plugins/muc/muc.lib.lua @ 6453:14b62ad88d8a
plugins/muc/muc.lib: Validate affiliations and roles to admin query get
author | daurnimator <quae@daurnimator.com> |
---|---|
date | Fri, 26 Sep 2014 17:43:00 -0400 |
parent | 6452:e692ea8c09a0 |
child | 6454:6842b07fc7bc |
6452:e692ea8c09a0 | 6453:14b62ad88d8a |
---|---|
732 function room_mt:handle_admin_query_get_command(origin, stanza) | 732 function room_mt:handle_admin_query_get_command(origin, stanza) |
733 local actor = stanza.attr.from; | 733 local actor = stanza.attr.from; |
734 local affiliation = self:get_affiliation(actor); | 734 local affiliation = self:get_affiliation(actor); |
735 local item = stanza.tags[1].tags[1]; | 735 local item = stanza.tags[1].tags[1]; |
736 local _aff = item.attr.affiliation; | 736 local _aff = item.attr.affiliation; |
737 local _aff_rank = valid_affiliations[_aff or "none"]; | |
737 local _rol = item.attr.role; | 738 local _rol = item.attr.role; |
738 if _aff and not _rol then | 739 if _aff and _aff_rank and not _rol then |
739 if affiliation == "owner" or (affiliation == "admin" and _aff ~= "owner" and _aff ~= "admin") then | 740 -- You need to be at least an admin, and be requesting info about your affifiliation or lower |
741 -- e.g. an admin can't ask for a list of owners | |
742 local affiliation_rank = valid_affiliations[affiliation]; | |
743 if affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank then | |
740 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); | 744 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); |
741 for jid, affiliation in pairs(self._affiliations) do | 745 for jid, affiliation in pairs(self._affiliations) do |
742 if affiliation == _aff then | 746 if affiliation == _aff then |
743 reply:tag("item", {affiliation = _aff, jid = jid}):up(); | 747 reply:tag("item", {affiliation = _aff, jid = jid}):up(); |
744 end | 748 end |
747 return true; | 751 return true; |
748 else | 752 else |
749 origin.send(st.error_reply(stanza, "auth", "forbidden")); | 753 origin.send(st.error_reply(stanza, "auth", "forbidden")); |
750 return true; | 754 return true; |
751 end | 755 end |
752 elseif _rol and not _aff then | 756 elseif _rol and valid_roles[_rol or "none"] and not _aff then |
753 local role = self:get_role(self:get_occupant_jid(actor)) or self:get_default_role(affiliation); | 757 local role = self:get_role(self:get_occupant_jid(actor)) or self:get_default_role(affiliation); |
754 if valid_roles[role or "none"] >= valid_roles.moderator then | 758 if valid_roles[role or "none"] >= valid_roles.moderator then |
755 if _rol == "none" then _rol = nil; end | 759 if _rol == "none" then _rol = nil; end |
756 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); | 760 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); |
757 -- TODO: whois check here? (though fully anonymous rooms are not supported) | 761 -- TODO: whois check here? (though fully anonymous rooms are not supported) |
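Review bot: The added rank check (new lines 742–743) looks up `valid_affiliations[affiliation]` with no fallback, so if `self:get_affiliation(actor)` can return nil for an unaffiliated sender (its definition is not visible here), `affiliation_rank` is nil and the `>=` comparison raises a Lua error instead of reaching the `forbidden` reply. The neighbouring lookups already guard with `or "none"`; assuming `valid_affiliations` has a `none` entry, as new line 737 suggests, I would write `local affiliation_rank = valid_affiliations[affiliation or "none"];` so that a query from any JID ends in the error reply rather than a traceback. In the role branch `_rol` is already known to be non-nil, so `valid_roles[_rol]` is enough, and the added comment misspells "affiliation" as "affifiliation". The function body continues past the visible lines.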