mod_privilege/README.markdown @ 4937:3ddab718f717

mod_privilege: update to v0.4:
- now the namespace "urn:xmpp:privilege:2" is exclusively used
- IQ permission implementation
- README update

roster pushes are not implemented yet
author Goffi <goffi@goffi.org>
date Wed, 11 May 2022 12:43:26 +0200
parent 1992:8dda3d7d616f
--- a/mod_privilege/README.markdown	Wed Mar 30 17:52:41 2022 +0200
+++ b/mod_privilege/README.markdown	Wed May 11 12:43:26 2022 +0200
@@ -1,6 +1,6 @@
 ---
 labels:
-- 'Stage-Alpha'
+- 'Stage-Beta'
 summary: 'XEP-0356 (Privileged Entity) implementation'
 ...
 
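Review bot: promoting the label from 'Stage-Alpha' to 'Stage-Beta' deserves a second look, because the same patch documents (in the Details and Configuration sections) that roster pushes are still not sent to the privileged entity. If Beta is intended, that limitation should be visible in the summary or labels; otherwise keep Alpha until the roster permission is complete.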
@@ -8,9 +8,9 @@
 ============
 
 Privileged Entity is an extension which allows entity/component to have
-privileged access to server (set/get roster, send message on behalf of
-server, access presence informations). It can be used to build services
-independently of server (e.g.: PEP service).
+privileged access to server (set/get roster, send message on behalf of server,
+send IQ stanza on behalf of user, access presence information). It can be used
+to build services independently of server (e.g.: PEP service).
 
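Review bot: since these lines are being reflowed anyway, the missing articles could be fixed at the same time: "allows entity/component to have privileged access to server" reads better as "allows an entity or component to have privileged access to the server", and the new "send IQ stanza on behalf of user" as "send IQ stanzas on behalf of a user". The "informations" to "information" correction is good.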
 Details
 =======
@@ -18,6 +18,12 @@
 You can have all the details by reading the
 [XEP-0356](http://xmpp.org/extensions/xep-0356.html).
 
+Only the latest version of the XEP is implemented (using namespace
+`urn:xmpp:privilege:2`), if your component use an older version, please update.
+
+Note that roster permission is not fully implemented yet, roster pushes are not yet sent
+to privileged entity.
+
 Usage
 =====
 
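Review bot: "if your component use an older version" on the second added line should be "uses". The same sentence would also help an upgrading operator if it said what the module does when an entity still uses an older namespace (ignores it or refuses the request), since that decides whether an upgrade is safe to deploy before the component is updated. The added "roster permission is not fully implemented" note repeats the one this patch adds under Configuration > roster; keeping a single copy and referring to it from the other place avoids the two drifting apart.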
@@ -33,7 +39,7 @@
 
     [...]
 
-    Component "youcomponent.yourdomain.tld"
+    Component "pubsub.yourdomain.tld"
         component_secret = "yourpassword"
         modules_enabled = {"privilege"}
 
@@ -51,22 +57,38 @@
                 message = "outgoing";
                 presence = "roster";
             },
+            ["pubsub.yourdomain.tld"] = {
+                roster = "get";
+                message = "outgoing";
+                presence = "roster";
+                iq = {
+                    ["http://jabber.org/protocol/pubsub"] = "set";
+                };
+            },
         }
 
-Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and
-will **have presence for any user** of the host, while
-*juliet@capulet.lit* can **get** and **set** a roster, **send messages**
-on the behalf of the server, and **access presence of anybody linked to
-the host** (not only people on the server, but also people in rosters of
-users of the server).
+Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and will
+**have presence for any user** of the host, while *juliet@capulet.lit* can
+**get** and **set** a roster, **send messages** on behalf of the server, and
+**access presence of anybody linked to the host** (not only people on the
+server, but also people in rosters of users of the server).
 
-**/! Be extra careful when you give a permission to an entity/component,
-it's a powerful access, only do it if you absoly trust the
-component/entity, and you know where the software is coming from**
+*pubsub.yourdomain.tld* is a Pubsub/PEP component which can **get** roster of
+anybody on the host, **send messages** on the behalf of the server, **access
+presence of anybody linked to the host**, and **send IQ stanza of type "set" for
+the namespace "http://jabber.org/protocol/pubsub"** (this can be used to
+implement XEP-0376 "Pubsub Account Management").
+
+**/!\\ Be extra careful when you give a permission to an entity/component, it's
+a powerful access, only do it if you absolutely trust the component/entity, and
+you know where the software is coming from**
 
 Configuration
 =============
 
+roster
+------
+
 All the permissions give access to all accounts of the virtual host.
 
   -------- ------------------------------------------------ ----------------------
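Review bot: the warning paragraph should name the new `iq` permission explicitly. The Configuration section states that all permissions apply to every account on the virtual host, so an `iq` entry with type `set` (as in the `["pubsub.yourdomain.tld"]` example) lets the component issue state-changing requests on behalf of any user for that namespace; the warning currently only talks about permissions in general, and the pubsub paragraph presents the grant as a feature without that caveat. Minor: "on the behalf of the server" in the new pubsub paragraph should match "on behalf of the server" used in the paragraph just above it.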
@@ -76,6 +98,9 @@
   both     Allow **read** and **write** access to rosters   
   -------- ------------------------------------------------ ----------------------
 
+Note that roster implementation is incomplete at the moment, roster pushes are not yet
+send to privileged entity.
+
 message
 -------
 
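Review bot: "roster pushes are not yet send" should be "sent", and the sentence is a comma splice; "Note that the roster implementation is incomplete: roster pushes are not yet sent to the privileged entity." reads cleaner. This is also the second copy of the note added to the Details section earlier in the patch, so one of the two could point to the other instead.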
@@ -93,6 +118,22 @@
   roster             Receive all presence stanzas (except subsciptions) from host users and people in their rosters
   ------------------ ------------------------------------------------------------------------------------------------
 
+iq
+--
+
+IQ permission is a table mapping allowed namespaces to allowed stanza type. When
+a namespace is specified, IQ stanza of the specified type (see below) can be
+sent if and only if the first child element of the IQ stanza has the specified
+namespace. See https://xmpp.org/extensions/xep-0356.html#iq for details.
+
+Allowed stanza type:
+
+  -------- -------------------------------------------
+  get      Allow IQ stanza of type **get**
+  set      Allow IQ stanza of type **set**
+  both     Allow IQ stanza of type **get** and **set**
+  -------- -------------------------------------------
+
 Compatibility
 =============
 
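Review bot: "Allowed stanza type:" should be plural since the table lists three values, and "IQ stanza of the specified type ... can be sent" should be "IQ stanzas". The "if and only if the first child element of the IQ stanza has the specified namespace" rule is the check operators will rely on, so it is worth spelling out the consequence: an IQ whose payload namespace is not listed is not forwarded regardless of its type, and the permission applies to every account on the host (as the roster section already says). The unchanged context line above still reads "subsciptions" for "subscriptions"; this is a good moment to fix it.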
@@ -118,13 +159,15 @@
 
 `patch -p1 < /tmp/component.patch`
 
-  ----- ----------------------------------------------------
+  ----- --------------------------------------------------
+  trunk Works
+  0.12  Works
+  0.11  Works
   0.10  Works
   0.9   Need a patched core/mod\_component.lua (see above)
-  ----- ----------------------------------------------------
+  ----- --------------------------------------------------
 
 Note
 ====
 
-This module is often used with mod\_delegation (c.f. XEP for more
-details)
+This module is often used with mod\_delegation (c.f. XEP for more details)
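Review bot: "c.f." should be "cf.", and "XEP" is now ambiguous because the README refers to both XEP-0356 and XEP-0376; naming the XEP meant here (with a link, as done in the Details section) would make the reflowed sentence more useful.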