comparison mod_compat_roles/mod_compat_roles.lua @ 5098:817bc9873fc2

mod_compat_roles: Fix permission checks/roles to be per-host as intended
author Matthew Wild <mwild1@gmail.com>
date Tue, 29 Nov 2022 11:38:28 +0000
parents d414fa8b37dc
children f03f4ec859a3
5097:d414fa8b37dc 5098:817bc9873fc2
26 26
27 local function get_user_role_name(username, host) 27 local function get_user_role_name(username, host)
28 return get_jid_role_name(username.."@"..host, host); 28 return get_jid_role_name(username.."@"..host, host);
29 end 29 end
30 30
31 -- permissions[host][permission_name] = permitted_role_name 31 -- permissions[host][role_name][permission_name] = is_permitted
32 local permissions = {}; 32 local permissions = {};
33 33
34 local function role_may(role_name, permission) 34 local function role_may(host, role_name, permission)
35 local role_permissions = permissions[role_name]; 35 local host_roles = permissions[host];
36 if not host_roles then
37 return false;
38 end
39 local role_permissions = host_roles[role_name];
36 if not role_permissions then 40 if not role_permissions then
37 return false; 41 return false;
38 end 42 end
39 return not not permissions[role_name][permission]; 43 return not not permissions[role_name][permission];
40 end 44 end
54 if not role then 58 if not role then
55 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action); 59 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
56 return false; 60 return false;
57 end 61 end
58 62
59 local permit = role_may(role, action); 63 local permit = role_may(self.host, role, action);
60 if not permit then 64 if not permit then
61 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name); 65 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
62 end 66 end
63 return permit; 67 return permit;
64 end 68 end
72 local role_name = get_jid_role_name(actor_jid); 76 local role_name = get_jid_role_name(actor_jid);
73 if not role_name then 77 if not role_name then
74 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); 78 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
75 return false; 79 return false;
76 end 80 end
77 local permit = role_may(role_name, action, context); 81 local permit = role_may(self.host, role_name, action, context);
78 if not permit then 82 if not permit then
79 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role_name); 83 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role_name);
80 end 84 end
81 return permit; 85 return permit;
82 end 86 end
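Review bot: The last line of role_may still reads `return not not permissions[role_name][permission];`, but after this change the top-level `permissions` table is keyed by host, so `permissions[role_name]` is nil for any real role and that line raises "attempt to index a nil value" instead of returning the permission; the new local already holds the right table, so it should be `return not not role_permissions[permission];`. The caller in the second hunk passes a fourth argument, `role_may(self.host, role_name, action, context)`, that role_may does not declare — Lua silently drops it, but it reads as if context takes part in the decision and should be removed. In that same hunk `get_jid_role_name(actor_jid)` is called without a host while get_user_role_name at the top passes one; its signature is outside this view, so this may be intentional, but it is worth confirming the lookup is host-scoped there too. Both enclosing functions start outside the visible hunks.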