Mercurial > prosody-modules
comparison mod_compat_roles/mod_compat_roles.lua @ 5098:817bc9873fc2
mod_compat_roles: Fix permission checks/roles to be per-host as intended
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 29 Nov 2022 11:38:28 +0000 |
| parents | d414fa8b37dc |
| children | f03f4ec859a3 |
comparison
equal
deleted
inserted
replaced
| 5097:d414fa8b37dc | 5098:817bc9873fc2 |
|---|---|
| 26 | 26 |
| 27 local function get_user_role_name(username, host) | 27 local function get_user_role_name(username, host) |
| 28 return get_jid_role_name(username.."@"..host, host); | 28 return get_jid_role_name(username.."@"..host, host); |
| 29 end | 29 end |
| 30 | 30 |
| 31 -- permissions[host][permission_name] = permitted_role_name | 31 -- permissions[host][role_name][permission_name] = is_permitted |
| 32 local permissions = {}; | 32 local permissions = {}; |
| 33 | 33 |
| 34 local function role_may(role_name, permission) | 34 local function role_may(host, role_name, permission) |
| 35 local role_permissions = permissions[role_name]; | 35 local host_roles = permissions[host]; |
| 36 if not host_roles then | |
| 37 return false; | |
| 38 end | |
| 39 local role_permissions = host_roles[role_name]; | |
| 36 if not role_permissions then | 40 if not role_permissions then |
| 37 return false; | 41 return false; |
| 38 end | 42 end |
| 39 return not not permissions[role_name][permission]; | 43 return not not permissions[role_name][permission]; |
| 40 end | 44 end |
| 54 if not role then | 58 if not role then |
| 55 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action); | 59 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action); |
| 56 return false; | 60 return false; |
| 57 end | 61 end |
| 58 | 62 |
| 59 local permit = role_may(role, action); | 63 local permit = role_may(self.host, role, action); |
| 60 if not permit then | 64 if not permit then |
| 61 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name); | 65 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name); |
| 62 end | 66 end |
| 63 return permit; | 67 return permit; |
| 64 end | 68 end |
| 72 local role_name = get_jid_role_name(actor_jid); | 76 local role_name = get_jid_role_name(actor_jid); |
| 73 if not role_name then | 77 if not role_name then |
| 74 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); | 78 self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action); |
| 75 return false; | 79 return false; |
| 76 end | 80 end |
| 77 local permit = role_may(role_name, action, context); | 81 local permit = role_may(self.host, role_name, action, context); |
| 78 if not permit then | 82 if not permit then |
| 79 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role_name); | 83 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role_name); |
| 80 end | 84 end |
| 81 return permit; | 85 return permit; |
| 82 end | 86 end |