Software /
code /
prosody
Diff
plugins/mod_tokenauth.lua @ 13099:a1ba503610ed
mod_tokenauth: Support selection of _no_ role at all
If a grant does not have a role, we should not go and make one up.
While not very useful for XMPP if you can't even login, it may be useful
for OAuth2/OIDC.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 07 May 2023 20:34:07 +0200 |
parent | 13098:65d2ff6e674e |
child | 13209:c8d949cf6b09 |
line wrap: on
line diff
--- a/plugins/mod_tokenauth.lua Sun May 07 20:33:03 2023 +0200 +++ b/plugins/mod_tokenauth.lua Sun May 07 20:34:07 2023 +0200 @@ -10,11 +10,12 @@ local access_time_granularity = module:get_option_number("token_auth_access_time_granularity", 60); -local function select_role(username, host, role) - if role then - return prosody.hosts[host].authz.get_role_by_name(role); - end - return usermanager.get_user_role(username, host); +local function select_role(username, host, role_name) + if not role_name then return end + local role = usermanager.get_role_by_name(role_name, host); + if not role then return end + if not usermanager.user_can_assume_role(username, host, role.name) then return end + return role; end function create_grant(actor_jid, grant_jid, grant_ttl, grant_data)