# HG changeset patch # User Jonas Schäfer # Date 1680343388 -7200 # Node ID 0f5657db1cfcda854ab398b857f6f7d29f1ca749 # Parent 98d5acb93439ce223ec3d42fed5a0d9563c3ca95 mod_isolate_host: handle server-generated stanzas The hook for setting the no_host_isolation is only called for c2s sessions. This does not work for stanzas generated by the server, such as PEP notifications or presence probe answers. To handle that, we do per-stanza checks for the case that the origin is local. diff -r 98d5acb93439 -r 0f5657db1cfc mod_isolate_host/mod_isolate_host.lua --- a/mod_isolate_host/mod_isolate_host.lua Fri Mar 31 16:56:42 2023 +0200 +++ b/mod_isolate_host/mod_isolate_host.lua Sat Apr 01 12:03:08 2023 +0200 @@ -22,6 +22,14 @@ except_domains:add(to_host); return; end + if origin.type == "local" then + -- this is code-generated, which means that set_session_isolation_flag has never triggered. + -- we need to check explicitly. + if not is_jid_isolated(jid_bare(event.stanza.attr.from)) then + module:log("debug", "server-generated stanza from %s is allowed, as the jid is not isolated", event.stanza.attr.from); + return; + end + end module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); return true; @@ -36,13 +44,21 @@ module:default_permission("prosody:admin", "xmpp:federate"); -function check_user_isolated(event) +function is_jid_isolated(bare_jid) + if module:may("xmpp:federate", bare_jid) or except_users:contains(bare_jid) then + return false; + else + return true; + end +end + +function set_session_isolation_flag(event) local session = event.session; local bare_jid = jid_bare(session.full_jid); - if module:may("xmpp:federate", event) or except_users:contains(bare_jid) then + if not is_jid_isolated(bare_jid) then session.no_host_isolation = true; end module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); end -module:hook("resource-bind", check_user_isolated); +module:hook("resource-bind", set_session_isolation_flag);