authorMatthew Wild <mwild1@gmail.com>2023-03-26 14:06:04 +0100
committerMatthew Wild <mwild1@gmail.com>2023-03-26 14:06:04 +0100
commiteb45f0fcf8c049c9c78c7d4dd967866baf47f043 (patch)
treec57303398f4d3ea9c7ba6cbec5fea3afeb75fe57
parent6b2d191b939099b598e7edaf972994c94a24ff0e (diff)
moduleapi: Add 'peek' to :may() and new :could() helper to suppress logging
The current method logs scary "access denied" messages on failure - this is generally very useful when debugging access control stuff, but in some cases the call is simply a check to see if someone *could* perform an action, even if they haven't requested it yet. One example is determining whether to show the user as an admin in disco. The 'peek' parameter, if true, will suppress such logging. The :could() method is just a simple helper that can make the calling code a bit more readable (suggested by Zash).
-rw-r--r--core/moduleapi.lua26
1 files changed, 19 insertions, 7 deletions
diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index 18452e2b..00b2ae16 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -626,7 +626,11 @@ function api:default_permissions(role_name, permissions)
end
end
-function api:may(action, context)
+function api:could(action, context)
+ return self:may(action, context, true);
+end
+
+function api:may(action, context, peek)
if action:byte(1) == 58 then -- action begins with ':'
action = self.name..action; -- prepend module name
end
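Review bot: The new `api:could` and the new `peek` parameter of `api:may` carry no documentation, and because `:could()` differs from `:may()` only in what gets logged, nothing tells a caller that enforcement decisions should still go through `:may()` so that denied attempts stay visible in the logs. Suggest an LDoc header above `api:could` such as `--- Check whether an action would be permitted, without logging a denial.` followed by `-- Same result as :may(action, context, true); use :may() wherever the result gates an action, so that refusals are logged.`, and a matching `-- @tparam[opt] boolean peek suppress "Access denied" log lines` on `api:may`. The body of api:may continues past the end of this hunk.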
@@ -639,12 +643,16 @@ function api:may(action, context)
role = hosts[self.host].authz.get_jid_role(context);
end
if not role then
- self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
+ if not peek then
+ self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
+ end
return false;
end
local permit = role:may(action);
if not permit then
- self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
+ if not peek then
+ self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
+ end
end
return permit;
end
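Review bot: The `peek` test added around the second debug log in this hunk is nested as a separate `if not peek then` block inside `if not permit then`, while the equivalent sites later in the same function (the session and stanza branches) fold it into the condition as `if not permit and not peek then`. Using the folded form here too keeps the denial sites uniform and drops one indentation level: `if not permit and not peek then` directly enclosing the existing log call. The early-return branch above it legitimately keeps the nested form, since it must return `false` whether or not `peek` is set.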
@@ -656,11 +664,13 @@ function api:may(action, context)
if session.type == "c2s" and session.host == self.host then
local role = session.role;
if not role then
- self:log("warn", "Access denied: session %s has no role assigned");
+ if not peek then
+ self:log("warn", "Access denied: session %s has no role assigned");
+ end
return false;
end
local permit = role:may(action, context);
- if not permit then
+ if not permit and not peek then
self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
session.id, session.full_jid, action, role.name
);
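Review bot: The warn-level log re-indented in this hunk, `self:log("warn", "Access denied: session %s has no role assigned");`, contains a `%s` placeholder but passes no argument for it, so the message is rendered without the session identifier (or fails, depending on how the logger formats its arguments). The debug log a few lines below passes `session.id` for the same purpose, so this one should too: `self:log("warn", "Access denied: session %s has no role assigned", session.id);`. The defect predates the commit, but since the line is touched here it is the natural place to correct it. The enclosing api:may starts and ends outside this hunk.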
@@ -670,11 +680,13 @@ function api:may(action, context)
local actor_jid = context.stanza.attr.from;
local role = hosts[self.host].authz.get_jid_role(actor_jid);
if not role then
- self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
+ if not peek then
+ self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
+ end
return false;
end
local permit = role:may(action, context);
- if not permit then
+ if not permit and not peek then
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
end
return permit;