Comparison
core/usermanager.lua @ 12662:07424992d7fc
mod_authz_internal, and more: New iteration of role API
These changes to the API (hopefully the last) introduce a cleaner separation
between the user's primary (default) role, and their secondary (optional)
roles.
To keep the code sane and reduce complexity, a data migration is needed for
people using stored roles in 0.12. This can be performed with
prosodyctl mod_authz_internal migrate <host>
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 17 Aug 2022 16:38:53 +0100 |
| parent | 12659:c0eea4f6c739 |
| child | 12663:cf88f6b03942 |
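--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -35,17 +35,21 @@
 end
 
 local fallback_authz_provider = {
 	get_user_roles = function (user) end; --luacheck: ignore 212/user
 	get_jids_with_role = function (role) end; --luacheck: ignore 212
-	set_user_roles = function (user, roles) end; -- luacheck: ignore 212
-	set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212
-
-	get_user_default_role = function (user) end; -- luacheck: ignore 212
+
+	get_user_role = function (user) end; -- luacheck: ignore 212
+	set_user_role = function (user, roles) end; -- luacheck: ignore 212
+
+	add_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212
+	remove_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212
+
+	get_jid_role = function (jid) end; -- luacheck: ignore 212
+	set_jid_role = function (jid, role) end; -- luacheck: ignore 212
+
 	get_users_with_role = function (role_name) end; -- luacheck: ignore 212
-	get_jid_role = function (jid) end; -- luacheck: ignore 212
-	set_jid_role = function (jid) end; -- luacheck: ignore 212
 	add_default_permission = function (role_name, action, policy) end; -- luacheck: ignore 212
 	get_role_by_name = function (role_name) end; -- luacheck: ignore 212
 };
 
 local provider_mt = { __index = new_null_provider() };
@@ -138,43 +142,67 @@
 
 local function get_provider(host)
 	return hosts[host].users;
 end
 
--- Returns a map of { [role_name] = role, ... } that a user is allowed to assume
-local function get_user_roles(user, host)
-	if host and not hosts[host] then return false; end
-	if type(user) ~= "string" then return false; end
-
-	return hosts[host].authz.get_user_roles(user);
-end
-
-local function get_user_default_role(user, host)
-	if host and not hosts[host] then return false; end
-	if type(user) ~= "string" then return false; end
-
-	return hosts[host].authz.get_user_default_role(user);
-end
-
--- Accepts a set of role names which the user is allowed to assume
-local function set_user_roles(user, host, roles)
-	if host and not hosts[host] then return false; end
-	if type(user) ~= "string" then return false; end
-
-	local ok, err = hosts[host].authz.set_user_roles(user, roles);
+local function get_user_role(user, host)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+
+	return hosts[host].authz.get_user_role(user);
+end
+
+local function set_user_role(user, host, role_name)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+
+	local role, err = hosts[host].authz.set_user_role(user, role_name);
+	if role then
+		prosody.events.fire_event("user-role-changed", {
+			username = user, host = host, role = role;
+		});
+	end
+	return role, err;
+end
+
+local function add_user_secondary_role(user, host, role_name)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+
+	local role, err = hosts[host].authz.add_user_secondary_role(user, role_name);
+	if role then
+		prosody.events.fire_event("user-role-added", {
+			username = user, host = host, role = role;
+		});
+	end
+	return role, err;
+end
+
+local function remove_user_secondary_role(user, host, role_name)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+
+	local ok, err = hosts[host].authz.remove_user_secondary_role(user, role_name);
 	if ok then
-		prosody.events.fire_event("user-roles-changed", {
-			username = user, host = host
+		prosody.events.fire_event("user-role-removed", {
+			username = user, host = host, role_name = role_name;
 		});
 	end
 	return ok, err;
+end
+
+local function get_user_secondary_roles(user, host)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+
+	return hosts[host].authz.get_user_secondary_roles(user);
 end
 
 local function get_jid_role(jid, host)
 	local jid_node, jid_host = jid_split(jid);
 	if host == jid_host and jid_node then
-		return hosts[host].authz.get_user_default_role(jid_node);
+		return hosts[host].authz.get_user_role(jid_node);
 	end
 	return hosts[host].authz.get_jid_role(jid);
 end
 
 local function set_jid_role(jid, host, role_name)
@@ -228,13 +256,15 @@
 	create_user = create_user;
 	delete_user = delete_user;
 	users = users;
 	get_sasl_handler = get_sasl_handler;
 	get_provider = get_provider;
-	get_user_default_role = get_user_default_role;
-	get_user_roles = get_user_roles;
-	set_user_roles = set_user_roles;
+	get_user_role = get_user_role;
+	set_user_role = set_user_role;
+	add_user_secondary_role = add_user_secondary_role;
+	remove_user_secondary_role = remove_user_secondary_role;
+	get_user_secondary_roles = get_user_secondary_roles;
 	get_users_with_role = get_users_with_role;
 	get_jid_role = get_jid_role;
 	set_jid_role = set_jid_role;
 	get_jids_with_role = get_jids_with_role;
 	get_role_by_name = get_role_by_name;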
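Review bot: The fallback_authz_provider stubs added in the first hunk do not match the calling convention the new wrappers use: `add_user_secondary_role` and `remove_user_secondary_role` are stubbed as `(user, host, role_name)` but invoked as `authz.add_user_secondary_role(user, role_name)`, and `get_user_secondary_roles`, invoked at new line 197, has no stub at all. A host that ends up on the fallback provider would therefore raise "attempt to call a nil value" from get_user_secondary_roles instead of returning the fail-closed nil the other stubs give; where the fallback is actually installed is not visible in this diff, so the impact is inferred. Suggest adding `get_user_secondary_roles = function (user) end; -- luacheck: ignore 212` to the table and changing the two secondary-role stubs to `function (user, role_name) end` so their arity matches the wrappers. The `set_user_role` stub's second parameter could also be renamed from `roles` to `role_name`, since it now receives a single role name rather than a set.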