authorKim Alvefur <zash@zash.se>2022-08-29 11:47:31 +0200
committerKim Alvefur <zash@zash.se>2022-08-29 11:47:31 +0200
commit03b3b1b9ad4b6a0b749d0345b34591694bb0cd90 (patch)
tree168923d834d98307cc9dc5992030712e9eaff3e7 /core/moduleapi.lua
parent1254a0de555478847dcea21c3d3b519624a9e5a6 (diff)
core.moduleapi: Check for local role-aware sessions before e.g. s2s
The condition checked for s2sin but not s2sout, so would have ignored bidi-enabled s2sout sessions. Components as well.
Diffstat (limited to 'core/moduleapi.lua')
-rw-r--r--core/moduleapi.lua18
1 files changed, 9 insertions, 9 deletions
diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index 73ce4911..fd54500d 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -649,7 +649,15 @@ function api:may(action, context)
if type(session) ~= "table" then
error("Unable to identify actor session from context");
end
- if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+ if session.role and session.type == "c2s" and session.host == self.host then
+ local permit = session.role:may(action, context);
+ if not permit then
+ self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+ session.id, session.full_jid, action, session.role.name
+ );
+ end
+ return permit;
+ else
local actor_jid = context.stanza.attr.from;
local role = hosts[self.host].authz.get_jid_role(actor_jid);
if not role then
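Review bot: The new `else` closing this hunk is now the catch-all for every session that is not a local role-aware c2s, and it takes the actor identity from `context.stanza.attr.from` without checking that the context carries a stanza. In the old layout a session matching neither branch fell through and returned nil, which callers would treat as a denial; now a local c2s session with no `session.role`, or a context holding only a session, reaches this line and either raises an indexing error or is authorized purely from the stanza's `from` JID. I would guard it with `local actor_jid = context.stanza and context.stanza.attr.from;` followed by `if not actor_jid then return false; end`. A comment should also state that this branch relies on `from` having been validated by the s2s or component layer before `may` is called. The body of `api:may` starts before this hunk, so an earlier check may already cover part of this and is worth confirming.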
@@ -661,14 +669,6 @@ function api:may(action, context)
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
end
return permit;
- elseif session.role then
- local permit = session.role:may(action, context);
- if not permit then
- self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
- session.id, session.full_jid, action, session.role.name
- );
- end
- return permit;
end
end