core/moduleapi.lua @ 12690:546c7e0f3f31
core.moduleapi: Check for local role-aware sessions before e.g. s2s
The condition checked for s2sin but not s2sout, so it would have ignored
bidi-enabled s2sout sessions, and components as well.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 29 Aug 2022 11:47:31 +0200 |
| parent | 12662:07424992d7fc |
| child | 12874:b9468c8ac1d3 |
| 12689:1bc2220cd6ec | 12690:546c7e0f3f31 |
|---|---|
| 647 | 647 |
| 648 local session = context.origin or context.session; | 648 local session = context.origin or context.session; |
| 649 if type(session) ~= "table" then | 649 if type(session) ~= "table" then |
| 650 error("Unable to identify actor session from context"); | 650 error("Unable to identify actor session from context"); |
| 651 end | 651 end |
| 652 if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then | 652 if session.role and session.type == "c2s" and session.host == self.host then |
| 653 local permit = session.role:may(action, context); | |
| 654 if not permit then | |
| 655 self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)", | |
| 656 session.id, session.full_jid, action, session.role.name | |
| 657 ); | |
| 658 end | |
| 659 return permit; | |
| 660 else | |
| 653 local actor_jid = context.stanza.attr.from; | 661 local actor_jid = context.stanza.attr.from; |
| 654 local role = hosts[self.host].authz.get_jid_role(actor_jid); | 662 local role = hosts[self.host].authz.get_jid_role(actor_jid); |
| 655 if not role then | 663 if not role then |
| 656 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); | 664 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); |
| 657 return false; | 665 return false; |
| 659 local permit = role:may(action, context); | 667 local permit = role:may(action, context); |
| 660 if not permit then | 668 if not permit then |
| 661 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name); | 669 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name); |
| 662 end | 670 end |
| 663 return permit; | 671 return permit; |
| 664 elseif session.role then | |
| 665 local permit = session.role:may(action, context); | |
| 666 if not permit then | |
| 667 self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)", | |
| 668 session.id, session.full_jid, action, session.role.name | |
| 669 ); | |
| 670 end | |
| 671 return permit; | |
| 672 end | 672 end |
| 673 end | 673 end |
| 674 | 674 |
| 675 return api; | 675 return api; |
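Review bot: The `else` branch (new lines 661-671) reads `context.stanza.attr.from` without checking that the context has a stanza, and after this change every session that is not a local c2s session with a role lands there, including sessions that previously fell through without a decision. A context that carries only a session would now raise an index error inside the permission check instead of producing a logged denial; a guard before line 661 such as `if not context.stanza then self:log("debug", "Access denied: no stanza to identify actor for %s", action); return false; end` keeps the failure an explicit deny. A comment there would also help, e.g. `-- actor comes from the stanza's 'from'; relies on the s2s/component layer having verified it for this session`, because the decision now rests on that attribute for all remote and component traffic, and this section does not show where it is validated. The enclosing function starts above line 647, outside the visible section.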