# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1694866988 -7200
# Node ID 9097149923ae52234c508f737811d2fdb4d8cda6
# Parent  c8c0cfb7f5df0eec00c5e82902b5a13db432fae8
mod_http_file_share: Switch to the new authz API (BC)

Behavior change: It becomes up to the authorization module whether to
allow requests. The default, mod_authz_internal, will allow users on the
*parent* host only, breaking use by some components.

Remaining question is whether to deprecate the `http_file_share_access`
setting or leave as a way to complement/bypass access control?

diff -r c8c0cfb7f5df -r 9097149923ae CHANGES
--- a/CHANGES	Mon Sep 04 00:38:45 2023 +0200
+++ b/CHANGES	Sat Sep 16 14:23:08 2023 +0200
@@ -51,6 +51,7 @@
 - mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy
 - Moved all modules into the Lua namespace `prosody.`
 - Forwarded header from RFC 7239 supported, disabled by default
+- mod_http_file_share now uses roles framework, affecting access from e.g. components
 
 ## Removed
 
diff -r c8c0cfb7f5df -r 9097149923ae plugins/mod_http_file_share.lua
--- a/plugins/mod_http_file_share.lua	Mon Sep 04 00:38:45 2023 +0200
+++ b/plugins/mod_http_file_share.lua	Sat Sep 16 14:23:08 2023 +0200
@@ -47,6 +47,8 @@
 
 local access = module:get_option_set(module.name .. "_access", {});
 
+module:default_permission("prosody:registered", ":upload");
+
 if not external_base_url then
 	module:depends("http");
 end
@@ -136,7 +138,7 @@
 
 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error
 	local uploader_host = jid.host(uploader);
-	if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then
+	if not (module:may(":upload", uploader) or access:contains(uploader) or access:contains(uploader_host)) then
 		return false, upload_errors.new("access");
 	end