prosody-modules
e977174082ee
mod_broadcast/mod_broadcast.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_broadcast/mod_broadcast.lua @ 6193:e977174082ee

mod_invites_register_api: Use set_password() for password resets Previously the code relied on the (weird) behaviour of create_user(), which would update the password for a user account if it already existed. This has several issues, and we plan to deprecate this behaviour of create_user(). The larger issue is that this route does not trigger the user-password-changed event, which can be a security problem. For example, it did not disconnect existing user sessions (this occurs in mod_c2s in response to the event). Switching to set_password() is the right thing to do
author Matthew Wild <mwild1@gmail.com>
date Thu, 06 Feb 2025 10:24:30 +0000
parent 1016:9f7c97e55593
line wrap: on
line source

local is_admin = require "core.usermanager".is_admin;
local allowed_senders = module:get_option_set("broadcast_senders", {});
local from_address = module:get_option_string("broadcast_from");

local jid_bare = require "util.jid".bare;

function send_to_online(message)
	local c = 0;
	for hostname, host_session in pairs(hosts) do
		if host_session.sessions then
			for username in pairs(host_session.sessions) do
				c = c + 1;
				message.attr.to = username.."@"..hostname;
				module:send(message);
			end
		end
	end
	return c;
end

function send_message(event)
	local stanza = event.stanza;
	local from = stanza.attr.from;
	if is_admin(from) or allowed_senders:contains(jid_bare(from)) then
		if from_address then
			stanza = st.clone(stanza);
			stanza.attr.from = from_address;
		end
		local c = send_to_online(stanza);
		module:log("debug", "Broadcast stanza from %s to %d online users", from, c);
		return true;
	else
		module:log("warn", "Broadcasting is not allowed for %s", from);
	end
end

module:hook("message/bare", send_message);