prosody-modules
Changeset
49:59f490390528
mod_adhoc, mod_adhoc_cmd_admin: Check permissions in one place for all commands
author | Florian Zeitz <florob@babelmonkeys.de> |
---|---|
date | Sat, 17 Oct 2009 01:37:25 +0200 (2009-10-16) |
parents | 48:7fbaf590dc12 |
children | 50:a96d3f37d845 |
files | mod_adhoc/adhoc/mod_adhoc.lua mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua |
diffstat | 2 files changed, 8 insertions(+), 13 deletions(-) [+] |
--- a/mod_adhoc/adhoc/mod_adhoc.lua Sat Oct 17 01:36:25 2009 +0200
+++ b/mod_adhoc/adhoc/mod_adhoc.lua Sat Oct 17 01:37:25 2009 +0200
@@ -34,6 +34,14 @@
 local node = stanza.tags[1].attr.node
 for i = 1, #commands do
 if commands[i].node == node then
+ -- check whether user has permission to execute this command first
+ if commands[i].permission == "admin" and not is_admin(stanza.attr.from) then
+ origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to execute this command"):up()
+ :add_child(commands[i]:cmdtag("canceled")
+ :tag("note", {type="error"}):text("You don't have permission to execute this command")));
+ return true
+ end
+ -- User has permission now execute the command
 return commands[i].handler(commands[i], origin, stanza);
 end
 end
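Review bot: The guard added at the top of the `commands[i].node == node` branch fails open: it denies only when `permission` is exactly `"admin"`, so a command whose descriptor omits the field or misspells the value is dispatched for any sender. Because this commit also deletes the `is_admin` checks inside `add_user_command_handler` and `get_online_users_command_handler`, those two handlers now depend entirely on their descriptors carrying `permission = "admin"`, which is not visible in these hunks and should be confirmed. It would be safer to validate `permission` when a command is registered and refuse any value this check does not understand, rather than treating everything that is not `"admin"` as public. The removed add-user check also logged the denied attempt, and the central branch drops that audit trail; I would add `module:log("warn", "Non-admin %s tried to execute command %s", tostring(stanza.attr.from), tostring(node));` before the `origin.send`. The enclosing handler starts and ends outside the hunk.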
--- a/mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua Sat Oct 17 01:36:25 2009 +0200
+++ b/mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua Sat Oct 17 01:37:25 2009 +0200
@@ -39,13 +39,6 @@
 };
 function add_user_command_handler(item, origin, stanza)
- if not is_admin(stanza.attr.from) then
- module:log("warn", "Non-admin %s tried to add a user", tostring(jid.bare(stanza.attr.from)));
- origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to add a user"):up()
- :add_child(item:cmdtag("canceled")
- :tag("note", {type="error"}):text("You don't have permission to add a user")));
- return true;
- end
 if stanza.tags[1].attr.sessionid and sessions[stanza.tags[1].attr.sessionid] then
 if stanza.tags[1].attr.action == "cancel" then
 origin.send(st.reply(stanza):add_child(item:cmdtag("canceled", stanza.tags[1].attr.sessionid)));
@@ -96,12 +89,6 @@
 end
 function get_online_users_command_handler(item, origin, stanza)
- if not is_admin(stanza.attr.from) then
- origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to request a list of online users"):up()
- :add_child(item:cmdtag("canceled")
- :tag("note", {type="error"}):text("You don't have permission to request a list of online users")));
- return true;
- end
 if stanza.tags[1].attr.sessionid and sessions[stanza.tags[1].attr.sessionid] then
 if stanza.tags[1].attr.action == "cancel" then
 origin.send(st.reply(stanza):add_child(item:cmdtag("canceled", stanza.tags[1].attr.sessionid)));