author | Kim Alvefur <zash@zash.se> | 2022-08-29 11:47:31 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2022-08-29 11:47:31 +0200 |
commit | 03b3b1b9ad4b6a0b749d0345b34591694bb0cd90 (patch) | |
tree | 168923d834d98307cc9dc5992030712e9eaff3e7 /core/moduleapi.lua | |
parent | 1254a0de555478847dcea21c3d3b519624a9e5a6 (diff) | |
core.moduleapi: Check for local role-aware sessions before e.g. s2s
The condition checked for s2sin but not s2sout, so would have ignored
bidi-enabled s2sout sessions. Components as well.
Diffstat (limited to 'core/moduleapi.lua')
-rw-r--r-- | core/moduleapi.lua | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index 73ce4911..fd54500d 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -649,7 +649,15 @@ function api:may(action, context)
 if type(session) ~= "table" then
 error("Unable to identify actor session from context");
 end
- if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+ if session.role and session.type == "c2s" and session.host == self.host then
+ local permit = session.role:may(action, context);
+ if not permit then
+ self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+ session.id, session.full_jid, action, session.role.name
+ );
+ end
+ return permit;
+ else
 local actor_jid = context.stanza.attr.from;
 local role = hosts[self.host].authz.get_jid_role(actor_jid);
 if not role then
@@ -661,14 +669,6 @@ function api:may(action, context)
 self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
 end
 return permit;
- elseif session.role then
- local permit = session.role:may(action, context);
- if not permit then
- self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
- session.id, session.full_jid, action, session.role.name
- );
- end
- return permit;
 end
 end |
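Review bot: The new catch-all `else` in `api:may` decides authorization from `context.stanza.attr.from` for every session that is not a local `c2s` session carrying `session.role`, not only the s2sout and component sessions named in the commit message. Before this change a session matching neither branch fell through and returned nil; now a context without a `stanza` raises an index error on that line, and a local `c2s` session with no `role` is authorized by a `from` attribute whose validation is not visible in this hunk. I would guard the fallback with `elseif not context.stanza then error("Unable to identify actor from context");` ahead of the `else`, and add the comment `-- fallback: 'from' must already be verified for this session type (s2s, bidi, component)` above `local actor_jid`. The start of `api:may` lies outside the hunk, so an earlier check on `context.stanza` may already exist.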