Mercurial > prosody-modules
annotate mod_muc_restrict_rooms/mod_muc_restrict_rooms.lua @ 5298:12f7d8b901e0
mod_audit: Support for adding location (GeoIP) to audit events
This can be more privacy-friendly than logging full IP addresses, and also
more informative to a user - IP addresses don't mean much to the average
person, however if they see activity from outside their expected country, they
can immediately identify suspicious activity.
As with IPs, this field is configurable for deployments that would like to
disable it. Location is also not logged when the geoip library is not
available.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Sat, 01 Apr 2023 13:11:53 +0100 |
parents | 79adec50b24d |
children |
rev | line source |
---|---|
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
1 local st = require "util.stanza"; |
1613
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
2 local jid = require "util.jid"; |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
3 local nodeprep = require "util.encodings".stringprep.nodeprep; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
4 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
5 local rooms = module:shared "muc/rooms"; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
6 if not rooms then |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
7 module:log("error", "This module only works on MUC components!"); |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
8 return; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
9 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
10 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
11 local restrict_patterns = module:get_option("muc_restrict_matching", {}); |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
12 local restrict_excepts = module:get_option_set("muc_restrict_exceptions", {}); |
1613
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
13 local restrict_allow_admins = module:get_option_boolean("muc_restrict_allow_admins", false); |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
14 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
15 local function is_restricted(room, who) |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
16 -- If admins can join prohibited rooms, we allow them to |
1613
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
17 if restrict_allow_admins and usermanager.is_admin(who, module.host) then |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
18 module:log("debug", "Admins are allowed to enter restricted rooms (%s on %s)", who, room) |
1613
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
19 return nil; |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
20 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
21 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
22 -- Don't evaluate exceptions |
1613
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
23 if restrict_excepts:contains(room) then |
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
24 module:log("debug", "Room %s is amongst restriction exceptions", room()) |
ca04f75958f7
mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1612
diff
changeset
|
25 return nil; |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
26 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
27 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
28 -- Evaluate regexps of restricted patterns |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
29 for pattern,reason in pairs(restrict_patterns) do |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
30 if room:match(pattern) then |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
31 module:log("debug", "Room %s is restricted by pattern %s, user %s is not allowed to join (%s)", room, pattern, who, reason) |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
32 return reason; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
33 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
34 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
35 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
36 return nil |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
37 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
38 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
39 module:hook("presence/full", function(event) |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
40 local stanza = event.stanza; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
41 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
42 if stanza.name == "presence" and stanza.attr.type == "unavailable" then -- Leaving events get discarded |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
43 return; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
44 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
45 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
46 -- Get the room |
1614
79adec50b24d
mod_muc_restrict_rooms: Fixed the way of getting room and user
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1613
diff
changeset
|
47 local room = jid.split(stanza.attr.to); |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
48 if not room then return; end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
49 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
50 -- Get who has tried to join it |
1614
79adec50b24d
mod_muc_restrict_rooms: Fixed the way of getting room and user
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
1613
diff
changeset
|
51 local who = jid.bare(stanza.attr.from) |
1612
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
52 |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
53 -- Checking whether room is restricted |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
54 local check_restricted = is_restricted(room, who) |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
55 if check_restricted ~= nil then |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
56 event.allowed = false; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
57 event.stanza.attr.type = 'error'; |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
58 return event.origin.send(st.error_reply(event.stanza, "cancel", "forbidden", "You're not allowed to enter this room: " .. check_restricted)); |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
59 end |
247e6e43843e
Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff
changeset
|
60 end, 10); |