Mercurial > prosody-modules
changeset 5296:0f5657db1cfc
mod_isolate_host: handle server-generated stanzas
The hook for setting the no_host_isolation is only called for c2s
sessions. This does not work for stanzas generated by the server,
such as PEP notifications or presence probe answers.
To handle that, we do per-stanza checks for the case that the origin
is local.
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Sat, 01 Apr 2023 12:03:08 +0200 |
parents | 98d5acb93439 |
children | 4bba2d27ffaf |
files | mod_isolate_host/mod_isolate_host.lua |
diffstat | 1 files changed, 19 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_isolate_host/mod_isolate_host.lua Fri Mar 31 16:56:42 2023 +0200 +++ b/mod_isolate_host/mod_isolate_host.lua Sat Apr 01 12:03:08 2023 +0200 @@ -22,6 +22,14 @@ except_domains:add(to_host); return; end + if origin.type == "local" then + -- this is code-generated, which means that set_session_isolation_flag has never triggered. + -- we need to check explicitly. + if not is_jid_isolated(jid_bare(event.stanza.attr.from)) then + module:log("debug", "server-generated stanza from %s is allowed, as the jid is not isolated", event.stanza.attr.from); + return; + end + end module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); return true; @@ -36,13 +44,21 @@ module:default_permission("prosody:admin", "xmpp:federate"); -function check_user_isolated(event) +function is_jid_isolated(bare_jid) + if module:may("xmpp:federate", bare_jid) or except_users:contains(bare_jid) then + return false; + else + return true; + end +end + +function set_session_isolation_flag(event) local session = event.session; local bare_jid = jid_bare(session.full_jid); - if module:may("xmpp:federate", event) or except_users:contains(bare_jid) then + if not is_jid_isolated(bare_jid) then session.no_host_isolation = true; end module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); end -module:hook("resource-bind", check_user_isolated); +module:hook("resource-bind", set_session_isolation_flag);