Mercurial > prosody-modules
comparison mod_compat_roles/mod_compat_roles.lua @ 4983:7c77058a1ac5
mod_compat_roles: New module providing compat shim for trunk's new role API
The new role API is translated to is_admin() calls on older versions. On newer
versions (which have the role API) this module does nothing.
It allows modules to drop their use of is_admin() (which is not available in
trunk) and switch to the new role API, while remaining compatible with
previous Prosody versions.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 11 Aug 2022 17:49:33 +0100 |
parents | |
children | d414fa8b37dc |
comparison
equal
deleted
inserted
replaced
4982:8a4b17e2e984 | 4983:7c77058a1ac5 |
---|---|
1 -- Export a module:may() that works on Prosody 0.12 and earlier | |
2 -- (i.e. backed by is_admin). | |
3 | |
4 -- This API is safe because Prosody 0.12 and earlier do not support | |
5 -- per-session roles - all authorization is based on JID alone. It is not | |
6 -- safe on versions that support per-session authorization. | |
7 | |
8 module:set_global(); | |
9 | |
10 local moduleapi = require "core.moduleapi"; | |
11 | |
12 -- If module.may already exists, abort | |
13 if moduleapi.may then return; end | |
14 | |
15 local jid_split = require "util.jid".split; | |
16 local um_is_admin = require "core.usermanager".is_admin; | |
17 | |
18 local function get_jid_role_name(jid, host) | |
19 if um_is_admin(jid, "*") then | |
20 return "prosody:operator"; | |
21 elseif um_is_admin(jid, host) then | |
22 return "prosody:admin"; | |
23 end | |
24 return nil; | |
25 end | |
26 | |
27 local function get_user_role_name(username, host) | |
28 return get_jid_role_name(username.."@"..host, host); | |
29 end | |
30 | |
31 -- permissions[host][permission_name] = permitted_role_name | |
32 local permissions = {}; | |
33 | |
34 local function role_may(role_name, permission) | |
35 local role_permissions = permissions[role_name]; | |
36 if not role_permissions then | |
37 return false; | |
38 end | |
39 return not not permissions[role_name][permission]; | |
40 end | |
41 | |
42 function moduleapi.may(self, action, context) | |
43 if action:byte(1) == 58 then -- action begins with ':' | |
44 action = self.name..action; -- prepend module name | |
45 end | |
46 if type(context) == "string" then -- check JID permissions | |
47 local role; | |
48 local node, host = jid_split(context); | |
49 if host == self.host then | |
50 role = get_user_role_name(node, self.host); | |
51 else | |
52 role = get_jid_role_name(context, self.host); | |
53 end | |
54 if not role then | |
55 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action); | |
56 return false; | |
57 end | |
58 | |
59 local permit = role_may(role, action); | |
60 if not permit then | |
61 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name); | |
62 end | |
63 return permit; | |
64 end | |
65 | |
66 local session = context.origin or context.session; | |
67 if type(session) ~= "table" then | |
68 error("Unable to identify actor session from context"); | |
69 end | |
70 if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then | |
71 local actor_jid = context.stanza.attr.from; | |
72 local role_name = get_jid_role_name(actor_jid); | |
73 if not role_name then | |
74 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); | |
75 return false; | |
76 end | |
77 local permit = role_may(role_name, action, context); | |
78 if not permit then | |
79 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role_name); | |
80 end | |
81 return permit; | |
82 end | |
83 end | |
84 | |
85 function moduleapi.default_permission(self, role_name, permission) | |
86 local r = permissions[self.host][role_name]; | |
87 if not r then | |
88 r = {}; | |
89 permissions[self.host][role_name] = r; | |
90 end | |
91 r[permission] = true; | |
92 end | |
93 | |
94 function moduleapi.default_permissions(self, role_name, permission_list) | |
95 for _, permission in ipairs(permission_list) do | |
96 self:default_permission(role_name, permission); | |
97 end | |
98 end | |
99 | |
100 function module.add_host(host_module) | |
101 permissions[host_module.host] = {}; | |
102 function host_module.unload() | |
103 permissions[host_module.host] = nil; | |
104 end | |
105 end |