prosody
5625da6ae6b6

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Changeset

12994:5625da6ae6b6

moduleapi: may: Fail early if a local session has no role assigned We expect every session to explicitly have a role assigned. Falling back to any kind of "default" role (even the user's default role) in the absence of an explicit role could open up the possibility of accidental privilege escalation.
author Matthew Wild <mwild1@gmail.com>
date Sat, 25 Mar 2023 19:38:41 +0000
parents 12993:623fbb5f9b05
children 12995:e385f3a06673
files core/moduleapi.lua
diffstat 1 files changed, 8 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/core/moduleapi.lua	Sun Mar 26 16:51:33 2023 +0200
+++ b/core/moduleapi.lua	Sat Mar 25 19:38:41 2023 +0000
@@ -653,11 +653,16 @@
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");
 	end
-	if session.role and session.type == "c2s" and session.host == self.host then
-		local permit = session.role:may(action, context);
+	if session.type == "c2s" and session.host == self.host then
+		local role = session.role;
+		if not role then
+			self:log("warn", "Access denied: session %s has no role assigned");
+			return false;
+		end
+		local permit = role:may(action, context);
 		if not permit then
 			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
-				session.id, session.full_jid, action, session.role.name
+				session.id, session.full_jid, action, role.name
 			);
 		end
 		return permit;