From 0395da028505c7b7d63f3f2eb4263074e708301b Mon Sep 17 00:00:00 2001
From: interru
Date: Sat, 4 Nov 2023 21:43:18 +0100
Subject: [PATCH] Add admin check using the provided username for firefish
---
 fediseer/apis/v1/whitelist.py | 4 +++-
 fediseer/fediverse.py | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/fediseer/apis/v1/whitelist.py b/fediseer/apis/v1/whitelist.py
index d4fe684..bf477fb 100644
--- a/fediseer/apis/v1/whitelist.py
+++ b/fediseer/apis/v1/whitelist.py
@@ -98,11 +98,13 @@ class WhitelistDomain(Resource):
 guarantor_instance = database.find_instance_by_domain(self.args.guarantor)
 if not guarantor_instance:
 raise e.BadRequest(f"Requested guarantor domain {self.args.guarantor} is not registered with the Fediseer yet!")
- if self.args.admin not in instance_info.admin_usernames:
+
+ if not instance_info.is_admin(self.args.admin):
 if len(instance_info.admin_usernames) == 0:
 raise e.Unauthorized(f"We could not discover any admins for this instance software. Please Ensure your software exposes this info. If it's exposed in a novel manner, consider sending us a PR to be able to retrieve this infomation.")
 else:
 raise e.Forbidden(f"Only admins of that {instance.software} are allowed to claim it.")
+
 existing_claim = database.find_claim(f"@{self.args.admin}@{domain}")
 if existing_claim:
 raise e.Forbidden(f"You have already claimed this instance as this admin. Please use the PATCH method to reset your API key.")
diff --git a/fediseer/fediverse.py b/fediseer/fediverse.py
index 2549660..dd66949 100644
--- a/fediseer/fediverse.py
+++ b/fediseer/fediverse.py
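Review bot: In `WhitelistDomain` (fediseer/apis/v1/whitelist.py), the `len(instance_info.admin_usernames) == 0` test under the new `is_admin()` call now selects the wrong error for firefish. Admins of that software are confirmed one username at a time, so the set is presumably empty until someone passes the check, and a rejected caller is told "We could not discover any admins…" with Unauthorized instead of getting the Forbidden answer. Consider `if len(instance_info.admin_usernames) == 0 and instance_info.software != "firefish":` so that a refused firefish username is reported as a failed admin check. The enclosing method starts and ends outside this hunk.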
@@ -275,6 +275,20 @@ class InstanceInfo():
 else:
 software_map[self.software]()

+ def is_admin(self, user):
+ admin = user in self.admin_usernames
+
+ if not admin and self.software == "firefish":
+ payload = {
+ "username": user
+ }
+ user_info = requests.post(f"https://{self.domain}/api/users/show", timeout=self._req_timeout, json=payload).json()
+ admin = user_info.get('isAdmin', False)
+ if admin:
+ self.admin_usernames.add(user)
+
+ return admin
+
 @staticmethod
 def get_nodeinfo(domain, req_timeout=3):
 headers = {
@@ -323,4 +337,4 @@ class InstanceInfo():
 # else:
 # logger.error("Domain does not exist")
 # import sys
-# sys.exit()
\ No newline at end of file
+# sys.exit()
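Review bot: The `requests.post(...).json()` call in the new `is_admin()` has no error handling or response validation, although it sits on the authorization path for claiming an instance. A timeout, connection error or non-JSON body raises out of the method instead of giving a clean "not an admin" result, the HTTP status is never checked, and any truthy `isAdmin` value is taken at face value. The check should fail closed: catch the request and decode errors, call `raise_for_status()`, and require `isAdmin is True` on a JSON object, as in the rewrite below. Separately, if the remote username lookup is case-insensitive, the caller-supplied spelling is what gets added to `admin_usernames` and used in the claim lookup in whitelist.py, so comparing against the username the API returns would be safer; this is worth confirming.

```python
    def is_admin(self, user):
        if user in self.admin_usernames:
            return True
        if self.software != "firefish":
            return False
        try:
            response = requests.post(
                f"https://{self.domain}/api/users/show",
                timeout=self._req_timeout,
                json={"username": user},
            )
            response.raise_for_status()
            user_info = response.json()
        except (requests.RequestException, ValueError):
            # Fail closed: an unreachable or malformed endpoint proves nothing.
            return False
        # Only an explicit boolean true on a JSON object counts as admin.
        if not isinstance(user_info, dict) or user_info.get("isAdmin") is not True:
            return False
        self.admin_usernames.add(user)
        return True
```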