Mercurial > prosody-modules
annotate mod_restrict_xmpp/mod_restrict_xmpp.lua @ 5585:5b316088bef5
mod_rest: Use logger of HTTP request in trunk
In Prosody trunk rev c975dafa4303 each HTTP request gained its own log
sink, to make it easy to log things related to each request and group
those messages. Especially where async is used, spreading the request
and response apart as mod_rest does with iq stanzas, this grouped
logging should help find related messages.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 07 Jul 2023 00:10:37 +0200 |
parents | 825c6fb76c48 |
children | 111e970213a0 |
rev | line source |
---|---|
5009
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local array = require "util.array"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local it = require "util.iterators"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local set = require "util.set"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local st = require "util.stanza"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
5582
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
6 local normal_user_role = "prosody:registered"; |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
7 local limited_user_role = "prosody:guest"; |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
8 |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
9 local features = require "core.features"; |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
10 |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
11 -- COMPAT |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
12 if not features.available:contains("split-user-roles") then |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
13 normal_user_role = "prosody:user"; |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
14 limited_user_role = "prosody:restricted"; |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
15 end |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
16 |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
17 module:default_permission(normal_user_role, "xmpp:federate"); |
5009
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 module:hook("route/remote", function (event) |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 if not module:may("xmpp:federate", event) then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 if event.stanza.attr.type ~= "result" and event.stanza.attr.type ~= "error" then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 module:log("warn", "Access denied: xmpp:federate for %s -> %s", event.stanza.attr.from, event.stanza.attr.to); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 local reply = st.error_reply(event.stanza, "auth", "forbidden"); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 event.origin.send(reply); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 return true; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 end); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local iq_namespaces = { |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 ["jabber:iq:roster"] = "contacts"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 ["jabber:iq:private"] = "storage"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 ["vcard-temp"] = "profile"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 ["urn:xmpp:mam:0"] = "history"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 ["urn:xmpp:mam:1"] = "history"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 ["urn:xmpp:mam:2"] = "history"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 ["urn:xmpp:carbons:0"] = "carbons"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 ["urn:xmpp:carbons:1"] = "carbons"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 ["urn:xmpp:carbons:2"] = "carbons"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 ["urn:xmpp:blocking"] = "blocklist"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 ["http://jabber.org/protocol/pubsub"] = "pep"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 ["http://jabber.org/protocol/disco#info"] = "disco"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 }; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 local legacy_storage_nodes = { |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 ["storage:bookmarks"] = "bookmarks"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 ["storage:rosternotes"] = "contacts"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 ["roster:delimiter"] = "contacts"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 ["storage:metacontacts"] = "contacts"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 }; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 local pep_nodes = { |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 ["storage:bookmarks"] = "bookmarks"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 ["urn:xmpp:bookmarks:1"] = "bookmarks"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 ["urn:xmpp:avatar:data"] = "profile"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 ["urn:xmpp:avatar:metadata"] = "profile"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 ["http://jabber.org/protocol/nick"] = "profile"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 ["eu.siacs.conversations.axolotl.devicelist"] = "omemo"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 ["urn:xmpp:omemo:1:devices"] = "omemo"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 ["urn:xmpp:omemo:1:bundles"] = "omemo"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 ["urn:xmpp:omemo:2:devices"] = "omemo"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 ["urn:xmpp:omemo:2:bundles"] = "omemo"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 }; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 module:hook("pre-iq/bare", function (event) |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 if not event.to_self then return; end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 local origin, stanza = event.origin, event.stanza; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 local typ = stanza.attr.type; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 if typ ~= "set" and typ ~= "get" then return; end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 local action = typ == "get" and "read" or "write"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 local payload = stanza.tags[1]; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 local ns = payload and payload.attr.xmlns; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 local proto = iq_namespaces[ns]; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 if proto == "pep" then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 local pubsub = payload:get_child("pubsub", "http://jabber.org/protocol/pubsub"); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 local node = pubsub and #pubsub.tags == 1 and pubsub.tags[1].attr.node or nil; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 proto = pep_nodes[node] or "pep"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 if proto == "pep" and node and node:match("^eu%.siacs%.conversations%.axolotl%.bundles%.%d+$") then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
86 proto = "omemo"; -- COMPAT w/ original OMEMO |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
88 elseif proto == "storage" then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
89 local data = payload.tags[1]; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
90 proto = data and legacy_storage_nodes[data.attr.xmlns] or "legacy-storage"; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
91 elseif proto == "carbons" then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
92 -- This allows access to live messages |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
93 proto, action = "messages", "read"; |
5010
a1f49586d28a
mod_restrict_xmpp: Treat archive query as a read despite using iq-set
Kim Alvefur <zash@zash.se>
parents:
5009
diff
changeset
|
94 elseif proto == "history" then |
a1f49586d28a
mod_restrict_xmpp: Treat archive query as a read despite using iq-set
Kim Alvefur <zash@zash.se>
parents:
5009
diff
changeset
|
95 action = "read"; |
5009
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
96 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 local permission_name = "xmpp:account:"..(proto and (proto..":") or "")..action; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 if not module:may(permission_name, event) then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 module:log("warn", "Access denied: %s ({%s}%s) for %s", permission_name, ns, payload.name, origin.full_jid or origin.id); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to make this request ("..permission_name..")")); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 return true; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 end); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
104 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 --module:default_permission("prosody:restricted", "xmpp:account:read"); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 --module:default_permission("prosody:restricted", "xmpp:account:write"); |
5582
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
107 module:default_permission(limited_user_role, "xmpp:account:messages:read"); |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
108 module:default_permission(limited_user_role, "xmpp:account:messages:write"); |
5009
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 for _, property_list in ipairs({ iq_namespaces, legacy_storage_nodes, pep_nodes }) do |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 for account_property in set.new(array.collect(it.values(property_list))) do |
5582
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
111 module:default_permission(limited_user_role, "xmpp:account:"..account_property..":read"); |
825c6fb76c48
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents:
5010
diff
changeset
|
112 module:default_permission(limited_user_role, "xmpp:account:"..account_property..":write"); |
5009
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
113 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
114 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
115 |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
116 module:default_permission("prosody:restricted", "xmpp:account:presence:write"); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 module:hook("pre-presence/bare", function (event) |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
118 if not event.to_self then return; end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
119 local stanza = event.stanza; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
120 if not module:may("xmpp:account:presence:write", event) then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
121 module:log("warn", "Access denied: xmpp:account:presence:write for %s", event.origin.full_jid or event.origin.id); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
122 event.origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to send account presence")); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
123 return true; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
124 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 local priority = stanza:get_child_text("priority"); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 if priority ~= "-1" then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 if not module:may("xmpp:account:messages:read", event) then |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
128 module:log("warn", "Access denied: xmpp:account:messages:read for %s", event.origin.full_jid or event.origin.id); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
129 event.origin.send(st.error_reply(stanza, "auth", "forbidden", "You do not have permission to receive messages (use presence priority -1)")); |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 return true; |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 end |
459a4001c1d9
mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 end); |