
plugins/mod_authz_internal.lua @ 13170:082c7d856e61

core, plugins: Split prosody:user role into prosody:{guest,registered,member} This gives us more granular control over different types of user account. Accounts registered by IBR get assigned prosody:registered by default, while accounts provisioned by an admin (e.g. via prosodyctl shell) will receive prosody:member by default.
author Matthew Wild <mwild1@gmail.com>
date Thu, 29 Jun 2023 15:36:13 +0100
parent 12977:74b9e05af71e
child 13232:e0ab20519ce5
13169:7b6e7290265b 13170:082c7d856e61
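--- a/plugins/mod_authz_internal.lua
+++ b/plugins/mod_authz_internal.lua
@@ -9,14 +9,17 @@
 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
 local host = module.host;
 local host_suffix = host:gsub("^[^%.]+%.", "");
 
 local hosts = prosody.hosts;
+local is_anon_host = module:get_option_string("authentication") == "anonymous";
+local default_user_role = module:get_option_string("default_user_role", is_anon_host and "prosody:guest" or "prosody:registered");
+
 local is_component = hosts[host].type == "component";
 local host_user_role, server_user_role, public_user_role;
 if is_component then
-host_user_role = module:get_option_string("host_user_role", "prosody:user");
+host_user_role = module:get_option_string("host_user_role", "prosody:registered");
 server_user_role = module:get_option_string("server_user_role");
 public_user_role = module:get_option_string("public_user_role");
 end
 
 local role_store = module:open_store("account_roles");
@@ -46,27 +49,40 @@
 end
 role_registry[role.name] = role;
 end
 
 -- Default roles
-register_role {
-name = "prosody:restricted";
+
+-- For untrusted guest/anonymous users
+register_role {
+name = "prosody:guest";
 priority = 15;
 };
 
-register_role {
-name = "prosody:user";
+-- For e.g. self-registered accounts
+register_role {
+name = "prosody:registered";
 priority = 25;
-inherits = { "prosody:restricted" };
+inherits = { "prosody:guest" };
 };
 
+
+-- For trusted/provisioned accounts
+register_role {
+name = "prosody:member";
+priority = 35;
+inherits = { "prosody:registered" };
+};
+
+-- For administrators, e.g. of a host
 register_role {
 name = "prosody:admin";
 priority = 50;
-inherits = { "prosody:user" };
+inherits = { "prosody:member" };
 };
 
+-- For server operators (full access)
 register_role {
 name = "prosody:operator";
 priority = 75;
 inherits = { "prosody:admin" };
 };
@@ -126,15 +142,15 @@
 if err then
 -- Unable to fetch role, fail
 return nil, err;
 end
 -- No role set, use default role
-return role_registry["prosody:user"];
+return role_registry[default_user_role];
 end
 if stored_roles._default == nil then
 -- No primary role explicitly set, return default
-return role_registry["prosody:user"];
+return role_registry[default_user_role];
 end
 local primary_stored_role = role_registry[stored_roles._default];
 if not primary_stored_role then
 return nil, "unknown-role";
 end
@@ -150,11 +166,11 @@
 local keys_update = {
 _default = role_name;
 -- Primary role cannot be secondary role
 [role_name] = role_map_store.remove;
 };
-if role_name == "prosody:user" then
+if role_name == default_user_role then
 -- Don't store default
 keys_update._default = role_map_store.remove;
 end
 local ok, err = role_map_store:set_keys(user, keys_update);
 if not ok then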
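Review bot: In the hunk at new lines 142-156, both `return role_registry[default_user_role];` sites return a bare `nil` when the configured `default_user_role` names no registered role, whereas the stored-role path a few lines below returns `nil, "unknown-role"`; a typo in the option therefore silently leaves every account without a default role and callers get no error to report. The option is read at line 15, before the roles are registered at lines 54-88, so it cannot be validated where it is read; check it at the point of use instead, replacing each of the two returns with `local default_role = role_registry[default_user_role];` / `if not default_role then return nil, "unknown-role"; end` / `return default_role;`. The enclosing function (presumably get_user_role) starts outside the hunk.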