Changeset

16:35e74c1094a7

mod_privacy: order must be non-negativ integer and unique, group must be existing in the roster, subscription can only be to,from,both or none, action must be either deny or allow.
author Thilo Cestonaro <thilo@cestona.ro>
date Mon, 28 Sep 2009 18:17:20 +0200
parents 15:14b18ef8b554
children 17:ccb07c0efc7e
files mod_privacy/mod_privacy.lua
diffstat 1 files changed, 45 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mod_privacy/mod_privacy.lua	Sat Sep 26 22:30:33 2009 +0200
+++ b/mod_privacy/mod_privacy.lua	Mon Sep 28 18:17:20 2009 +0200
@@ -15,6 +15,8 @@
 local util_Jid = require "util.jid";
 local jid_bare = util_Jid.bare;
 local jid_split = util_Jid.split;
+local load_roster = require "core.rostermanager".load_roster;
+local to_number = _G.tonumber;
 
 function findNamedList (privacy_lists, name)
 	local ret = nil
@@ -77,7 +79,7 @@
 	return false;
 end
 
-function createOrReplaceList (privacy_lists, origin, stanza, name, entries)
+function createOrReplaceList (privacy_lists, origin, stanza, name, entries, roster)
 	module:log("info", "User requests to create / replace list named %s, item count: %d", name, #entries);
 	local ret = true;
 	local idx = findNamedList(privacy_lists, name);
@@ -91,16 +93,22 @@
 		idx = #privacy_lists.lists + 1;
 	end
 
+	local orderCheck = {};
 	local list = {};
 	list.name = name;
 	list.items = {};
 
 	for _,item in ipairs(entries) do
+		if to_number(item.attr.order) == nil or to_number(item.attr.order) < 0 or orderCheck[item.attr.order] ~= nil then
+			return "bad-request";
+		end
 		local tmp = {};
+		orderCheck[item.attr.order] = true;
+		
 		tmp["type"] = item.attr.type;
 		tmp["value"] = item.attr.value;
 		tmp["action"] = item.attr.action;
-		tmp["order"] = item.attr.order;
+		tmp["order"] = to_number(item.attr.order);
 		tmp["presence-in"] = false;
 		tmp["presence-out"] = false;
 		tmp["message"] = false;
@@ -111,6 +119,35 @@
 				tmp[tag.name] = true;
 			end
 		end
+		
+		if tmp.type == "group" then
+			local found = false;
+			local roster = load_roster(origin.username, origin.host);
+			local groups = roster.groups;
+			if groups == nil then
+				return "item-not-found";
+			end
+			for _,group in ipairs(groups) do
+				if group == tmp.value then
+					found = true;
+				end
+			end
+			if found == false then
+				return "item-not-found";
+			end
+		elseif tmp.type == "subscription" then
+			if	tmp.value ~= "both" and
+				tmp.value ~= "to" and
+				tmp.value ~= "from" and
+				tmp.value ~= "none" then
+				return "bad-request";
+			end
+		end
+		
+		if tmp.action ~= "deny" and tmp.action ~= "allow" then
+			return "bad-request";
+		end
+		
 		list.items[#list.items + 1] = tmp;
 	end
 	
@@ -195,6 +232,10 @@
 							valid = deleteList(privacy_lists, origin, stanza, tag.attr.name);
 						else -- Client edits a privacy list
 							valid = createOrReplaceList(privacy_lists, origin, stanza, tag.attr.name, tag.tags)
+							if valid ~= true then
+								err_reply = st.error_reply(stanza, "cancel", valid);
+								valid = false;
+							end
 						end
 					end
 				end
@@ -289,7 +330,8 @@
 					apply = true;
 					block = (item.action == "deny");
 				elseif item.type == "group" then
-					local groups = origin.roster[jid_bare(stanza.from)].groups;
+					local roster = load_roster(node_, host_);
+					local groups = roster.groups;
 					for _,group in ipairs(groups) do
 						if group == item.value then
 							module:log("debug", "group matched.");