# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1686248112 -3600
# Node ID 1249ab2f797c2a079656df80179ca565af5ef46b
# Parent  fa8435a27f7e0c8d1f5bd7f639151c10d45a284c
mod_firewall: Log warning when attempting to mark/unmark remote users

diff -r fa8435a27f7e -r 1249ab2f797c mod_firewall/actions.lib.lua
--- a/mod_firewall/actions.lib.lua	Thu Jun 08 17:00:04 2023 +0100
+++ b/mod_firewall/actions.lib.lua	Thu Jun 08 19:15:12 2023 +0100
@@ -220,20 +220,29 @@
 end
 
 function action_handlers.MARK_USER(name)
-	return ([[fire_event("firewall/marked/user", {
+	return ([[if session.username and session.host == current_host then
+			fire_event("firewall/marked/user", {
 				username = session.username;
 				mark = %q;
 				timestamp = current_timestamp;
 			});
-		]]):format(assert(idsafe(name), "Invalid characters in mark name: "..name)), { "timestamp" };
+		else
+			log("warn", "Attempt to MARK a remote user - only local users may be marked");
+		end]]):format(assert(idsafe(name), "Invalid characters in mark name: "..name)), {
+			"current_host";
+			"timestamp";
+		};
 end
 
 function action_handlers.UNMARK_USER(name)
-	return ([[fire_event("firewall/unmarked/user", {
+	return ([[if session.username and session.host == current_host then
+			fire_event("firewall/unmarked/user", {
 				username = session.username;
 				mark = %q;
 			});
-		]]):format(assert(idsafe(name), "Invalid characters in mark name: "..name));
+		else
+			log("warn", "Attempt to UNMARK a remote user - only local users may be marked");
+		end]]):format(assert(idsafe(name), "Invalid characters in mark name: "..name));
 end
 
 function action_handlers.ADD_TO(spec)