged-in account shows extra info,
// so we should see permissions, but this account is a regular user and should have no display role.
func (suite *AccountGetTestSuite) TestGetDisplayRoleForSelf() {
apimodelAccount := suite.getAccount(suite.testAccounts["local_account_1"].ID)
// Role should be set, but permissions should be empty.
if suite.NotNil(apimodelAccount.Role) {
role := apimodelAccount.Role
suite.Equal("user", string(role.Name))
suite.Zero(role.Permissions)
}
// Roles should not have anything in it.
suite.Empty(apimodelAccount.Roles)
}
// We should not see a display role for an ordinary local account.
func (suite *AccountGetTestSuite) TestGetDisplayRoleForUserAccount() {
apimodelAccount := suite.getAccount(suite.testAccounts["local_account_2"].ID)
// Role should not be set.
suite.Nil(apimodelAccount.Role)
// Roles should not have anything in it.
suite.Empty(apimodelAccount.Roles)
}
// We should be able to get a display role for an admin account.
func (suite *AccountGetTestSuite) TestGetDisplayRoleForAdminAccount() {
apimodelAccount := suite.getAccount(suite.testAccounts["admin_account"].ID)
// Role should not be set.
suite.Nil(apimodelAccount.Role)
// Roles should have exactly one display role.
if suite.Len(apimodelAccount.Roles, 1) {
role := apimodelAccount.Roles[0]
suite.Equal("admin", string(role.Name))
suite.NotEmpty(role.ID)
}
}
func TestAccountGetTestSuite(t *testing.T) {
suite.Run(t, new(AccountGetTestSuite))
}

View File

@ -19,30 +19,35 @@ package accounts_test
import (
"encoding/json"
"io/ioutil"
"io"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/suite"
"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
)
type AccountVerifyTestSuite struct {
AccountStandardTestSuite
}
func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
testAccount := suite.testAccounts["local_account_1"]
// accountVerifyGet calls the verify_credentials API method for a given account fixture name.
// Assumes token and user fixture names are the same as the account fixture name.
func (suite *AccountVerifyTestSuite) accountVerifyGet(fixtureName string) *apimodel.Account {
// set up the request
recorder := httptest.NewRecorder()
ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.VerifyPath, "")
// override the account that we're authenticated as
ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts[fixtureName])
ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens[fixtureName]))
ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers[fixtureName])
// call the handler
suite.accountsModule.AccountVerifyGETHandler(ctx)
@ -54,13 +59,27 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
defer result.Body.Close()
// check the response
b, err := ioutil.ReadAll(result.Body)
assert.NoError(suite.T(), err)
b, err := io.ReadAll(result.Body)
if err != nil {
suite.FailNow(err.Error())
}
// unmarshal the returned account
apimodelAccount := &apimodel.Account{}
err = json.Unmarshal(b, apimodelAccount)
suite.NoError(err)
if err != nil {
suite.FailNow(err.Error())
}
return apimodelAccount
}
// We should see public account information and profile source for a normal user.
func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
fixtureName := "local_account_1"
testAccount := suite.testAccounts[fixtureName]
apimodelAccount := suite.accountVerifyGet(fixtureName)
createdAt, err := time.Parse(time.RFC3339, apimodelAccount.CreatedAt)
suite.NoError(err)
@ -85,6 +104,43 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
suite.Equal(testAccount.NoteRaw, apimodelAccount.Source.Note)
}
// testAccountVerifyGetRole calls the verify_credentials API method for a given account fixture name,
// and checks the response for permissions appropriate to the role.
func (suite *AccountVerifyTestSuite) testAccountVerifyGetRole(fixtureName string) {
testUser := suite.testUsers[fixtureName]
apimodelAccount := suite.accountVerifyGet(fixtureName)
if suite.NotNil(apimodelAccount.Role) {
switch {
case *testUser.Admin:
suite.Equal("admin", string(apimodelAccount.Role.Name))
suite.NotZero(apimodelAccount.Role.Permissions)
suite.True(apimodelAccount.Role.Highlighted)
case *testUser.Moderator:
suite.Equal("moderator", string(apimodelAccount.Role.Name))
suite.Zero(apimodelAccount.Role.Permissions)
suite.True(apimodelAccount.Role.Highlighted)
default:
suite.Equal("user", string(apimodelAccount.Role.Name))
suite.Zero(apimodelAccount.Role.Permissions)
suite.False(apimodelAccount.Role.Highlighted)
}
}
}
// We should see a role for a normal user, and that role should not have any permissions.
func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleUser() {
suite.testAccountVerifyGetRole("local_account_1")
}
// We should see a role for an admin user, and that role should have some permissions.
func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleAdmin() {
suite.testAccountVerifyGetRole("admin_account")
}
func TestAccountVerifyTestSuite(t *testing.T) {
suite.Run(t, new(AccountVerifyTestSuite))
}

View File

@ -70,7 +70,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -109,10 +113,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -127,7 +128,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -156,9 +161,13 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -173,7 +182,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -214,7 +227,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "en",
"invite_request": "I wanna be on this damned webbed site so bad! Please! Wow",
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -244,10 +261,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -262,7 +276,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "en",
"invite_request": "hi, please let me in! I'm looking for somewhere neato bombeato to hang out.",
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -289,10 +307,7 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"statuses_count": 0,
"last_status_at": null,
"emojis": [],
"fields": [],
"role": {
"name": "user"
}
"fields": []
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -307,7 +322,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -348,7 +367,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -389,7 +412,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -431,7 +458,11 @@ func (suite *AccountsGetTestSuite) TestAccountsGetFromTop() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -511,7 +542,11 @@ func (suite *AccountsGetTestSuite) TestAccountsMinID() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,

View File

@ -157,7 +157,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -198,7 +202,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -237,10 +245,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -255,7 +260,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -284,9 +293,13 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -301,7 +314,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -330,9 +347,13 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -360,7 +381,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -399,10 +424,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -417,7 +439,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetAll() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -605,7 +631,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -644,10 +674,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -662,7 +689,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetCreatedByAccount() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -850,7 +881,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -889,10 +924,7 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -907,7 +939,11 @@ func (suite *ReportsGetTestSuite) TestReportsGetTargetAccount() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,

View File

@ -176,9 +176,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch1() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [
@ -312,9 +316,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch2() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [
@ -448,9 +456,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch3() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [
@ -635,9 +647,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch6() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [
@ -797,9 +813,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch8() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [
@ -970,9 +990,13 @@ func (suite *InstancePatchTestSuite) TestInstancePatch9() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [

View File

@ -118,10 +118,7 @@ func (suite *StatusHistoryTestSuite) TestGetHistory() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"poll": null,
"media_attachments": [],

View File

@ -136,10 +136,7 @@ func (suite *StatusMuteTestSuite) TestMuteUnmuteStatus() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"media_attachments": [],
"mentions": [],
@ -224,10 +221,7 @@ func (suite *StatusMuteTestSuite) TestMuteUnmuteStatus() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"media_attachments": [],
"mentions": [],

View File

@ -18,8 +18,11 @@
package model
import (
"encoding/json"
"errors"
"mime/multipart"
"net"
"strconv"
)
// Account models a fediverse account.
@ -105,8 +108,13 @@ type Account struct {
// Key/value omitted if false.
HideCollections bool `json:"hide_collections,omitempty"`
// Role of the account on this instance.
// Only available through the `verify_credentials` API method.
// Key/value omitted for remote accounts.
Role *AccountRole `json:"role,omitempty"`
// Roles lists the public roles of the account on this instance.
// Unlike Role, this is always available, but never includes permissions details.
// Key/value omitted for remote accounts.
Roles []AccountDisplayRole `json:"roles,omitempty"`
// If set, indicates that this account is currently inactive, and has migrated to the given account.
// Key/value omitted for accounts that haven't moved, and for suspended accounts.
Moved *Account `json:"moved,omitempty"`
@ -286,11 +294,35 @@ type AccountAliasRequest struct {
AlsoKnownAsURIs []string `form:"also_known_as_uris" json:"also_known_as_uris" xml:"also_known_as_uris"`
}
// AccountDisplayRole models a public, displayable role of an account.
// This is a subset of AccountRole.
//
// swagger:model accountDisplayRole
type AccountDisplayRole struct {
// ID of the role.
// Not used by GotoSocial, but we set it to the role name, just in case a client expects a unique ID.
ID string `json:"id"`
// Name of the role.
Name AccountRoleName `json:"name"`
// Color is a 6-digit CSS-style hex color code with leading `#`, or an empty string if this role has no color.
// Since GotoSocial doesn't use role colors, we leave this empty.
Color string `json:"color"`
}
// AccountRole models the role of an account.
//
// swagger:model accountRole
type AccountRole struct {
Name AccountRoleName `json:"name"`
AccountDisplayRole
// Permissions is a bitmap serialized as a numeric string, indicating which admin/moderation actions a user can perform.
Permissions AccountRolePermissions `json:"permissions"`
// Highlighted indicates whether the role is publicly visible on the user profile.
// This is always true for GotoSocial's built-in admin and moderator roles, and false otherwise.
Highlighted bool `json:"highlighted"`
}
// AccountRoleName represent the name of the role of an account.
@ -305,6 +337,103 @@ const (
AccountRoleUnknown AccountRoleName = "" // We don't know / remote account
)
// AccountRolePermissions is a bitmap representing a set of user permissions.
// It's used for Mastodon API compatibility: internally, GotoSocial only tracks admins and moderators.
//
// swagger:type string
type AccountRolePermissions int
// MarshalJSON serializes an AccountRolePermissions as a numeric string.
func (a *AccountRolePermissions) MarshalJSON() ([]byte, error) {
return json.Marshal(strconv.Itoa(int(*a)))
}
// UnmarshalJSON deserializes an AccountRolePermissions from a number or numeric string.
func (a *AccountRolePermissions) UnmarshalJSON(b []byte) error {
if string(b) == "null" {
return nil
}
i := 0
if err := json.Unmarshal(b, &i); err != nil {
s := ""
if err := json.Unmarshal(b, &s); err != nil {
return errors.New("not a number or string")
}
i, err = strconv.Atoi(s)
if err != nil {
return errors.New("not a numeric string")
}
}
*a = AccountRolePermissions(i)
return nil
}
const (
// AccountRolePermissionsNone represents an empty set of permissions.
AccountRolePermissionsNone AccountRolePermissions = 0
// AccountRolePermissionsAdministrator ignores all permission checks.
AccountRolePermissionsAdministrator AccountRolePermissions = 1 << (iota - 1)
// AccountRolePermissionsDevops is not used by GotoSocial.
AccountRolePermissionsDevops
// AccountRolePermissionsViewAuditLog is not used by GotoSocial.
AccountRolePermissionsViewAuditLog
// AccountRolePermissionsViewDashboard is not used by GotoSocial.
AccountRolePermissionsViewDashboard
// AccountRolePermissionsManageReports indicates that the user can view and resolve reports.
AccountRolePermissionsManageReports
// AccountRolePermissionsManageFederation indicates that the user can edit federation allows and blocks.
AccountRolePermissionsManageFederation
// AccountRolePermissionsManageSettings indicates that the user can edit instance metadata.
AccountRolePermissionsManageSettings
// AccountRolePermissionsManageBlocks indicates that the user can manage non-federation blocks, currently including HTTP header blocks.
AccountRolePermissionsManageBlocks
// AccountRolePermissionsManageTaxonomies is not used by GotoSocial.
AccountRolePermissionsManageTaxonomies
// AccountRolePermissionsManageAppeals is not used by GotoSocial.
AccountRolePermissionsManageAppeals
// AccountRolePermissionsManageUsers indicates that the user can view user details and perform user moderation actions.
AccountRolePermissionsManageUsers
// AccountRolePermissionsManageInvites is not used by GotoSocial.
AccountRolePermissionsManageInvites
// AccountRolePermissionsManageRules indicates that the user can edit instance rules.
AccountRolePermissionsManageRules
// AccountRolePermissionsManageAnnouncements is not used by GotoSocial.
AccountRolePermissionsManageAnnouncements
// AccountRolePermissionsManageCustomEmojis indicates that the user can edit custom emoji.
AccountRolePermissionsManageCustomEmojis
// AccountRolePermissionsManageWebhooks is not used by GotoSocial.
AccountRolePermissionsManageWebhooks
// AccountRolePermissionsInviteUsers is not used by GotoSocial.
AccountRolePermissionsInviteUsers
// AccountRolePermissionsManageRoles is not used by GotoSocial.
AccountRolePermissionsManageRoles
// AccountRolePermissionsManageUserAccess is not used by GotoSocial.
AccountRolePermissionsManageUserAccess
// AccountRolePermissionsDeleteUserData indicates that the user can permanently delete user data.
AccountRolePermissionsDeleteUserData
// FUTURE: If we decide to assign our own permissions bits,
// they should start at the other end of the int to avoid conflicts with future Mastodon permissions.
// AccountRolePermissionsForAdminRole includes all of the permissions assigned to GotoSocial's built-in administrator role.
AccountRolePermissionsForAdminRole = AccountRolePermissionsAdministrator |
AccountRolePermissionsManageReports |
AccountRolePermissionsManageFederation |
AccountRolePermissionsManageSettings |
AccountRolePermissionsManageBlocks |
AccountRolePermissionsManageUsers |
AccountRolePermissionsManageRules |
AccountRolePermissionsManageCustomEmojis |
AccountRolePermissionsDeleteUserData
// AccountRolePermissionsForModeratorRole includes all of the permissions assigned to GotoSocial's built-in moderator role.
// (Currently, there aren't any.)
AccountRolePermissionsForModeratorRole = AccountRolePermissionsNone
)
// AccountNoteRequest models a request to update the private note for an account.
//
// swagger:ignore

View File

@ -100,13 +100,13 @@ func (c *Converter) UserToAPIUser(ctx context.Context, u *gtsmodel.User) *apimod
return user
}
// AppToAPIAppSensitive takes a db model application as a param, and returns a populated apitype application, or an error
// AccountToAPIAccountSensitive takes a db model application as a param, and returns a populated apitype application, or an error
// if something goes wrong. The returned application should be ready to serialize on an API level, and may have sensitive fields
// (such as client id and client secret), so serve it only to an authorized user who should have permission to see it.
func (c *Converter) AccountToAPIAccountSensitive(ctx context.Context, a *gtsmodel.Account) (*apimodel.Account, error) {
// We can build this sensitive account model
// by first getting the public account, and
// then adding the Source object to it.
// then adding the Source object and role permissions bitmap to it.
apiAccount, err := c.AccountToAPIAccountPublic(ctx, a)
if err != nil {
return nil, err
@ -122,6 +122,13 @@ func (c *Converter) AccountToAPIAccountSensitive(ctx context.Context, a *gtsmode
}
}
// Populate the account's role permissions bitmap and highlightedness from its public role.
if len(apiAccount.Roles) > 0 {
apiAccount.Role = c.APIAccountDisplayRoleToAPIAccountRoleSensitive(&apiAccount.Roles[0])
} else {
apiAccount.Role = c.APIAccountDisplayRoleToAPIAccountRoleSensitive(nil)
}
statusContentType := string(apimodel.StatusContentTypeDefault)
if a.Settings.StatusContentType != "" {
statusContentType = a.Settings.StatusContentType
@ -299,7 +306,7 @@ func (c *Converter) accountToAPIAccountPublic(ctx context.Context, a *gtsmodel.A
var (
acct string
role *apimodel.AccountRole
roles []apimodel.AccountDisplayRole
enableRSS bool
theme string
customCSS string
@ -324,14 +331,8 @@ func (c *Converter) accountToAPIAccountPublic(ctx context.Context, a *gtsmodel.A
if err != nil {
return nil, gtserror.Newf("error getting user from database for account id %s: %w", a.ID, err)
}
switch {
case *user.Admin:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleAdmin}
case *user.Moderator:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleModerator}
default:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleUser}
if role := c.UserToAPIAccountDisplayRole(user); role != nil {
roles = append(roles, *role)
}
enableRSS = *a.Settings.EnableRSS
@ -380,7 +381,7 @@ func (c *Converter) accountToAPIAccountPublic(ctx context.Context, a *gtsmodel.A
CustomCSS: customCSS,
EnableRSS: enableRSS,
HideCollections: hideCollections,
Role: role,
Roles: roles,
}
// Bodge default avatar + header in,
@ -391,6 +392,56 @@ func (c *Converter) accountToAPIAccountPublic(ctx context.Context, a *gtsmodel.A
return accountFrontend, nil
}
// UserToAPIAccountDisplayRole returns the API representation of a user's display role.
// This will accept a nil user but does not always return a value:
// the default "user" role is considered uninteresting and not returned.
func (c *Converter) UserToAPIAccountDisplayRole(user *gtsmodel.User) *apimodel.AccountDisplayRole {
switch {
case user == nil:
return nil
case *user.Admin:
return &apimodel.AccountDisplayRole{
ID: string(apimodel.AccountRoleAdmin),
Name: apimodel.AccountRoleAdmin,
}
case *user.Moderator:
return &apimodel.AccountDisplayRole{
ID: string(apimodel.AccountRoleModerator),
Name: apimodel.AccountRoleModerator,
}
default:
return nil
}
}
// APIAccountDisplayRoleToAPIAccountRoleSensitive returns the API representation of a user's role,
// with permission bitmap. This will accept a nil display role and always returns a value.
func (c *Converter) APIAccountDisplayRoleToAPIAccountRoleSensitive(display *apimodel.AccountDisplayRole) *apimodel.AccountRole {
// Default to user role.
role := &apimodel.AccountRole{
AccountDisplayRole: apimodel.AccountDisplayRole{
ID: string(apimodel.AccountRoleUser),
Name: apimodel.AccountRoleUser,
},
Permissions: apimodel.AccountRolePermissionsNone,
Highlighted: false,
}
// If there's a display role, use that instead.
if display != nil {
role.AccountDisplayRole = *display
role.Highlighted = true
switch display.Name {
case apimodel.AccountRoleAdmin:
role.Permissions = apimodel.AccountRolePermissionsForAdminRole
case apimodel.AccountRoleModerator:
role.Permissions = apimodel.AccountRolePermissionsForModeratorRole
}
}
return role
}
func (c *Converter) fieldsToAPIFields(f []*gtsmodel.Field) []apimodel.Field {
fields := make([]apimodel.Field, len(f))
@ -416,8 +467,8 @@ func (c *Converter) fieldsToAPIFields(f []*gtsmodel.Field) []apimodel.Field {
// when someone wants to view an account they've blocked.
func (c *Converter) AccountToAPIAccountBlocked(ctx context.Context, a *gtsmodel.Account) (*apimodel.Account, error) {
var (
acct string
role *apimodel.AccountRole
acct string
roles []apimodel.AccountDisplayRole
)
if a.IsRemote() {
@ -438,14 +489,8 @@ func (c *Converter) AccountToAPIAccountBlocked(ctx context.Context, a *gtsmodel.
if err != nil {
return nil, gtserror.Newf("error getting user from database for account id %s: %w", a.ID, err)
}
switch {
case *user.Admin:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleAdmin}
case *user.Moderator:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleModerator}
default:
role = &apimodel.AccountRole{Name: apimodel.AccountRoleUser}
if role := c.UserToAPIAccountDisplayRole(user); role != nil {
roles = append(roles, *role)
}
}
@ -464,7 +509,7 @@ func (c *Converter) AccountToAPIAccountBlocked(ctx context.Context, a *gtsmodel.
// Empty array (not nillable).
Fields: make([]apimodel.Field, 0),
Suspended: !a.SuspendedAt.IsZero(),
Role: role,
Roles: roles,
}
// Don't show the account's actual
@ -487,7 +532,7 @@ func (c *Converter) AccountToAdminAPIAccount(ctx context.Context, a *gtsmodel.Ac
inviteRequest *string
approved bool
disabled bool
role = apimodel.AccountRole{Name: apimodel.AccountRoleUser} // assume user by default
role = *c.APIAccountDisplayRoleToAPIAccountRoleSensitive(nil)
createdByApplicationID string
)
@ -527,11 +572,9 @@ func (c *Converter) AccountToAdminAPIAccount(ctx context.Context, a *gtsmodel.Ac
inviteRequest = &user.Reason
}
if *user.Admin {
role.Name = apimodel.AccountRoleAdmin
} else if *user.Moderator {
role.Name = apimodel.AccountRoleModerator
}
role = *c.APIAccountDisplayRoleToAPIAccountRoleSensitive(
c.UserToAPIAccountDisplayRole(user),
)
confirmed = !user.ConfirmedAt.IsZero()
approved = *user.Approved

View File

@ -68,10 +68,7 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontend() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
}`, string(b))
}
@ -135,7 +132,11 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontendAliasedAndMoved()
},
"enable_rss": true,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"moved": {
"id": "01F8MH5NBDF2MV7CTC4Q5128HF",
@ -169,10 +170,7 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontendAliasedAndMoved()
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
}
}`, string(b))
}
@ -222,10 +220,7 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontendWithEmojiStruct()
}
],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
}`, string(b))
}
@ -272,10 +267,7 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontendWithEmojiIDs() {
}
],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
}`, string(b))
}
@ -321,7 +313,11 @@ func (suite *InternalToFrontendTestSuite) TestAccountToFrontendSensitive() {
},
"enable_rss": true,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
}
}`, string(b))
}
@ -494,9 +490,13 @@ func (suite *InternalToFrontendTestSuite) TestStatusToFrontend() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"media_attachments": [
{
@ -667,9 +667,13 @@ func (suite *InternalToFrontendTestSuite) TestWarnFilteredStatusToFrontend() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"media_attachments": [
{
@ -849,10 +853,7 @@ func (suite *InternalToFrontendTestSuite) TestWarnFilteredBoostToFrontend() {
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"media_attachments": [
{
@ -980,9 +981,13 @@ func (suite *InternalToFrontendTestSuite) TestWarnFilteredBoostToFrontend() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"media_attachments": [],
"mentions": [],
@ -1518,9 +1523,13 @@ func (suite *InternalToFrontendTestSuite) TestStatusToFrontendUnknownLanguage()
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"media_attachments": [
{
@ -1657,10 +1666,7 @@ func (suite *InternalToFrontendTestSuite) TestStatusToFrontendPartialInteraction
"last_status_at": "2024-01-10T09:24:00.000Z",
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "user"
}
"enable_rss": true
},
"media_attachments": [],
"mentions": [],
@ -1853,9 +1859,13 @@ func (suite *InternalToFrontendTestSuite) TestInstanceV1ToFrontend() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"max_toot_chars": 5000,
"rules": [],
@ -1989,9 +1999,13 @@ func (suite *InternalToFrontendTestSuite) TestInstanceV2ToFrontend() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
}
},
"rules": [],
@ -2158,10 +2172,7 @@ func (suite *InternalToFrontendTestSuite) TestReportToFrontend2() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
}
}`, string(b))
}
@ -2194,7 +2205,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -2235,7 +2250,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -2274,10 +2293,7 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -2292,7 +2308,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -2321,9 +2341,13 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -2338,7 +2362,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -2367,9 +2395,13 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend1() {
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -2407,7 +2439,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend2() {
"locale": "en",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -2446,10 +2482,7 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend2() {
"verified_at": null
}
],
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
},
"created_by_application_id": "01F8MGY43H3N2C8EWPR2FPYEXG"
},
@ -2464,7 +2497,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontend2() {
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -2665,7 +2702,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": false,
"approved": false,
@ -2706,7 +2747,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"locale": "",
"invite_request": null,
"role": {
"name": "user"
"id": "user",
"name": "user",
"color": "",
"permissions": "0",
"highlighted": false
},
"confirmed": true,
"approved": true,
@ -2735,10 +2780,7 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"emojis": [],
"fields": [],
"suspended": true,
"hide_collections": true,
"role": {
"name": "user"
}
"hide_collections": true
}
},
"assigned_account": {
@ -2752,7 +2794,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -2781,9 +2827,13 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},
@ -2798,7 +2848,11 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"locale": "en",
"invite_request": null,
"role": {
"name": "admin"
"id": "admin",
"name": "admin",
"color": "",
"permissions": "546033",
"highlighted": true
},
"confirmed": true,
"approved": true,
@ -2827,9 +2881,13 @@ func (suite *InternalToFrontendTestSuite) TestAdminReportToFrontendSuspendedLoca
"emojis": [],
"fields": [],
"enable_rss": true,
"role": {
"name": "admin"
}
"roles": [
{
"id": "admin",
"name": "admin",
"color": ""
}
]
},
"created_by_application_id": "01F8MGXQRHYF5QPMTMXP78QC2F"
},

View File

@ -173,9 +173,11 @@
<dt class="sr-only">Username</dt>
<dd class="username text-cutoff">@{{- .account.Username -}}@{{- .instance.AccountDomain -}}</dd>
</div>
{{- if and (.account.Role) (ne .account.Role.Name "user") }}
{{- if .account.Roles }}
<dt class="sr-only">Role</dt>
<dd class="role {{ .account.Role.Name -}}">{{- .account.Role.Name -}}</dd>
{{- range .account.Roles }}
<dd class="role {{ .Name -}}">{{- .Name -}}</dd>
{{- end }}
{{- end }}
</dl>
</div>