
core/usermanager.lua @ 12662:07424992d7fc

mod_authz_internal, and more: New iteration of role API These changes to the API (hopefully the last) introduce a cleaner separation between the user's primary (default) role, and their secondary (optional) roles. To keep the code sane and reduce complexity, a data migration is needed for people using stored roles in 0.12. This can be performed with prosodyctl mod_authz_internal migrate <host>
author Matthew Wild <mwild1@gmail.com>
date Wed, 17 Aug 2022 16:38:53 +0100
parent 12659:c0eea4f6c739
child 12663:cf88f6b03942
12661:1c391c17a907 12662:07424992d7fc
35 end 35 end
36 36
37 local fallback_authz_provider = { 37 local fallback_authz_provider = {
38 get_user_roles = function (user) end; --luacheck: ignore 212/user 38 get_user_roles = function (user) end; --luacheck: ignore 212/user
39 get_jids_with_role = function (role) end; --luacheck: ignore 212 39 get_jids_with_role = function (role) end; --luacheck: ignore 212
40 set_user_roles = function (user, roles) end; -- luacheck: ignore 212 40
41 set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212 41 get_user_role = function (user) end; -- luacheck: ignore 212
42 42 set_user_role = function (user, roles) end; -- luacheck: ignore 212
43 get_user_default_role = function (user) end; -- luacheck: ignore 212 43
44 add_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212
45 remove_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212
46
47 get_jid_role = function (jid) end; -- luacheck: ignore 212
48 set_jid_role = function (jid, role) end; -- luacheck: ignore 212
49
44 get_users_with_role = function (role_name) end; -- luacheck: ignore 212 50 get_users_with_role = function (role_name) end; -- luacheck: ignore 212
45 get_jid_role = function (jid) end; -- luacheck: ignore 212
46 set_jid_role = function (jid) end; -- luacheck: ignore 212
47 add_default_permission = function (role_name, action, policy) end; -- luacheck: ignore 212 51 add_default_permission = function (role_name, action, policy) end; -- luacheck: ignore 212
48 get_role_by_name = function (role_name) end; -- luacheck: ignore 212 52 get_role_by_name = function (role_name) end; -- luacheck: ignore 212
49 }; 53 };
50 54
51 local provider_mt = { __index = new_null_provider() }; 55 local provider_mt = { __index = new_null_provider() };
138 142
139 local function get_provider(host) 143 local function get_provider(host)
140 return hosts[host].users; 144 return hosts[host].users;
141 end 145 end
142 146
143 -- Returns a map of { [role_name] = role, ... } that a user is allowed to assume 147 local function get_user_role(user, host)
144 local function get_user_roles(user, host) 148 if host and not hosts[host] then return false; end
145 if host and not hosts[host] then return false; end 149 if type(user) ~= "string" then return false; end
146 if type(user) ~= "string" then return false; end 150
147 151 return hosts[host].authz.get_user_role(user);
148 return hosts[host].authz.get_user_roles(user); 152 end
149 end 153
150 154 local function set_user_role(user, host, role_name)
151 local function get_user_default_role(user, host) 155 if host and not hosts[host] then return false; end
152 if host and not hosts[host] then return false; end 156 if type(user) ~= "string" then return false; end
153 if type(user) ~= "string" then return false; end 157
154 158 local role, err = hosts[host].authz.set_user_role(user, role_name);
155 return hosts[host].authz.get_user_default_role(user); 159 if role then
156 end 160 prosody.events.fire_event("user-role-changed", {
157 161 username = user, host = host, role = role;
158 -- Accepts a set of role names which the user is allowed to assume 162 });
159 local function set_user_roles(user, host, roles) 163 end
160 if host and not hosts[host] then return false; end 164 return role, err;
161 if type(user) ~= "string" then return false; end 165 end
162 166
163 local ok, err = hosts[host].authz.set_user_roles(user, roles); 167 local function add_user_secondary_role(user, host, role_name)
168 if host and not hosts[host] then return false; end
169 if type(user) ~= "string" then return false; end
170
171 local role, err = hosts[host].authz.add_user_secondary_role(user, role_name);
172 if role then
173 prosody.events.fire_event("user-role-added", {
174 username = user, host = host, role = role;
175 });
176 end
177 return role, err;
178 end
179
180 local function remove_user_secondary_role(user, host, role_name)
181 if host and not hosts[host] then return false; end
182 if type(user) ~= "string" then return false; end
183
184 local ok, err = hosts[host].authz.remove_user_secondary_role(user, role_name);
164 if ok then 185 if ok then
165 prosody.events.fire_event("user-roles-changed", { 186 prosody.events.fire_event("user-role-removed", {
166 username = user, host = host 187 username = user, host = host, role_name = role_name;
167 }); 188 });
168 end 189 end
169 return ok, err; 190 return ok, err;
191 end
192
193 local function get_user_secondary_roles(user, host)
194 if host and not hosts[host] then return false; end
195 if type(user) ~= "string" then return false; end
196
197 return hosts[host].authz.get_user_secondary_roles(user);
170 end 198 end
171 199
172 local function get_jid_role(jid, host) 200 local function get_jid_role(jid, host)
173 local jid_node, jid_host = jid_split(jid); 201 local jid_node, jid_host = jid_split(jid);
174 if host == jid_host and jid_node then 202 if host == jid_host and jid_node then
175 return hosts[host].authz.get_user_default_role(jid_node); 203 return hosts[host].authz.get_user_role(jid_node);
176 end 204 end
177 return hosts[host].authz.get_jid_role(jid); 205 return hosts[host].authz.get_jid_role(jid);
178 end 206 end
179 207
180 local function set_jid_role(jid, host, role_name) 208 local function set_jid_role(jid, host, role_name)
228 create_user = create_user; 256 create_user = create_user;
229 delete_user = delete_user; 257 delete_user = delete_user;
230 users = users; 258 users = users;
231 get_sasl_handler = get_sasl_handler; 259 get_sasl_handler = get_sasl_handler;
232 get_provider = get_provider; 260 get_provider = get_provider;
233 get_user_default_role = get_user_default_role; 261 get_user_role = get_user_role;
234 get_user_roles = get_user_roles; 262 set_user_role = set_user_role;
235 set_user_roles = set_user_roles; 263 add_user_secondary_role = add_user_secondary_role;
264 remove_user_secondary_role = remove_user_secondary_role;
265 get_user_secondary_roles = get_user_secondary_roles;
236 get_users_with_role = get_users_with_role; 266 get_users_with_role = get_users_with_role;
237 get_jid_role = get_jid_role; 267 get_jid_role = get_jid_role;
238 set_jid_role = set_jid_role; 268 set_jid_role = set_jid_role;
239 get_jids_with_role = get_jids_with_role; 269 get_jids_with_role = get_jids_with_role;
240 get_role_by_name = get_role_by_name; 270 get_role_by_name = get_role_by_name;
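Review bot: `get_user_secondary_roles` (new line 197) calls `hosts[host].authz.get_user_secondary_roles(user)`, but the updated `fallback_authz_provider` (new lines 38–52) defines no stub of that name, so a host still running on the fallback would fail with a nil call instead of the no-op `nil` the other stubs give; the table at line 38 should gain `get_user_secondary_roles = function (user) end; -- luacheck: ignore 212`. The same stub table now misstates the provider contract it is the only in-file description of: `set_user_role = function (user, roles) end` where the wrapper at line 158 passes a single `role_name`, and `add_user_secondary_role`/`remove_user_secondary_role = function (user, host, role_name)` where the wrappers at lines 171 and 184 pass only `(user, role_name)` — inert, but misleading for anyone implementing a provider, and `get_user_roles` from the old API is still listed. The event payloads are also inconsistent: `user-role-changed` and `user-role-added` carry `role = role` while `user-role-removed` carries `role_name = role_name`, so any handler auditing privilege changes needs two code paths; a comment above the wrappers stating which field each event carries, or normalising on one, would help. Whether the fallback is ever installed as a live `authz` is not visible in this view, so the first point is inferred from the stub table's purpose.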