
plugins/mod_authz_internal.lua @ 13170:082c7d856e61

core, plugins: Split prosody:user role into prosody:{guest,registered,member} This gives us more granular control over different types of user account. Accounts registered by IBR get assigned prosody:registered by default, while accounts provisioned by an admin (e.g. via prosodyctl shell) will receive prosody:member by default.
author Matthew Wild <mwild1@gmail.com>
date Thu, 29 Jun 2023 15:36:13 +0100
parent 12977:74b9e05af71e
child 13232:e0ab20519ce5
--- a/plugins/mod_authz_internal.lua	Thu Jun 29 15:31:46 2023 +0100
+++ b/plugins/mod_authz_internal.lua	Thu Jun 29 15:36:13 2023 +0100
@@ -11,10 +11,13 @@
 local host_suffix = host:gsub("^[^%.]+%.", "");
 
 local hosts = prosody.hosts;
+local is_anon_host = module:get_option_string("authentication") == "anonymous";
+local default_user_role = module:get_option_string("default_user_role", is_anon_host and "prosody:guest" or "prosody:registered");
+
 local is_component = hosts[host].type == "component";
 local host_user_role, server_user_role, public_user_role;
 if is_component then
-	host_user_role = module:get_option_string("host_user_role", "prosody:user");
+	host_user_role = module:get_option_string("host_user_role", "prosody:registered");
 	server_user_role = module:get_option_string("server_user_role");
 	public_user_role = module:get_option_string("public_user_role");
 end
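Review bot: The added `default_user_role` option is accepted as-is, with no check that it names a role that is actually registered, so a configuration typo makes the later fallback `return role_registry[default_user_role];` (in the hunk at -128,11) return nil for every account without a stored role, and whether callers cope with a nil role is not visible in this diff. Because the built-in roles are registered further down the file, a check placed after the default-roles block, e.g. `assert(role_registry[default_user_role], "default_user_role must name a registered role");`, would turn a misconfiguration into a clear startup error rather than accounts silently ending up with no role. This presumes `role_registry` is in scope at that point, which the diff does not show.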
@@ -48,23 +51,36 @@
 end
 
 -- Default roles
+
+-- For untrusted guest/anonymous users
 register_role {
-	name = "prosody:restricted";
+	name = "prosody:guest";
 	priority = 15;
 };
 
+-- For e.g. self-registered accounts
 register_role {
-	name = "prosody:user";
+	name = "prosody:registered";
 	priority = 25;
-	inherits = { "prosody:restricted" };
+	inherits = { "prosody:guest" };
 };
 
+
+-- For trusted/provisioned accounts
+register_role {
+	name = "prosody:member";
+	priority = 35;
+	inherits = { "prosody:registered" };
+};
+
+-- For administrators, e.g. of a host
 register_role {
 	name = "prosody:admin";
 	priority = 50;
-	inherits = { "prosody:user" };
+	inherits = { "prosody:member" };
 };
 
+-- For server operators (full access)
 register_role {
 	name = "prosody:operator";
 	priority = 75;
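Review bot: The rename of `prosody:restricted` to `prosody:guest` and `prosody:user` to `prosody:registered` registers nothing under the old names, so any role that an existing deployment has persisted under one of them would no longer resolve at `role_registry[stored_roles._default]` in a later hunk and would fall into the `not primary_stored_role` branch, whose handling lies outside this diff. If stored roles can carry the old names, a compatibility lookup mapping them onto the new ones, or a store migration, is needed alongside this change. At minimum a comment by the default-roles block such as `-- Renamed from prosody:restricted / prosody:user; previously stored role names are not mapped` would record the gap for whoever hits it.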
@@ -128,11 +144,11 @@
 			return nil, err;
 		end
 		-- No role set, use default role
-		return role_registry["prosody:user"];
+		return role_registry[default_user_role];
 	end
 	if stored_roles._default == nil then
 		-- No primary role explicitly set, return default
-		return role_registry["prosody:user"];
+		return role_registry[default_user_role];
 	end
 	local primary_stored_role = role_registry[stored_roles._default];
 	if not primary_stored_role then
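Review bot: With `default_user_role` now coming from configuration, and the hunk at -152,7 still skipping persistence for it (`if role_name == default_user_role then -- Don't store default`), an account's effective role follows the option's current value instead of what was assigned: changing the option from `prosody:registered` to `prosody:member` silently promotes every account that has no stored `_default`, and the reverse change silently demotes them. Either persisting the role even when it equals the default, or stating this in the fallback comment, e.g. `-- No role set: the effective role tracks the default_user_role option and changes with it`, would make the behaviour deliberate rather than incidental. The enclosing function begins before this hunk.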
@@ -152,7 +168,7 @@
 		-- Primary role cannot be secondary role
 		[role_name] = role_map_store.remove;
 	};
-	if role_name == "prosody:user" then
+	if role_name == default_user_role then
 		-- Don't store default
 		keys_update._default = role_map_store.remove;
 	end