prosody-modules
94399ad6b5ab
mod_watch_spam_reports/mod_watch_spam_reports.lua
Software / code / prosody-modules
File
mod_watch_spam_reports/mod_watch_spam_reports.lua @ 6191:94399ad6b5ab
mod_invites_register_api: Use set_password() for password resets
Previously the code relied on the (weird) behaviour of create_user(), which
would update the password for a user account if it already existed. This has
several issues, and we plan to deprecate this behaviour of create_user().
The larger issue is that this route does not trigger the user-password-changed
event, which can be a security problem. For example, it did not disconnect
existing user sessions (this occurs in mod_c2s in response to the event).
Switching to set_password() is the right thing to do.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Feb 2025 10:13:39 +0000 |
| parent | 5022:97d34d520cfa |
line wrap: on
line source
local jid = require "util.jid"; local set = require "util.set"; local st = require "util.stanza"; local usermanager = require "core.usermanager"; local host = module.host; local admins; if usermanager.get_jids_with_role then admins = set.new(usermanager.get_jids_with_role("prosody:admin", host)); else -- COMPAT w/pre-0.12 admins = module:get_option_inherited_set("admins"); end module:depends("spam_reporting") module:hook("spam_reporting/spam-report", function(event) local reporter_bare_jid = jid.bare(event.stanza.attr.from) local report = reporter_bare_jid.." reported spam from "..event.jid..": "..(event.reason or "no reason given") for admin_jid in admins do module:send(st.message({from=host, type="chat",to=admin_jid}, report)); end end) module:hook("spam_reporting/abuse-report", function(event) local reporter_bare_jid = jid.bare(event.stanza.attr.from) local report = reporter_bare_jid.." reported abuse from "..event.jid..": "..(event.reason or "no reason given") for admin_jid in admins do module:send(st.message({from=host, type="chat",to=admin_jid}, report)); end end)
