changeset 49:59f490390528

mod_adhoc, mod_adhoc_cmd_admin: Check permissions in one place for all commands
author Florian Zeitz <florob@babelmonkeys.de>
date Sat, 17 Oct 2009 01:37:25 +0200
parents 7fbaf590dc12
children a96d3f37d845
files mod_adhoc/adhoc/mod_adhoc.lua mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua
diffstat 2 files changed, 8 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/mod_adhoc/adhoc/mod_adhoc.lua	Sat Oct 17 01:36:25 2009 +0200
+++ b/mod_adhoc/adhoc/mod_adhoc.lua	Sat Oct 17 01:37:25 2009 +0200
@@ -34,6 +34,14 @@
         local node = stanza.tags[1].attr.node
 		for i = 1, #commands do
 			if commands[i].node == node then
+				-- check whether user has permission to execute this command first
+				if commands[i].permission == "admin" and not is_admin(stanza.attr.from) then
+					origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to execute this command"):up()
+						:add_child(commands[i]:cmdtag("canceled")
+							:tag("note", {type="error"}):text("You don't have permission to execute this command")));
+					return true
+				end
+				-- User has permission now execute the command
 				return commands[i].handler(commands[i], origin, stanza);
 			end
 		end
--- a/mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua	Sat Oct 17 01:36:25 2009 +0200
+++ b/mod_adhoc_cmd_admin/mod_adhoc_cmd_admin.lua	Sat Oct 17 01:37:25 2009 +0200
@@ -39,13 +39,6 @@
 };
 
 function add_user_command_handler(item, origin, stanza)
-	if not is_admin(stanza.attr.from) then
-		module:log("warn", "Non-admin %s tried to add a user", tostring(jid.bare(stanza.attr.from)));
-		origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to add a user"):up()
-			:add_child(item:cmdtag("canceled")
-				:tag("note", {type="error"}):text("You don't have permission to add a user")));
-		return true;
-	end
 	if stanza.tags[1].attr.sessionid and sessions[stanza.tags[1].attr.sessionid] then
 		if stanza.tags[1].attr.action == "cancel" then
 			origin.send(st.reply(stanza):add_child(item:cmdtag("canceled", stanza.tags[1].attr.sessionid)));
@@ -96,12 +89,6 @@
 end
 
 function get_online_users_command_handler(item, origin, stanza)
-	if not is_admin(stanza.attr.from) then
-		origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to request a list of online users"):up()
-			:add_child(item:cmdtag("canceled")
-				:tag("note", {type="error"}):text("You don't have permission to request a list of online users")));
-		return true;
-	end
 	if stanza.tags[1].attr.sessionid and sessions[stanza.tags[1].attr.sessionid] then
 		if stanza.tags[1].attr.action == "cancel" then
 			origin.send(st.reply(stanza):add_child(item:cmdtag("canceled", stanza.tags[1].attr.sessionid)));