Mercurial > prosody-modules
comparison mod_authz_delegate/mod_authz_delegate.lua @ 5289:308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
See the readme :-).
Motivation is allowing Snikket admins to change circle avatars via
the web portal without bypassing Prosody access checks.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Wed, 29 Mar 2023 17:21:45 +0200 |
| parents | |
| children | 98d5acb93439 |
comparison
equal
deleted
inserted
replaced
| 5287:4834eaf24fc1 | 5289:308024be6d6f |
|---|---|
| 1 local target_host = assert(module:get_option("authz_delegate_to")); | |
| 2 local this_host = module:get_host(); | |
| 3 | |
| 4 local jid_split = import("prosody.util.jid", "split"); | |
| 5 | |
| 6 local hosts = prosody.hosts; | |
| 7 | |
| 8 function get_jids_with_role(role) --luacheck: ignore 212/role | |
| 9 return nil | |
| 10 end | |
| 11 | |
| 12 function get_user_role(user) | |
| 13 -- this is called where the JID belongs to the host this module is loaded on | |
| 14 -- that means we have to delegate that to get_jid_role with an appropriately composed JID | |
| 15 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) | |
| 16 end | |
| 17 | |
| 18 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 19 -- no roles for entities on this host. | |
| 20 return false, "cannot set user role on delegation target" | |
| 21 end | |
| 22 | |
| 23 function get_user_secondary_roles(user) --luacheck: ignore 212/user | |
| 24 -- no roles for entities on this host. | |
| 25 return {} | |
| 26 end | |
| 27 | |
| 28 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 29 -- no roles for entities on this host. | |
| 30 return nil, "cannot set user role on delegation target" | |
| 31 end | |
| 32 | |
| 33 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 34 -- no roles for entities on this host. | |
| 35 return nil, "cannot set user role on delegation target" | |
| 36 end | |
| 37 | |
| 38 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 39 -- no roles for entities on this host. | |
| 40 return false | |
| 41 end | |
| 42 | |
| 43 function get_jid_role(jid) | |
| 44 local user, host = jid_split(jid); | |
| 45 if host == target_host then | |
| 46 return hosts[target_host].authz.get_user_role(user); | |
| 47 end | |
| 48 return hosts[target_host].authz.get_jid_role(jid); | |
| 49 end | |
| 50 | |
| 51 function set_jid_role(jid) --luacheck: ignore 212/jid | |
| 52 -- TODO: figure out if there are actually legitimate uses for this... | |
| 53 return nil, "cannot set jid role on delegation target" | |
| 54 end | |
| 55 | |
| 56 function add_default_permission(role_name, action, policy) | |
| 57 return hosts[target_host].authz.add_default_permission(role_name, action, policy) | |
| 58 end | |
| 59 | |
| 60 function get_role_by_name(role_name) | |
| 61 return hosts[target_host].authz.get_role_by_name(role_name) | |
| 62 end | |
| 63 | |
| 64 function get_all_roles() | |
| 65 return hosts[target_host].authz.get_all_roles() | |
| 66 end |