prosody
9097149923ae
plugins/mod_http_file_share.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

plugins/mod_http_file_share.lua @ 13259:9097149923ae

mod_http_file_share: Switch to the new authz API (BC) Behavior change: It becomes up to the authorization module whether to allow requests. The default, mod_authz_internal, will allow users on the *parent* host only, breaking use by some components. Remaining question is whether to deprecate the `http_file_share_access` setting or leave as a way to complement/bypass access control?
author Kim Alvefur <zash@zash.se>
date Sat, 16 Sep 2023 14:23:08 +0200
parent 13230:26c30844cac6
child 13266:9c62ffbdf2ae
comparison
equal deleted inserted replaced
13258:c8c0cfb7f5df 13259:9097149923ae
45 45
46 local create_jwt, verify_jwt = require"prosody.util.jwt".init("HS256", secret, secret, { default_ttl = 600 }); 46 local create_jwt, verify_jwt = require"prosody.util.jwt".init("HS256", secret, secret, { default_ttl = 600 });
47 47
48 local access = module:get_option_set(module.name .. "_access", {}); 48 local access = module:get_option_set(module.name .. "_access", {});
49 49
50 module:default_permission("prosody:registered", ":upload");
51
50 if not external_base_url then 52 if not external_base_url then
51 module:depends("http"); 53 module:depends("http");
52 end 54 end
53 55
54 module:add_extension(dataform { 56 module:add_extension(dataform {
134 return total_bytes; 136 return total_bytes;
135 end 137 end
136 138
137 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error 139 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error
138 local uploader_host = jid.host(uploader); 140 local uploader_host = jid.host(uploader);
139 if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then 141 if not (module:may(":upload", uploader) or access:contains(uploader) or access:contains(uploader_host)) then
140 return false, upload_errors.new("access"); 142 return false, upload_errors.new("access");
141 end 143 end
142 144
143 if not filename or filename:find"/" then 145 if not filename or filename:find"/" then
144 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML 146 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML