Comparison

mod_firewall/README.markdown @ 5002:84997bc3f92e

mod_firewall: Update for role-auth (backwards compatible) Probably worth investigating mod_compat_roles in the future.
author Matthew Wild <mwild1@gmail.com>
date Thu, 11 Aug 2022 17:04:53 +0100
parent 4967:1e8381f0d0a8
child 5234:f6c71d9d6dc0
comparison
equal deleted inserted replaced
5001:cb19cb1c03d6 5002:84997bc3f92e
433 # Rule to bounce messages from senders not in the roster who haven't been sent directed presence 433 # Rule to bounce messages from senders not in the roster who haven't been sent directed presence
434 NOT IN ROSTER? 434 NOT IN ROSTER?
435 NOT SENT DIRECTED PRESENCE TO SENDER? 435 NOT SENT DIRECTED PRESENCE TO SENDER?
436 BOUNCE=service-unavailable 436 BOUNCE=service-unavailable
437 437
438 ### Permissions
439
440 Rules can consult Prosody's internal role and permissions system to check whether a certain action may
441 be performed. The acting entity, their role, and appropriate context is automatically inferred. All you
442 need to do is provide the identifier of the permission that should be checked.
443
444 Condition Description
445 ----------------------- --------------------------------------------------------------------
446 `MAY=permission` Checks whether 'permission' is allowed in the current context.
447
448 As with all other conditions, `MAY` can be combined with `NOT` to negate the result of the check.
449
450 Example, blocking outgoing stanzas from users with roles that do not allow the 'xmpp:federate' permission:
451
452 ```
453 ::deliver_remote
454 MAY NOT: xmpp:federate
455 BOUNCE=policy-violation (You are not allowed access to the federation)
456 ```
457
458 ### Roles
459
460 Condition Matches
461 ---------------- -------------------------------------------------------------------------------------
462 `TO ROLE` When the recipient JID of the stanza has the named role
463 `FROM ROLE` When the sender JID of the stanza has the named role
464
465 **Note:** In most cases, you should avoid checking for specific roles, and instead check for
466 permissions granted by those roles (using the 'MAY' condition).
467
438 ### Admins 468 ### Admins
469
470 **Deprecated:** These conditions should no longer be used. Prefer 'MAY', 'TO ROLE' or 'FROM ROLE'.
439 471
440 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server. 472 Prosody allows certain JIDs to be declared as administrators of a host, component or the whole server.
441 473
442 Condition Matches 474 Condition Matches
443 ---------------- ------------------------------------------------------------------------------------- 475 ---------------- -------------------------------------------------------------------------------------