diff options
author | Kim Alvefur <zash@zash.se> | 2023-09-16 14:23:08 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2023-09-16 14:23:08 +0200 |
commit | df4bde023ba33f3a84538aa5cd10a0e1bda64990 (patch) | |
tree | 821e1d23dddb6663618c930b4fd97d61ed6b7857 | |
parent | eeaa713fda7927c885302b66f75ebe8b64531a01 (diff) | |
download | prosody-df4bde023ba33f3a84538aa5cd10a0e1bda64990.tar.gz prosody-df4bde023ba33f3a84538aa5cd10a0e1bda64990.zip |
mod_http_file_share: Switch to the new authz API (BC)
Behavior change: It becomes up to the authorization module whether to
allow requests. The default, mod_authz_internal, will allow users on the
*parent* host only, breaking use by some components.
Remaining question is whether to deprecate the `http_file_share_access`
setting or leave as a way to complement/bypass access control?
-rw-r--r-- | CHANGES | 1 | ||||
-rw-r--r-- | plugins/mod_http_file_share.lua | 4 |
2 files changed, 4 insertions, 1 deletions
@@ -51,6 +51,7 @@ TRUNK - mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy - Moved all modules into the Lua namespace `prosody.` - Forwarded header from RFC 7239 supported, disabled by default +- mod_http_file_share now uses roles framework, affecting access from e.g. components ## Removed diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index a1c725f8..6df9e3c3 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -47,6 +47,8 @@ local create_jwt, verify_jwt = require"prosody.util.jwt".init("HS256", secret, s local access = module:get_option_set(module.name .. "_access", {}); +module:default_permission("prosody:registered", ":upload"); + if not external_base_url then module:depends("http"); end @@ -136,7 +138,7 @@ end function may_upload(uploader, filename, filesize, filetype) -- > boolean, error local uploader_host = jid.host(uploader); - if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then + if not (module:may(":upload", uploader) or access:contains(uploader) or access:contains(uploader_host)) then return false, upload_errors.new("access"); end |