prosody
c0eea4f6c739
plugins/mod_announce.lua
Software / code / prosody
File
plugins/mod_announce.lua @ 12659:c0eea4f6c739
usermanager: Add back temporary is_admin to warn about deprecated API usage
Goal: Introduce role-auth with minimal disruption
is_admin() is unsafe in a system with per-session permissions, so it has been
deprecated.
Roll-out approach:
1) First, log a warning when is_admin() is used. It should continue to
function normally, backed by the new role API. Nothing is really using
per-session authz yet, so there is minimal security concern.
The 'strict_deprecate_is_admin' global setting can be set to 'true' to
force a hard failure of is_admin() attempts (it will log an error and
always return false).
2) In some time (at least 1 week), but possibly longer depending on the number
of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by
default. It can still be disabled for systems that need it.
3) Further in the future, before the next release, the option will be removed
and is_admin() will be permanently disabled.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 15 Aug 2022 15:25:07 +0100 |
| parent | 12642:9061f9621330 |
| child | 12977:74b9e05af71e |
line wrap: on
line source
-- Prosody IM -- Copyright (C) 2008-2010 Matthew Wild -- Copyright (C) 2008-2010 Waqas Hussain -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local st, jid = require "util.stanza", require "util.jid"; local hosts = prosody.hosts; function send_to_online(message, host) local sessions; if host then sessions = { [host] = hosts[host] }; else sessions = hosts; end local c = 0; for hostname, host_session in pairs(sessions) do if host_session.sessions then message.attr.from = hostname; for username in pairs(host_session.sessions) do c = c + 1; message.attr.to = username.."@"..hostname; module:send(message); end end end return c; end module:default_permission("prosody:admin", ":send-announcement"); -- Old <message>-based jabberd-style announcement sending function handle_announcement(event) local stanza = event.stanza; -- luacheck: ignore 211/node local node, host, resource = jid.split(stanza.attr.to); if resource ~= "announce/online" then return; -- Not an announcement end if not module:may(":send-announcement", event) then -- Not allowed! module:log("warn", "Non-admin '%s' tried to send server announcement", stanza.attr.from); return; end module:log("info", "Sending server announcement to all online users"); local message = st.clone(stanza); message.attr.type = "headline"; message.attr.from = host; local c = send_to_online(message, host); module:log("info", "Announcement sent to %d online users", c); return true; end module:hook("message/host", handle_announcement); -- Ad-hoc command (XEP-0133) local dataforms_new = require "util.dataforms".new; local announce_layout = dataforms_new{ title = "Making an Announcement"; instructions = "Fill out this form to make an announcement to all\nactive users of this service."; { name = "FORM_TYPE", type = "hidden", value = "http://jabber.org/protocol/admin" }; { name = "subject", type = "text-single", label = "Subject" }; { name = "announcement", type = "text-multi", required = true, label = "Announcement" }; }; function announce_handler(_, data, state) if state then if data.action == "cancel" then return { status = "canceled" }; end local fields = announce_layout:data(data.form); module:log("info", "Sending server announcement to all online users"); local message = st.message({type = "headline"}, fields.announcement):up() :tag("subject"):text(fields.subject or "Announcement"); local count = send_to_online(message, data.to); module:log("info", "Announcement sent to %d online users", count); return { status = "completed", info = ("Announcement sent to %d online users"):format(count) }; else return { status = "executing", actions = {"next", "complete", default = "complete"}, form = announce_layout }, "executing"; end end module:depends "adhoc"; local adhoc_new = module:require "adhoc".new; local announce_desc = adhoc_new("Send Announcement to Online Users", "http://jabber.org/protocol/admin#announce", announce_handler, "admin"); module:provides("adhoc", announce_desc);
