prosody
c0eea4f6c739
spec/util_xml_spec.lua
Software / code / prosody
File
spec/util_xml_spec.lua @ 12659:c0eea4f6c739
usermanager: Add back temporary is_admin to warn about deprecated API usage
Goal: Introduce role-auth with minimal disruption
is_admin() is unsafe in a system with per-session permissions, so it has been
deprecated.
Roll-out approach:
1) First, log a warning when is_admin() is used. It should continue to
function normally, backed by the new role API. Nothing is really using
per-session authz yet, so there is minimal security concern.
The 'strict_deprecate_is_admin' global setting can be set to 'true' to
force a hard failure of is_admin() attempts (it will log an error and
always return false).
2) In some time (at least 1 week), but possibly longer depending on the number
of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by
default. It can still be disabled for systems that need it.
3) Further in the future, before the next release, the option will be removed
and is_admin() will be permanently disabled.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 15 Aug 2022 15:25:07 +0100 |
| parent | 12270:c78639ee6ccb |
line wrap: on
line source
local xml = require "util.xml"; describe("util.xml", function() describe("#parse()", function() it("should work", function() local x = [[<x xmlns:a="b"> <y xmlns:a="c"> <!-- this overwrites 'a' --> <a:z/> </y> <a:z/> <!-- prefix 'a' is nil here, but should be 'b' --> </x> ]] local stanza = xml.parse(x, {allow_comments = true}); assert.are.equal(stanza.tags[2].attr.xmlns, "b"); assert.are.equal(stanza.tags[2].namespaces["a"], "b"); end); it("should reject doctypes", function() local x = "<!DOCTYPE foo []><foo/>"; local ok = xml.parse(x); assert.falsy(ok); end); it("should reject comments by default", function() local x = "<foo><!-- foo --></foo>"; local ok = xml.parse(x); assert.falsy(ok); end); it("should allow comments if asked nicely", function() local x = "<foo><!-- foo --></foo>"; local stanza = xml.parse(x, {allow_comments = true}); assert.are.equal(stanza.name, "foo"); assert.are.equal(#stanza, 0); end); it("should reject processing instructions", function() local x = "<foo><?php die(); ?></foo>"; local ok = xml.parse(x); assert.falsy(ok); end); it("should allow processing instructions if asked nicely", function() local x = "<?xml-stylesheet href='make-fancy.xsl'?><foo/>"; local stanza = xml.parse(x, {allow_processing_instructions = true}); assert.truthy(stanza); assert.are.equal(stanza.name, "foo"); end); it("should allow an xml declaration", function() local x = "<?xml version='1.0'?><foo/>"; local stanza = xml.parse(x); assert.truthy(stanza); assert.are.equal(stanza.name, "foo"); end); end); end);
