From 71beafd1a66c6feb42087bbe4f08d01bc7ab68f1 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Thu, 12 Aug 2021 19:18:50 +0100
Subject: [PATCH] Only allow admin to create groups

---
 daemon.py         |  7 +++++--
 webapp_profile.py | 14 +++++++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/daemon.py b/daemon.py
index dd807cdc5..cf8a88275 100644
--- a/daemon.py
+++ b/daemon.py
@@ -5383,8 +5383,11 @@ class PubServer(BaseHTTPRequestHandler):
                         if fields.get('isGroup'):
                             if fields['isGroup'] == 'on':
                                 if actorJson['type'] != 'Group':
-                                    actorJson['type'] = 'Group'
-                                    actorChanged = True
+                                    # only allow admin to create groups
+                                    if path.startswith('/users/' +
+                                                       adminNickname + '/'):
+                                        actorJson['type'] = 'Group'
+                                        actorChanged = True
                         else:
                             # this account is a person (default)
                             if actorJson['type'] != 'Person':
diff --git a/webapp_profile.py b/webapp_profile.py
index 5d3ef07a7..c2518159e 100644
--- a/webapp_profile.py
+++ b/webapp_profile.py
@@ -1667,7 +1667,8 @@ def _htmlEditProfileContactInfo(nickname: str,
     return editProfileForm
 
 
-def _htmlEditProfileOptions(manuallyApprovesFollowers: str,
+def _htmlEditProfileOptions(isAdmin: bool,
+                            manuallyApprovesFollowers: str,
                             isBot: str, isGroup: str,
                             followDMs: str, removeTwitter: str,
                             notifyLikes: str, hideLikeButton: str,
@@ -1681,9 +1682,10 @@ def _htmlEditProfileOptions(manuallyApprovesFollowers: str,
     editProfileForm += \
         editCheckBox(translate['This is a bot account'],
                      'isBot', isBot)
-    editProfileForm += \
-        editCheckBox(translate['This is a group account'],
-                     'isGroup', isGroup)
+    if isAdmin:
+        editProfileForm += \
+            editCheckBox(translate['This is a group account'],
+                         'isGroup', isGroup)
     editProfileForm += \
         editCheckBox(translate['Only people I follow can send me DMs'],
                      'followDMs', followDMs)
@@ -1932,8 +1934,10 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str,
        path.startswith('/users/' + str(adminNickname) + '/'):
         graphicsStr = _htmlEditProfileGraphicDesign(baseDir, translate)
 
+    isAdmin = False
     if adminNickname:
         if path.startswith('/users/' + adminNickname + '/'):
+            isAdmin = True
             # shared items section
             sharesFederationStr = \
                 _htmlEditProfileSharedItems(baseDir, nickname,
@@ -1982,7 +1986,7 @@ def htmlEditProfile(cssCache: {}, translate: {}, baseDir: str, path: str,
 
     # Option checkboxes
     editProfileForm += \
-        _htmlEditProfileOptions(manuallyApprovesFollowers,
+        _htmlEditProfileOptions(isAdmin, manuallyApprovesFollowers,
                                 isBot, isGroup, followDMs, removeTwitter,
                                 notifyLikes, hideLikeButton, translate)