core/moduleapi.lua @ 12994:5625da6ae6b6
moduleapi: may: Fail early if a local session has no role assigned
We expect every session to explicitly have a role assigned. Falling back to
any kind of "default" role (even the user's default role) in the absence of
an explicit role could open up the possibility of accidental privilege
escalation.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sat, 25 Mar 2023 19:38:41 +0000 |
| parent | 12972:ead41e25ebc0 |
| child | 12995:e385f3a06673 |
--- a/core/moduleapi.lua Sun Mar 26 16:51:33 2023 +0200 +++ b/core/moduleapi.lua Sat Mar 25 19:38:41 2023 +0000 @@ -653,11 +653,16 @@ if type(session) ~= "table" then error("Unable to identify actor session from context"); end - if session.role and session.type == "c2s" and session.host == self.host then - local permit = session.role:may(action, context); + if session.type == "c2s" and session.host == self.host then + local role = session.role; + if not role then + self:log("warn", "Access denied: session %s has no role assigned"); + return false; + end + local permit = role:may(action, context); if not permit then self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)", - session.id, session.full_jid, action, session.role.name + session.id, session.full_jid, action, role.name ); end return permit;
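Review bot: the new warning `self:log("warn", "Access denied: session %s has no role assigned");` contains a `%s` placeholder but passes no argument for it, so the session id never reaches the log (and, depending on the logger's formatting, may produce a format error instead of a message); pass `session.id` as the debug line a few lines below does, e.g. `self:log("warn", "Access denied: session %s has no role assigned", session.id);`. The rest of the hunk is sound: moving the `session.role` test inside the local-c2s branch and returning `false` there turns a missing role into an explicit deny rather than letting the call fall through to the non-local handling, which is the fail-closed behaviour the commit message asks for, and switching the debug line to `role.name` keeps it consistent with the new local.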