freedomofpress / securedrop-signal-poc

prototype e2e server and source + journalist clients for securedrop
GNU General Public License v3.0

admin API: remove user from existing group #9

Open redshiftzero opened 3 years ago

redshiftzero commented 3 years ago

This should be a new API endpoint in https://github.com/redshiftzero/securedrop/tree/signal-proto that allows admins only to remove a user from an existing group. The idea here is that if journalist workstations are lost or offboarded, admins will remove them from any existing conversations when their journalist accounts are deleted.

Since sources cannot be admins, this endpoint only needs to be added to the journalist/admin v2 API endpoint. For a similar endpoint, see here.

To close this issue, there should be a new API endpoint, and either a test or an addition to a new script admin.py in this repository that exercises the endpoint.

The logic should be as follows:

  1. Execute AuthAsGroupMember operation (using the auth_as_group_member() function).
  2. Encrypt new user’s UID to create UidCiphertext using GroupSecretParams.
  3. Server verifies the authenticated user is an admin (selected using the UidCiphertext from the provided AuthCredentialPresentation).
  4. Server deletes the user if it is in the group. If there are no users left in the group, the group is deleted.
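
The server-side half of the logic above (steps 3 and 4), as an added example that is not code from this repository. It assumes step 1 has already verified the AuthCredentialPresentation and yielded the caller's UidCiphertext; GroupStore, Role, NotAuthorized and remove_member are hypothetical names, and opaque byte strings stand in for real ciphertexts.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    MEMBER = "member"
    ADMIN = "admin"


class NotAuthorized(Exception):
    """Caller is not an admin of the requested group."""


@dataclass
class GroupStore:
    # group_id -> {UidCiphertext bytes: Role}; no plaintext UIDs are stored.
    groups: dict = field(default_factory=dict)

    def remove_member(self, group_id, caller_ct, target_ct):
        """Remove target_ct from group_id on behalf of caller_ct.

        Assumption: caller_ct was extracted from a presentation that step 1
        already verified. This function performs no cryptography.
        Returns "removed", "not_member" or "group_deleted".
        """
        members = self.groups.get(group_id)
        # Step 3: unknown group, non-member and non-admin callers are all
        # rejected the same way (a design choice of this example).
        if members is None or members.get(caller_ct) is not Role.ADMIN:
            raise NotAuthorized(group_id)
        # Step 4: delete the user only if it is in the group.
        if target_ct not in members:
            return "not_member"
        del members[target_ct]
        # Step 4, second half: an empty group is deleted.
        if not members:
            del self.groups[group_id]
            return "group_deleted"
        return "removed"


def demo():
    # Constructed sample data: one admin and one offboarded workstation.
    store = GroupStore({"g1": {b"ct-admin": Role.ADMIN, b"ct-lost": Role.MEMBER}})
    targets = [b"ct-lost", b"ct-unknown", b"ct-admin"]
    results = [store.remove_member("g1", b"ct-admin", t) for t in targets]
    return results, store.groups


if __name__ == "__main__":
    print(demo())
```

The last call in demo() shows the edge case where the only remaining admin removes itself, which empties and deletes the group.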