plugins/mod_authz_internal.lua @ 13170:082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
This gives us more granular control over different types of user account.
Accounts registered by IBR get assigned prosody:registered by default, while
accounts provisioned by an admin (e.g. via prosodyctl shell) will receive
prosody:member by default.
author | Matthew Wild <mwild1@gmail.com> |
date | Thu, 29 Jun 2023 15:36:13 +0100 |
parent | 12977:74b9e05af71e |
child | 13232:e0ab20519ce5 |
--- a/plugins/mod_authz_internal.lua	Thu Jun 29 15:31:46 2023 +0100
+++ b/plugins/mod_authz_internal.lua	Thu Jun 29 15:36:13 2023 +0100
@@ -11,10 +11,13 @@
 local host_suffix = host:gsub("^[^%.]+%.", "");
 local hosts = prosody.hosts;
+local is_anon_host = module:get_option_string("authentication") == "anonymous";
+local default_user_role = module:get_option_string("default_user_role", is_anon_host and "prosody:guest" or "prosody:registered");
+
 local is_component = hosts[host].type == "component";
 local host_user_role, server_user_role, public_user_role;
 if is_component then
-	host_user_role = module:get_option_string("host_user_role", "prosody:user");
+	host_user_role = module:get_option_string("host_user_role", "prosody:registered");
 	server_user_role = module:get_option_string("server_user_role");
 	public_user_role = module:get_option_string("public_user_role");
 end
@@ -48,23 +51,36 @@
 end
 -- Default roles
+
+-- For untrusted guest/anonymous users
 register_role {
-	name = "prosody:restricted";
+	name = "prosody:guest";
 	priority = 15;
 };
+-- For e.g. self-registered accounts
 register_role {
-	name = "prosody:user";
+	name = "prosody:registered";
 	priority = 25;
-	inherits = { "prosody:restricted" };
+	inherits = { "prosody:guest" };
 };
+
+-- For trusted/provisioned accounts
+register_role {
+	name = "prosody:member";
+	priority = 35;
+	inherits = { "prosody:registered" };
+};
+
+-- For administrators, e.g. of a host
 register_role {
 	name = "prosody:admin";
 	priority = 50;
-	inherits = { "prosody:user" };
+	inherits = { "prosody:member" };
 };
+-- For server operators (full access)
 register_role {
 	name = "prosody:operator";
 	priority = 75;
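Review bot: `default_user_role` is read from configuration at the top of the first hunk but is never checked against the role registry, so a misspelt or unknown value is only noticed when `role_registry[default_user_role]` in the third hunk yields nil and get_user_role returns neither a role nor an error. A check once the default roles have been registered would surface the misconfiguration at load time instead, e.g. `if not role_registry[default_user_role] then module:log("error", "Unknown default_user_role: %s", default_user_role); end`, assuming role_registry is populated by register_role as the later hunks suggest. The `host_user_role` value for component hosts is read the same way and would benefit from the same check if it is looked up in the registry elsewhere in the file.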
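Review bot: The role names `prosody:restricted` and `prosody:user` disappear from the registry in the second hunk without any alias, so an account whose stored `_default` still names one of them will miss in `role_registry[stored_roles._default]` in the third hunk and take the not-found branch there instead of its former role. Unless a migration handles this elsewhere, registering the old names as aliases of `prosody:guest` and `prosody:registered`, or rewriting stored values on load, would keep existing explicit grants effective; the mapping from old to new names also belongs in the commit message, which currently only describes the new defaults. Whether the not-found branch fails closed (no role) or falls back to the default is not visible in these hunks and should be confirmed before relying on it.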
@@ -128,11 +144,11 @@
 			return nil, err;
 		end
 		-- No role set, use default role
-		return role_registry["prosody:user"];
+		return role_registry[default_user_role];
 	end
 	if stored_roles._default == nil then
 		-- No primary role explicitly set, return default
-		return role_registry["prosody:user"];
+		return role_registry[default_user_role];
 	end
 	local primary_stored_role = role_registry[stored_roles._default];
 	if not primary_stored_role then
@@ -152,7 +168,7 @@
 		-- Primary role cannot be secondary role
 		[role_name] = role_map_store.remove;
 	};
-	if role_name == default_user_role then
+	if role_name == default_user_role then
 		-- Don't store default
 		keys_update._default = role_map_store.remove;
 	end
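Review bot: Skipping persistence when `role_name == default_user_role` in the last hunk ("Don't store default") ties an explicit role assignment to a configuration value that can change later: if an operator later switches `default_user_role` (for example from `prosody:registered` to `prosody:member`), every account that was explicitly set to the old default silently follows the new one, gaining or losing privilege with no change to the stored roles and nothing to audit. Either store the role regardless of whether it equals the current default, or document the trade-off at this line with something like `-- NOTE: the default role is not persisted; changing default_user_role re-roles every account that was set to it`. The enclosing function starts outside the hunk, so whether callers can rely on the stored value being present could not be checked here.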