# HG changeset patch
# User Kim Alvefur
# Date 1683484447 -7200
# Node ID a1ba503610ed56e1f6ac75c315de987ebe5a3112
# Parent 65d2ff6e674ea3b5bdaf6edd035a67c05b4b998d
mod_tokenauth: Support selection of _no_ role at all If a grant does not have a role, we should not go and make one up. While not very useful for XMPP if you can't even login, it may be useful for OAuth2/OIDC.
diff -r 65d2ff6e674e -r a1ba503610ed plugins/mod_tokenauth.lua
--- a/plugins/mod_tokenauth.lua Sun May 07 20:33:03 2023 +0200
+++ b/plugins/mod_tokenauth.lua Sun May 07 20:34:07 2023 +0200
@@ -10,11 +10,12 @@
 local access_time_granularity = module:get_option_number("token_auth_access_time_granularity", 60);
-local function select_role(username, host, role)
- if role then
- return prosody.hosts[host].authz.get_role_by_name(role);
- end
- return usermanager.get_user_role(username, host);
+local function select_role(username, host, role_name)
+ if not role_name then return end
+ local role = usermanager.get_role_by_name(role_name, host);
+ if not role then return end
+ if not usermanager.user_can_assume_role(username, host, role.name) then return end
+ return role;
 end
 function create_grant(actor_jid, grant_jid, grant_ttl, grant_data)
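Review bot: The three early `return end` exits in the new `select_role` are indistinguishable to the caller and leave no trace: a grant stored without a role, a role name that no longer resolves, and a user who fails `usermanager.user_can_assume_role` all yield nil silently. The last two are authorization-relevant events an operator would want to see, so a log line on each would help, e.g. `if not role then module:log("warn", "Grant for %s references unknown role %s", username, role_name); return end`, and likewise on the `user_can_assume_role` branch. A short comment above the function, `-- Returns the grant's role, or nil when the grant has none or the user may not assume it; callers must treat nil as "no permissions" and never fall back to the user's default role`, would pin the fail-closed contract. The callers are outside this hunk, so whether they already handle a nil role that way cannot be confirmed from here.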