# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1661766451 -7200
# Node ID 546c7e0f3f3103c88120e00f01ebe3e79f81c9ff
# Parent  1bc2220cd6eca7111ec8be2d7bd7ff7857e049f7
core.moduleapi: Check for local role-aware sessions before e.g. s2s

The condition checked for s2sin but not s2sout, so it would have ignored
bidi-enabled s2sout sessions, and component sessions as well.

diff -r 1bc2220cd6ec -r 546c7e0f3f31 core/moduleapi.lua
--- a/core/moduleapi.lua	Mon Aug 29 15:48:07 2022 +0100
+++ b/core/moduleapi.lua	Mon Aug 29 11:47:31 2022 +0200
@@ -649,7 +649,15 @@
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");
 	end
-	if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+	if session.role and session.type == "c2s" and session.host == self.host then
+		local permit = session.role:may(action, context);
+		if not permit then
+			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+				session.id, session.full_jid, action, session.role.name
+			);
+		end
+		return permit;
+	else
 		local actor_jid = context.stanza.attr.from;
 		local role = hosts[self.host].authz.get_jid_role(actor_jid);
 		if not role then
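Review bot: The `else` added after the role check is now a catch-all, so every session that is not a role-bearing local c2s session is authorized from `context.stanza.attr.from`, and nothing visible in the hunk checks that `context.stanza` is present. Before this change a session matching neither condition fell through and returned nil (deny); now a context without a stanza would raise on the index, and a local c2s session without `session.role` (if that can occur) is decided by the stanza's `from` instead of being denied. I would fail closed before the lookup, e.g. `local stanza = context.stanza;` followed by `if not stanza then return false; end`, and add a comment stating why `from` can be trusted on this path, such as `-- 'from' is only meaningful here if the stream layer has already validated it`, assuming that is the case for s2s and component sessions. The function starts above the hunk and the rest of this branch continues in the next hunk.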
@@ -661,14 +669,6 @@
 			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
 		end
 		return permit;
-	elseif session.role then
-		local permit = session.role:may(action, context);
-		if not permit then
-			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
-				session.id, session.full_jid, action, session.role.name
-			);
-		end
-		return permit;
 	end
 end