prosody
c0eea4f6c739
CHANGES
Software / code / prosody
File
CHANGES @ 12659:c0eea4f6c739
usermanager: Add back temporary is_admin to warn about deprecated API usage
Goal: Introduce role-auth with minimal disruption
is_admin() is unsafe in a system with per-session permissions, so it has been
deprecated.
Roll-out approach:
1) First, log a warning when is_admin() is used. It should continue to
function normally, backed by the new role API. Nothing is really using
per-session authz yet, so there is minimal security concern.
The 'strict_deprecate_is_admin' global setting can be set to 'true' to
force a hard failure of is_admin() attempts (it will log an error and
always return false).
2) In some time (at least 1 week), but possibly longer depending on the number
of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by
default. It can still be disabled for systems that need it.
3) Further in the future, before the next release, the option will be removed
and is_admin() will be permanently disabled.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 15 Aug 2022 15:25:07 +0100 |
| parent | 12635:f928cb5c5d04 |
| child | 12673:2d330edf8bf2 |
line wrap: on
line source
TRUNK ===== ## New ### Administration - Add 'watch log' command to follow live debug logs at runtime (even if disabled) ### Networking - Honour 'weight' parameter during SRV record selection - Support for RFC 8305 "Happy Eyeballs" to improve IPv4/IPv6 connectivity - Support for TCP Fast Open in server_epoll (pending LuaSocket support) - Support for deferred accept in server_epoll (pending LuaSocket support) ### Security and authentication - Advertise supported SASL Channel-Binding types (XEP-0440) - Implement RFC 9266 'tls-exporter' channel binding with TLS 1.3 ## Changes - Support sub-second precision timestamps ## Removed - Lua 5.1 support - XEP-0090 support removed from mod_time 0.12.0 ====== **2022-03-14** ## New ### Modules - mod_mimicking: Prevent address spoofing - mod_s2s_bidi: Bi-directional server-to-server (XEP-0288) - mod_external_services: generic XEP-0215 support - mod_turn_external: easy setup XEP-0215 for STUN+TURN - mod_http_file_share: File sharing via HTTP (XEP-0363) - mod_http_openmetrics for exposing metrics to stats collectors - mod_smacks: Stream management and resumption (XEP-0198) - mod_auth_ldap: LDAP authentication - mod_cron: One module to rule all the periodic tasks - mod_admin_shell: New home of the Console admin interface - mod_admin_socket: Enable secure connections to the Console - mod_tombstones: Prevent registration of deleted accounts - mod_invites: Create and manage invites - mod_invites_register: Create accounts using invites - mod_invites_adhoc: Create invites via AdHoc command - mod_bookmarks: Synchronise open rooms between clients ### Security and authentication - SNI support (including automatic certificate selection) - ALPN support in mod_net_multiplex - DANE support in low-level network layer - Direct TLS support (c2s and s2s) - SCRAM-SHA-256 - Direct TLS (including https) certificates updated on reload - Pluggable authorization providers (mod_authz_) - Easy use of Mozilla TLS recommendations presets - Unencrypted HTTP port (5280) restricted to loopback by default - require_encryption options default to 'true' if unspecified - Authentication module defaults to 'internal_hashed' if unspecified ### HTTP - CORS handling now provided by mod_http - Built-in HTTP server now handles HEAD requests - Uploads can be handled incrementally ### API - Module statuses (API change) - util.error for encapsulating errors - Promise based API for sending queries - API for adding periodic tasks - More APIs supporting ES6 Promises - Async can be used during shutdown ### Other - Plugin installer - MUC presence broadcast controls - MUC: support for XEP-0421 occupant identifiers - `prosodyctl check connectivity` via observe.jabber.network - STUN/TURN server tests in `prosodyctl check` - libunbound for DNS queries - The POSIX poll() API used by server_epoll on \*nix other than Linux ## Changes - Improved rules for mobile optimizations - Improved rules for what messages should be archived - mod_limits: Exempted JIDs - mod_server_contact_info now loaded on components if enabled - Statistics now based on OpenMetrics - Statistics scheduling can be done by plugin - Offline messages aren't sent to MAM clients - Archive quotas (means?) - Rewritten migrator with archive support - Improved automatic certificate locating and selecting - Logging to syslog no longer missing startup messages - Graceful shutdown sequence that closes ports first and waits for connections to close ## Removed - `daemonize` option deprecated - SASL DIGEST-MD5 removed - mod_auth_cyrus (older LDAP support) - Network backend server_select deprecated (not actually removed yet) 0.11.0 ====== **2018-11-18** New features ------------ - Rewritten more extensible MUC module - Store inactive rooms to disk - Store rooms to disk on shutdown - Voice requests - Tombstones in place of destroyed rooms - PubSub features - Persistence - Affiliations - Access models - "publish-options" - PEP now uses our pubsub code and now shares the above features - Asynchronous operations - Busted for tests - mod\_muc\_mam (XEP-0313 in groupchats) - mod\_vcard\_legacy (XEP-0398) - mod\_vcard4 (XEP-0292) - mod\_csi, mod\_csi\_simple (XEP-0352) - New experimental network backend "epoll" 0.10.0 ====== **2017-10-02** New features ------------ - Rewritten SQL storage module with Archive support - SCRAM-SHA-1-PLUS - `prosodyctl check` - Statistics - Improved TLS configuration - Lua 5.2 support - mod\_blocklist (XEP-0191) - mod\_carbons (XEP-0280) - Pluggable connection timeout handling - mod\_websocket (RFC 7395) - mod\_mam (XEP-0313) Removed ------- - mod\_privacy (XEP-0016) - mod\_compression (XEP-0138)
