# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1679773121 0
# Node ID 5625da6ae6b65e4c4700abe8b2f81e79cea8650e
# Parent  623fbb5f9b05ce1aa8f687bab744d11c7a42c9ed
moduleapi: may: Fail early if a local session has no role assigned

We expect every session to explicitly have a role assigned. Falling back to
any kind of "default" role (even the user's default role) in the absence of
an explicit role could open up the possibility of accidental privilege
escalation.

diff -r 623fbb5f9b05 -r 5625da6ae6b6 core/moduleapi.lua
--- a/core/moduleapi.lua	Sun Mar 26 16:51:33 2023 +0200
+++ b/core/moduleapi.lua	Sat Mar 25 19:38:41 2023 +0000
@@ -653,11 +653,16 @@
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");
 	end
-	if session.role and session.type == "c2s" and session.host == self.host then
-		local permit = session.role:may(action, context);
+	if session.type == "c2s" and session.host == self.host then
+		local role = session.role;
+		if not role then
+			self:log("warn", "Access denied: session %s has no role assigned");
+			return false;
+		end
+		local permit = role:may(action, context);
 		if not permit then
 			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
-				session.id, session.full_jid, action, session.role.name
+				session.id, session.full_jid, action, role.name
 			);
 		end
 		return permit;