prosody-modules
963c16e417d6
mod_privilege/mod_privilege.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_privilege/mod_privilege.lua @ 6222:963c16e417d6

mod_admin_web: Remove compatibility with 0.11
author Link Mauve <linkmauve@linkmauve.fr>
date Wed, 09 Apr 2025 19:04:30 +0200
parent 5897:a88c43de648c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
1 -- XEP-0356 (Privileged Entity)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
2 -- Copyright (C) 2015-2022 Jérôme Poisson
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
3 --
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
4 -- This module is MIT/X11 licensed. Please see the
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
5 -- COPYING file in the source package for more information.
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
6 --
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
7 -- Some parts come from mod_remote_roster (module by Waqas Hussain and Kim Alvefur, see https://code.google.com/p/prosody-modules/)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
8
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
9 -- TODO: manage external <presence/> (for "roster" presence permission) when the account with the roster is offline
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
10
1990
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
11 local jid = require("util.jid")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
12 local set = require("util.set")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
13 local st = require("util.stanza")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
14 local roster_manager = require("core.rostermanager")
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
15 local usermanager_user_exists = require "core.usermanager".user_exists
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
16 local hosts = prosody.hosts
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
17 local full_sessions = prosody.full_sessions
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
18
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
19 local priv_session = module:shared("/*/privilege/session")
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
20
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
21 if priv_session.connected_cb == nil then
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
22 -- set used to have connected event listeners
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
23 -- which allows a host to react on events from
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
24 -- other hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
25 priv_session.connected_cb = set.new()
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
26 end
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
27 local connected_cb = priv_session.connected_cb
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
28
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
29 -- the folowing sets are used to forward presence stanza
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
30 -- the folowing sets are used to forward presence stanza
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
31 local presence_man_ent = set.new()
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
32 local presence_roster = set.new()
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
33
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
34 local _ALLOWED_ROSTER = set.new({'none', 'get', 'set', 'both'})
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
35 local _ROSTER_GET_PERM = set.new({'get', 'both'})
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
36 local _ROSTER_SET_PERM = set.new({'set', 'both'})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
37 local _ALLOWED_MESSAGE = set.new({'none', 'outgoing'})
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
38 local _ALLOWED_PRESENCE = set.new({'none', 'managed_entity', 'roster'})
1665
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
39 local _PRESENCE_MANAGED = set.new({'managed_entity', 'roster'})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
40 local _TO_CHECK = {roster=_ALLOWED_ROSTER, message=_ALLOWED_MESSAGE, presence=_ALLOWED_PRESENCE}
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
41 local _PRIV_ENT_NS = 'urn:xmpp:privilege:2'
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
42 local _FORWARDED_NS = 'urn:xmpp:forward:0'
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
43 local _MODULE_HOST = module:get_host()
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
44
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
45
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
46 module:log("debug", "Loading privileged entity module ")
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
47
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
48
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
49 --> Permissions management <--
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
50
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
51 local config_priv = module:get_option("privileged_entities", {})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
52
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
53 local function get_session_privileges(session, host)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
54 if not session.privileges then return nil end
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
55 return session.privileges[host]
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
56 end
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
57
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
58
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
59 local function advertise_perm(session, to_jid, perms)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
60 -- send <message/> stanza to advertise permissions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
61 -- as expained in § 4.2
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
62 local message = st.message({from=module.host, to=to_jid})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
63 :tag("privilege", {xmlns=_PRIV_ENT_NS})
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
64
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
65 for _, perm in pairs({'roster', 'message', 'presence'}) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
66 if perms[perm] then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
67 message:tag("perm", {access=perm, type=perms[perm]}):up()
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
68 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
69 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
70 local iq_perm = perms["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
71 if iq_perm ~= nil then
5897
a88c43de648c mod_privilege: Fix IQ privileges advertising for multiple namespaces
nicoco <nicoco@nicoco.fr>
parents: 4994
diff changeset
72 local perm_el = st.stanza("perm", {access="iq"})
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
73 for namespace, ns_perm in pairs(iq_perm) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
74 local perm_type
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
75 if ns_perm.set and ns_perm.get then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
76 perm_type = "both"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
77 elseif ns_perm.set then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
78 perm_type = "set"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
79 elseif ns_perm.get then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
80 perm_type = "get"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
81 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
82 perm_type = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
83 end
5897
a88c43de648c mod_privilege: Fix IQ privileges advertising for multiple namespaces
nicoco <nicoco@nicoco.fr>
parents: 4994
diff changeset
84 perm_el:tag("namespace", {ns=namespace, type=perm_type}):up()
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
85 end
5897
a88c43de648c mod_privilege: Fix IQ privileges advertising for multiple namespaces
nicoco <nicoco@nicoco.fr>
parents: 4994
diff changeset
86 message:add_child(perm_el)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
87 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
88 session.send(message)
1662
d440a22fa0af mod_privilege: advertise_perm method now use session.send instead of module:send to avoid to go back in hook
Goffi <goffi@goffi.org>
parents: 1661
diff changeset
89 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
90
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
91 local function set_presence_perm_set(to_jid, perms)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
92 -- fill the presence sets according to perms
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
93 if _PRESENCE_MANAGED:contains(perms.presence) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
94 presence_man_ent:add(to_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
95 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
96 if perms.presence == 'roster' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
97 presence_roster:add(to_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
98 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
99 end
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
100
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
101 local function advertise_presences(session, to_jid, perms)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
102 -- send presence status for already connected entities
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
103 -- as explained in § 7.1
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
104 -- people in roster are probed only for active sessions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
105 -- TODO: manage roster load for inactive sessions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
106 if not perms.presence then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
107 local to_probe = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
108 for _, user_session in pairs(full_sessions) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
109 if user_session.presence and _PRESENCE_MANAGED:contains(perms.presence) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
110 local presence = st.clone(user_session.presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
111 presence.attr.to = to_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
112 module:log("debug", "sending current presence for "..tostring(user_session.full_jid))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
113 session.send(presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
114 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
115 if perms.presence == "roster" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
116 -- we reset the cache to avoid to miss a presence that just changed
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
117 priv_session.last_presence = nil
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
118
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
119 if user_session.roster then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
120 local bare_jid = jid.bare(user_session.full_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
121 for entity, item in pairs(user_session.roster) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
122 if entity~=false and entity~="pending" and (item.subscription=="both" or item.subscription=="to") then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
123 local _, host = jid.split(entity)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
124 if not hosts[host] then -- we don't probe jid from hosts we manage
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
125 -- using a table with entity as key avoid probing several time the same one
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
126 to_probe[entity] = bare_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
127 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
128 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
129 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
130 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
131 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
132 end
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
133
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
134 -- now we probe peoples for "roster" presence permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
135 for probe_to, probe_from in pairs(to_probe) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
136 module:log("debug", "probing presence for %s (on behalf of %s)", tostring(probe_to), tostring(probe_from))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
137 local probe = st.presence({from=probe_from, to=probe_to, type="probe"})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
138 prosody.core_route_stanza(nil, probe)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
139 end
1665
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
140 end
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
141
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
142
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
143 local function on_auth(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
144 -- Check if entity is privileged according to configuration,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
145 -- and set session.privileges accordingly
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
146
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
147 local session = event.session
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
148 local bare_jid = jid.join(session.username, session.host)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
149 if not session.privileges then
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
150 session.privileges = {}
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
151 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
152
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
153 local conf_ent_priv = config_priv[bare_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
154 local ent_priv = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
155 if conf_ent_priv ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
156 module:log("debug", "Entity is privileged")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
157 for perm_type, allowed_values in pairs(_TO_CHECK) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
158 local value = conf_ent_priv[perm_type]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
159 if value ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
160 if not allowed_values:contains(value) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
161 module:log('warn', 'Invalid value for '..perm_type..' privilege: ['..value..']')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
162 module:log('warn', 'Setting '..perm_type..' privilege to none')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
163 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
164 elseif value == 'none' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
165 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
166 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
167 ent_priv[perm_type] = value
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
168 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
169 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
170 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
171 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
172 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
173 -- extra checks for presence permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
174 if ent_priv.presence == 'roster' and not _ROSTER_GET_PERM:contains(ent_priv.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
175 module:log("warn", "Can't allow roster presence privilege without roster \"get\" privilege")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
176 module:log("warn", "Setting presence permission to none")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
177 ent_priv.presence = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
178 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
179 -- iq permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
180 local iq_perm_config = conf_ent_priv["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
181 if iq_perm_config ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
182 local iq_perm = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
183 ent_priv["iq"] = iq_perm
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
184 for ns, ns_perm_config in pairs(iq_perm_config) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
185 iq_perm[ns] = {
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
186 ["get"] = ns_perm_config == "get" or ns_perm_config == "both",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
187 ["set"] = ns_perm_config == "set" or ns_perm_config == "both"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
188 }
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
189 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
190 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
191 ent_priv["iq"] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
192 end
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
193
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
194 if session.type == "component" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
195 -- we send the message stanza only for component
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
196 -- it will be sent at first <presence/> for other entities
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
197 advertise_perm(session, bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
198 set_presence_perm_set(bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
199 advertise_presences(session, bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
200 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
201 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
202
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
203 session.privileges[_MODULE_HOST] = ent_priv
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
204 end
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
205
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
206 local function on_presence(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
207 -- Permission are already checked at this point,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
208 -- we only advertise them to the entity
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
209 local session = event.origin
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
210 local session_privileges = get_session_privileges(session, _MODULE_HOST)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
211 if session_privileges then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
212 advertise_perm(session, session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
213 set_presence_perm_set(session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
214 advertise_presences(session, session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
215 end
1659
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
216 end
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
217
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
218 local function on_component_auth(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
219 -- react to component-authenticated event from this host
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
220 -- and call the on_auth methods from all other hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
221 -- needed for the component to get delegations advertising
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
222 for callback in connected_cb:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
223 callback(event)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
224 end
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
225 end
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
226
1775
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
227 if module:get_host_type() ~= "component" then
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
228 connected_cb:add(on_auth)
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
229 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
230 module:hook('authentication-success', on_auth)
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
231 module:hook('component-authenticated', on_component_auth)
1659
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
232 module:hook('presence/initial', on_presence)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
233
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
234
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
235 --> roster permission <--
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
236
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
237 -- get
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
238 module:hook("iq-get/bare/jabber:iq:roster:query", function(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
239 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
240 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
241 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
242 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
243 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
244 local node, host = jid.split(stanza.attr.to)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
245 local session_privileges = get_session_privileges(session, host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
246
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
247 if session_privileges and _ROSTER_GET_PERM:contains(session_privileges.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
248 module:log("debug", "Roster get from allowed privileged entity received")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
249 -- following code is adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
250 local roster = roster_manager.load_roster(node, host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
251
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
252 local reply = st.reply(stanza):query("jabber:iq:roster")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
253 for entity_jid, item in pairs(roster) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
254 if entity_jid and entity_jid ~= "pending" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
255 reply:tag("item", {
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
256 jid = entity_jid,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
257 subscription = item.subscription,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
258 ask = item.ask,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
259 name = item.name,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
260 })
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
261 for group in pairs(item.groups) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
262 reply:tag("group"):text(group):up()
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
263 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
264 reply:up(); -- move out from item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
265 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
266 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
267 -- end of code adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
268 session.send(reply)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
269 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
270 module:log("warn", "Entity "..tostring(session.full_jid).." try to get roster without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
271 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
272 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
273
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
274 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
275 end)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
276
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
277 -- set
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
278 module:hook("iq-set/bare/jabber:iq:roster:query", function(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
279 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
280 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
281 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
282 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
283 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
284 local from_node, from_host = jid.split(stanza.attr.to)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
285 local session_privileges = get_session_privileges(session, from_host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
286
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
287 if session_privileges and _ROSTER_SET_PERM:contains(session_privileges.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
288 module:log("debug", "Roster set from allowed privileged entity received")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
289 -- following code is adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
290 if not(usermanager_user_exists(from_node, from_host)) then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
291 local roster = roster_manager.load_roster(from_node, from_host)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
292 if not(roster) then return; end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
293
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
294 local query = stanza.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
295 for _, item in ipairs(query.tags) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
296 if item.name == "item"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
297 and item.attr.xmlns == "jabber:iq:roster" and item.attr.jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
298 -- Protection against overwriting roster.pending, until we move it
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
299 and item.attr.jid ~= "pending" then
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
300
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
301 local item_jid = jid.prep(item.attr.jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
302 local _, host, resource = jid.split(item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
303 if not resource then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
304 if item_jid ~= stanza.attr.to then -- not self-item_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
305 if item.attr.subscription == "remove" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
306 local r_item = roster[item_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
307 if r_item then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
308 roster[item_jid] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
309 if roster_manager.save_roster(from_node, from_host, roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
310 session.send(st.reply(stanza))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
311 roster_manager.roster_push(from_node, from_host, item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
312 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
313 roster[item_jid] = item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
314 session.send(st.error_reply(stanza, "wait", "internal-server-error", "Unable to save roster"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
315 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
316 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
317 session.send(st.error_reply(stanza, "modify", "item-not-found"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
318 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
319 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
320 local subscription = item.attr.subscription
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
321 if subscription ~= "both" and subscription ~= "to" and subscription ~= "from" and subscription ~= "none" then -- TODO error on invalid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
322 subscription = roster[item_jid] and roster[item_jid].subscription or "none"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
323 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
324 local r_item = {name = item.attr.name, groups = {}}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
325 if r_item.name == "" then r_item.name = nil; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
326 r_item.subscription = subscription
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
327 if subscription ~= "both" and subscription ~= "to" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
328 r_item.ask = roster[item_jid] and roster[item_jid].ask
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
329 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
330 for _, child in ipairs(item) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
331 if child.name == "group" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
332 local text = table.concat(child)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
333 if text and text ~= "" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
334 r_item.groups[text] = true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
335 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
336 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
337 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
338 local olditem = roster[item_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
339 roster[item_jid] = r_item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
340 if roster_manager.save_roster(from_node, from_host, roster) then -- Ok, send success
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
341 session.send(st.reply(stanza))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
342 -- and push change to all resources
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
343 roster_manager.roster_push(from_node, from_host, item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
344 else -- Adding to roster failed
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
345 roster[item_jid] = olditem
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
346 session.send(st.error_reply(stanza, "wait", "internal-server-error", "Unable to save roster"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
347 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
348 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
349 else -- Trying to add self to roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
350 session.send(st.error_reply(stanza, "cancel", "not-allowed"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
351 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
352 else -- Invalid JID added to roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
353 module:log("warn", "resource: %s , host: %s", tostring(resource), tostring(host))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
354 session.send(st.error_reply(stanza, "modify", "bad-request")); -- FIXME what's the correct error?
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
355 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
356 else -- Roster set didn't include a single item, or its name wasn't 'item'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
357 session.send(st.error_reply(stanza, "modify", "bad-request"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
358 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
359 end -- for loop end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
360 -- end of code adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
361 else -- The permission is not granted
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
362 module:log("warn", "Entity "..tostring(session.full_jid).." try to set roster without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
363 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
364 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
365
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
366 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
367 end)
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
368
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
369
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
370 --> message permission <--
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
371
3393
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
372 local function clean_xmlns(node)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
373 -- Recursively remove "jabber:client" attribute from node.
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
374 -- In Prosody internal routing, xmlns should not be set.
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
375 -- Keeping xmlns would lead to issues like mod_smacks ignoring the outgoing stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
376 -- so we remove all xmlns attributes with a value of "jabber:client"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
377 if node.attr.xmlns == 'jabber:client' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
378 for childnode in node:childtags() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
379 clean_xmlns(childnode)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
380 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
381 node.attr.xmlns = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
382 end
3393
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
383 end
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
384
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
385 module:hook("message/host", function(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
386 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
387 local privilege_elt = stanza:get_child('privilege', _PRIV_ENT_NS)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
388 if privilege_elt==nil then return; end
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
389 local _, to_host = jid.split(stanza.attr.to)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
390 local session_privileges = get_session_privileges(session, to_host)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
391
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
392 if session_privileges and session_privileges.message=="outgoing" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
393 if #privilege_elt.tags==1 and privilege_elt.tags[1].name == "forwarded"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
394 and privilege_elt.tags[1].attr.xmlns==_FORWARDED_NS then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
395 local message_elt = privilege_elt.tags[1]:get_child('message', 'jabber:client')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
396 if message_elt ~= nil then
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
397 local username, from_host, from_resource = jid.split(message_elt.attr.from)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
398 if from_resource == nil and hosts[from_host] then -- we only accept bare jids from one of the server hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
399 clean_xmlns(message_elt); -- needed do to proper routing
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
400 local session = {
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
401 username = username;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
402 host = from_host;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
403 type = "c2s";
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
404 log = module._log;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
405 }
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
406 -- at this point everything should be alright, we can send the message
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
407 prosody.core_post_stanza(session, message_elt, true)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
408 else -- trying to send a message from a forbidden entity
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
409 module:log("warn", "Entity "..tostring(session.full_jid).." try to send a message from "..tostring(message_elt.attr.from))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
410 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
411 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
412 else -- incorrect message child
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
413 session.send(st.error_reply(stanza, "modify", "bad-request", "invalid forwarded <message/> element"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
414 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
415 else -- incorrect forwarded child
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
416 session.send(st.error_reply(stanza, "modify", "bad-request", "invalid <forwarded/> element"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
417 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
418 else -- The permission is not granted
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
419 module:log("warn", "Entity "..tostring(session.full_jid).." try to send message without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
420 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
421 end
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
422
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
423 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
424 end)
1664
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
425
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
426
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
427 --> presence permission <--
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
428
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
429 local function same_tags(tag1, tag2)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
430 -- check if two tags are equivalent
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
431
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
432 if tag1.name ~= tag2.name then return false; end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
433
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
434 if #tag1 ~= #tag2 then return false; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
435
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
436 for name, value in pairs(tag1.attr) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
437 if tag2.attr[name] ~= value then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
438 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
439
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
440 for i=1,#tag1 do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
441 if type(tag1[i]) == "string" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
442 if tag1[i] ~= tag2[i] then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
443 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
444 if not same_tags(tag1[i], tag2[i]) then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
445 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
446 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
447
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
448 return true
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
449 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
450
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
451 local function same_presences(presence1, presence2)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
452 -- check that 2 <presence/> stanzas are equivalent (except for "to" attribute)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
453 -- /!\ if the id change but everything else is equivalent, this method return false
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
454 -- this behaviour may change in the future
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
455 if presence1.attr.from ~= presence2.attr.from or presence1.attr.id ~= presence2.attr.id
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
456 or presence1.attr.type ~= presence2.attr.type then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
457 return false
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
458 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
459
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
460 if presence1.attr.id and presence1.attr.id == presence2.attr.id then return true; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
461
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
462 if #presence1 ~= #presence2 then return false; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
463
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
464 for i=1,#presence1 do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
465 if type(presence1[i]) == "string" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
466 if presence1[i] ~= presence2[i] then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
467 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
468 if not same_tags(presence1[i], presence2[i]) then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
469 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
470 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
471
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
472 return true
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
473 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
474
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
475 local function forward_presence(presence, to_jid)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
476 local presence_fwd = st.clone(presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
477 presence_fwd.attr.to = to_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
478 module:log("debug", "presence forwarded to "..to_jid..": "..tostring(presence_fwd))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
479 module:send(presence_fwd)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
480 -- cache used to avoid to send several times the same stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
481 priv_session.last_presence = presence
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
482 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
483
1664
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
484 module:hook("presence/bare", function(event)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
485 if presence_man_ent:empty() and presence_roster:empty() then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
486
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
487 local stanza = event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
488 if stanza.attr.type == nil or stanza.attr.type == "unavailable" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
489 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
490 for entity in presence_man_ent:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
491 if stanza.attr.from ~= entity then forward_presence(stanza, entity); end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
492 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
493 else -- directed presence
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
494 -- we ignore directed presences from our own host, as we already have them
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
495 local _, from_host = jid.split(stanza.attr.from)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
496 if hosts[from_host] then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
497
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
498 -- we don't send several time the same presence, as recommended in §7 #2
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
499 if priv_session.last_presence and same_presences(priv_session.last_presence, stanza) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
500 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
501 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
502
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
503 for entity in presence_roster:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
504 if stanza.attr.from ~= entity then forward_presence(stanza, entity); end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
505 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
506 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
507 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
508 end, 150)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
509
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
510 --> IQ permission <--
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
511
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
512 module:hook("iq/bare/".._PRIV_ENT_NS..":privileged_iq", function(event)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
513 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
514 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
515 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
516 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
517 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
518 local from_node, from_host, from_resource = jid.split(stanza.attr.to)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
519
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
520 if from_resource ~= nil or not usermanager_user_exists(from_node, from_host) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
521 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
522 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
523 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
524 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
525 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
526 "wrapping <IQ> stanza recipient must be a bare JID of a local user"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
527 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
528 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
529 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
530 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
531
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
532 local session_privileges = get_session_privileges(session, from_host)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
533
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
534 if session_privileges == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
535 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
536 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
537 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
538 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
539 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
540 "no privilege granted"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
541 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
542 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
543 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
544 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
545
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
546 local iq_privileges = session_privileges["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
547 if iq_privileges == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
548 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
549 session.send(st.error_reply(stanza, "auth", "forbidden", "you are not allowed to send privileged <IQ> stanzas"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
550 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
551 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
552 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
553
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
554 local privileged_iq = stanza:get_child("privileged_iq", _PRIV_ENT_NS)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
555
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
556 local wrapped_iq = privileged_iq.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
557 if wrapped_iq == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
558 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
559 st.error_reply(stanza, "auth", "forbidden", "missing <IQ> stanza to send")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
560 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
561 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
562 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
563
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
564 if wrapped_iq.attr.xmlns ~= "jabber:client" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
565 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
566 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
567 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
568 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
569 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
570 'wrapped <IQ> must have a xmlns of "jabber:client"'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
571 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
572 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
573 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
574 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
575
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
576 clean_xmlns(wrapped_iq)
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
577
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
578 if #wrapped_iq.tags ~= 1 then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
579 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
580 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
581 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
582 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
583 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
584 'invalid payload in wrapped <IQ>'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
585 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
586 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
587 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
588 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
589
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
590 local payload = wrapped_iq.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
591
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
592 local priv_ns = payload.attr.xmlns
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
593 if priv_ns == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
594 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
595 st.error_reply(stanza, "auth", "forbidden", "xmlns not set in privileged <IQ>")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
596 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
597 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
598 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
599
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
600 local ns_perms = iq_privileges[priv_ns]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
601 local iq_type = stanza.attr.type
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
602 if ns_perms == nil or iq_type == nil or not ns_perms[iq_type] then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
603 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
604 session.send(st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
605 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
606 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
607 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
608 "you are not allowed to send privileged <IQ> stanzas of this type and namespace")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
609 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
610 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
611 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
612 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
613
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
614 if wrapped_iq.attr.from ~= nil and wrapped_iq.attr.from ~= stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
615 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
616 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
617 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
618 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
619 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
620 'wrapped <IQ> "from" attribute is inconsistent with main <IQ> "to" attribute'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
621 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
622 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
623 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
624 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
625
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
626 wrapped_iq.attr.from = stanza.attr.to
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
627
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
628
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
629 if wrapped_iq.attr.type ~= iq_type then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
630 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
631 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
632 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
633 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
634 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
635 'invalid wrapped <IQ>: type mismatch'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
636 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
637 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
638 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
639 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
640
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
641 if wrapped_iq.attr.id == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
642 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
643 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
644 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
645 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
646 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
647 'invalid wrapped <IQ>: missing "id" attribute'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
648 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
649 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
650 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
651 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
652
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
653 -- at this point, wrapped_iq is considered valid, and privileged entity is allowed to send it
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
654 local username, from_host, _ = jid.split(wrapped_iq.attr.from)
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
655 local newsession = {
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
656 username = username;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
657 host = from_host;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
658 full_jid = stanza.attr.to;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
659 type = "c2s";
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
660 log = module._log;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
661 }
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
662
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4937
diff changeset
663 module:send_iq(wrapped_iq,newsession)
4937
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
664 :next(function (response)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
665 local reply = st.reply(stanza);
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
666 response.stanza.attr.xmlns = 'jabber:client'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
667 reply:tag("privilege", {xmlns = _PRIV_ENT_NS})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
668 :tag("forwarded", {xmlns = _FORWARDED_NS})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
669 :add_child(response.stanza)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
670 session.send(reply)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
671 end,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
672 function(response)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
673 module:log("error", "Error while sending privileged <IQ>: %s", response);
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
674 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
675 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
676 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
677 "cancel",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
678 "internal-server-error"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
679 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
680 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
681 end)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
682
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
683 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3393
diff changeset
684 end)