annotate mod_restrict_xmpp/mod_restrict_xmpp.lua @ 5585:5b316088bef5

mod_rest: Use logger of HTTP request in trunk In Prosody trunk rev c975dafa4303 each HTTP request gained its own log sink, to make it easy to log things related to each request and group those messages. Especially where async is used, spreading the request and response apart as mod_rest does with iq stanzas, this grouped logging should help find related messages.
author Kim Alvefur <zash@zash.se>
date Fri, 07 Jul 2023 00:10:37 +0200
parents 825c6fb76c48
children 111e970213a0
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local array = require "util.array";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local it = require "util.iterators";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local set = require "util.set";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local st = require "util.stanza";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5
5582
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
6 local normal_user_role = "prosody:registered";
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
7 local limited_user_role = "prosody:guest";
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
8
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
9 local features = require "core.features";
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
10
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
11 -- COMPAT
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
12 if not features.available:contains("split-user-roles") then
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
13 normal_user_role = "prosody:user";
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
14 limited_user_role = "prosody:restricted";
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
15 end
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
16
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
17 module:default_permission(normal_user_role, "xmpp:federate");
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 module:hook("route/remote", function (event)
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 if not module:may("xmpp:federate", event) then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 if event.stanza.attr.type ~= "result" and event.stanza.attr.type ~= "error" then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 module:log("warn", "Access denied: xmpp:federate for %s -> %s", event.stanza.attr.from, event.stanza.attr.to);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 local reply = st.error_reply(event.stanza, "auth", "forbidden");
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 event.origin.send(reply);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 return true;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 end);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 local iq_namespaces = {
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 ["jabber:iq:roster"] = "contacts";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 ["jabber:iq:private"] = "storage";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 ["vcard-temp"] = "profile";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 ["urn:xmpp:mam:0"] = "history";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 ["urn:xmpp:mam:1"] = "history";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 ["urn:xmpp:mam:2"] = "history";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 ["urn:xmpp:carbons:0"] = "carbons";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 ["urn:xmpp:carbons:1"] = "carbons";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 ["urn:xmpp:carbons:2"] = "carbons";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 ["urn:xmpp:blocking"] = "blocklist";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 ["http://jabber.org/protocol/pubsub"] = "pep";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 ["http://jabber.org/protocol/disco#info"] = "disco";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46 };
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 local legacy_storage_nodes = {
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 ["storage:bookmarks"] = "bookmarks";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 ["storage:rosternotes"] = "contacts";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 ["roster:delimiter"] = "contacts";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 ["storage:metacontacts"] = "contacts";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 };
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55 local pep_nodes = {
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56 ["storage:bookmarks"] = "bookmarks";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 ["urn:xmpp:bookmarks:1"] = "bookmarks";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 ["urn:xmpp:avatar:data"] = "profile";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 ["urn:xmpp:avatar:metadata"] = "profile";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61 ["http://jabber.org/protocol/nick"] = "profile";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
62
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 ["eu.siacs.conversations.axolotl.devicelist"] = "omemo";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64 ["urn:xmpp:omemo:1:devices"] = "omemo";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 ["urn:xmpp:omemo:1:bundles"] = "omemo";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66 ["urn:xmpp:omemo:2:devices"] = "omemo";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 ["urn:xmpp:omemo:2:bundles"] = "omemo";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 };
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70 module:hook("pre-iq/bare", function (event)
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 if not event.to_self then return; end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 local origin, stanza = event.origin, event.stanza;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 local typ = stanza.attr.type;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75 if typ ~= "set" and typ ~= "get" then return; end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 local action = typ == "get" and "read" or "write";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
77
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 local payload = stanza.tags[1];
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 local ns = payload and payload.attr.xmlns;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 local proto = iq_namespaces[ns];
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 if proto == "pep" then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
82 local pubsub = payload:get_child("pubsub", "http://jabber.org/protocol/pubsub");
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 local node = pubsub and #pubsub.tags == 1 and pubsub.tags[1].attr.node or nil;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 proto = pep_nodes[node] or "pep";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 if proto == "pep" and node and node:match("^eu%.siacs%.conversations%.axolotl%.bundles%.%d+$") then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
86 proto = "omemo"; -- COMPAT w/ original OMEMO
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
87 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
88 elseif proto == "storage" then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 local data = payload.tags[1];
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 proto = data and legacy_storage_nodes[data.attr.xmlns] or "legacy-storage";
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91 elseif proto == "carbons" then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 -- This allows access to live messages
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93 proto, action = "messages", "read";
5010
a1f49586d28a mod_restrict_xmpp: Treat archive query as a read despite using iq-set
Kim Alvefur <zash@zash.se>
parents: 5009
diff changeset
94 elseif proto == "history" then
a1f49586d28a mod_restrict_xmpp: Treat archive query as a read despite using iq-set
Kim Alvefur <zash@zash.se>
parents: 5009
diff changeset
95 action = "read";
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
96 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
97 local permission_name = "xmpp:account:"..(proto and (proto..":") or "")..action;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
98 if not module:may(permission_name, event) then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
99 module:log("warn", "Access denied: %s ({%s}%s) for %s", permission_name, ns, payload.name, origin.full_jid or origin.id);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
100 origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to make this request ("..permission_name..")"));
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
101 return true;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
102 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
103 end);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
104
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
105 --module:default_permission("prosody:restricted", "xmpp:account:read");
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106 --module:default_permission("prosody:restricted", "xmpp:account:write");
5582
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
107 module:default_permission(limited_user_role, "xmpp:account:messages:read");
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
108 module:default_permission(limited_user_role, "xmpp:account:messages:write");
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
109 for _, property_list in ipairs({ iq_namespaces, legacy_storage_nodes, pep_nodes }) do
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
110 for account_property in set.new(array.collect(it.values(property_list))) do
5582
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
111 module:default_permission(limited_user_role, "xmpp:account:"..account_property..":read");
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5010
diff changeset
112 module:default_permission(limited_user_role, "xmpp:account:"..account_property..":write");
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
113 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
114 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
115
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
116 module:default_permission("prosody:restricted", "xmpp:account:presence:write");
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
117 module:hook("pre-presence/bare", function (event)
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
118 if not event.to_self then return; end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
119 local stanza = event.stanza;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
120 if not module:may("xmpp:account:presence:write", event) then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
121 module:log("warn", "Access denied: xmpp:account:presence:write for %s", event.origin.full_jid or event.origin.id);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
122 event.origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to send account presence"));
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
123 return true;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
124 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
125 local priority = stanza:get_child_text("priority");
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
126 if priority ~= "-1" then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
127 if not module:may("xmpp:account:messages:read", event) then
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
128 module:log("warn", "Access denied: xmpp:account:messages:read for %s", event.origin.full_jid or event.origin.id);
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
129 event.origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to receive messages (use presence priority -1)"));
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
130 return true;
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
131 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
132 end
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
133 end);