Only allow punished users to be pardoned

Toastbrot236 · Toastbrot236 · commit f7d6ce2d8f9d · 2026-02-21T15:33:52.000+01:00
diff --git a/Refresh.Interfaces.APIv3/Endpoints/Admin/AdminUserPunishmentApiEndpoints.cs b/Refresh.Interfaces.APIv3/Endpoints/Admin/AdminUserPunishmentApiEndpoints.cs
@@ -55,16 +55,16 @@ public ApiOkResponse RestrictUser(RequestContext context, GameDatabaseContext da
     [ApiV3Endpoint("admin/users/{idType}/{id}/pardon", HttpMethods.Post), MinimumRole(GameUserRole.Moderator)]
     [DocSummary("Pardons all punishments for the given user.")]
     [DocError(typeof(ApiNotFoundError), ApiNotFoundError.UserMissingErrorWhen)]
-    [DocError(typeof(ApiValidationError), ApiValidationError.MayNotModifyUserDueToLowRoleErrorWhen)]
+    [DocError(typeof(ApiValidationError), ApiValidationError.UserIsAlreadyPardonedErrorWhen)]
     public ApiOkResponse PardonUser(RequestContext context, GameDatabaseContext database, GameUser user,
         [DocSummary(SharedParamDescriptions.UserIdParam)] string id, 
         [DocSummary(SharedParamDescriptions.UserIdTypeParam)] string idType)
     {
         GameUser? targetUser = database.GetUserByIdAndType(idType, id);
         if (targetUser == null) return ApiNotFoundError.UserMissingError;
 
-        if (!user.MayModifyUser(targetUser))
-            return ApiValidationError.MayNotModifyUserDueToLowRoleError;
+        if (targetUser.Role > GameUserRole.Restricted)
+            return ApiValidationError.UserIsAlreadyPardonedError;
         
         database.SetUserRole(targetUser, GameUserRole.User);
         return new ApiOkResponse();
diff --git a/Refresh.Interfaces.APIv3/Endpoints/ApiTypes/Errors/ApiValidationError.cs b/Refresh.Interfaces.APIv3/Endpoints/ApiTypes/Errors/ApiValidationError.cs
@@ -71,6 +71,9 @@ public class ApiValidationError : ApiError
     public const string WrongRoleUpdateMethodErrorWhen = "The specified role cannot be assigned to the user using this endpoint.";
     public static readonly ApiValidationError WrongRoleUpdateMethodError = new(WrongRoleUpdateMethodErrorWhen);
 
+    public const string UserIsAlreadyPardonedErrorWhen = "This user has no punishments, they are already pardoned.";
+    public static readonly ApiValidationError UserIsAlreadyPardonedError = new(UserIsAlreadyPardonedErrorWhen);
+
     public const string RoleMissingErrorWhen = "The specified role does not exist.";
     public static readonly ApiValidationError RoleMissingError = new(RoleMissingErrorWhen);
 
diff --git a/RefreshTests.GameServer/Tests/ApiV3/AdminUserManagementApiTests.cs b/RefreshTests.GameServer/Tests/ApiV3/AdminUserManagementApiTests.cs
@@ -223,6 +223,44 @@ public async Task ModeratorsMayNotRestrictAdminsAndModerators()
         Assert.That(updated!.Role, Is.EqualTo(GameUserRole.Restricted));
     }
 
+    [Test]
+    public async Task CanOnlyPardonPunishedUsers()
+    {
+        using TestContext context = this.GetServer();
+        GameUser admin = context.CreateUser(role: GameUserRole.Admin);
+        GameUser mod = context.CreateUser(role: GameUserRole.Moderator);
+        GameUser user = context.CreateUser(role: GameUserRole.User);
+        GameUser restricted = context.CreateUser(role: GameUserRole.Restricted);
+        HttpClient client = context.GetAuthenticatedClient(TokenType.Api, mod);
+
+        // Admin
+        HttpResponseMessage response = await client.PostAsync($"/api/v3/admin/users/uuid/{admin.UserId}/pardon", null);
+        Assert.That(response.IsSuccessStatusCode, Is.False);
+        context.Database.Refresh();
+
+        GameUser? updated = context.Database.GetUserByObjectId(admin.UserId);
+        Assert.That(updated, Is.Not.Null);
+        Assert.That(updated!.Role, Is.EqualTo(GameUserRole.Admin));
+
+        // User
+        response = await client.PostAsync($"/api/v3/admin/users/uuid/{user.UserId}/pardon", null);
+        Assert.That(response.IsSuccessStatusCode, Is.False);
+        context.Database.Refresh();
+
+        updated = context.Database.GetUserByObjectId(user.UserId);
+        Assert.That(updated, Is.Not.Null);
+        Assert.That(updated!.Role, Is.EqualTo(GameUserRole.User));
+
+        // Restricted
+        response = await client.PostAsync($"/api/v3/admin/users/uuid/{restricted.UserId}/pardon", null);
+        Assert.That(response.IsSuccessStatusCode, Is.True);
+        context.Database.Refresh();
+
+        updated = context.Database.GetUserByObjectId(restricted.UserId);
+        Assert.That(updated, Is.Not.Null);
+        Assert.That(updated!.Role, Is.EqualTo(GameUserRole.User));
+    }
+
     [Test]
     public async Task ModeratorsMayNotResetPasswordOfAdminsAndModerators()
     {
