diff options
| author | Matthew Wild <mwild1@gmail.com> | 2022-08-17 16:38:53 +0100 |
|---|---|---|
| committer | Matthew Wild <mwild1@gmail.com> | 2022-08-17 16:38:53 +0100 |
| commit | f5768f63c993cee9f7f8e3c89db7e4e3080beab5 (patch) | |
| tree | 8de97d71efdbbfbdb54fdd7c0da47c811bb7a183 /core | |
| parent | 2b0676396dc84dad48735a9e3782bb4f13b36471 (diff) | |
| download | prosody-f5768f63c993cee9f7f8e3c89db7e4e3080beab5.tar.gz prosody-f5768f63c993cee9f7f8e3c89db7e4e3080beab5.zip | |
mod_authz_internal, and more: New iteration of role API
These changes to the API (hopefully the last) introduce a cleaner separation
between the user's primary (default) role, and their secondary (optional)
roles.
To keep the code sane and reduce complexity, a data migration is needed for
people using stored roles in 0.12. This can be performed with
prosodyctl mod_authz_internal migrate <host>
Diffstat (limited to 'core')
| -rw-r--r-- | core/moduleapi.lua | 3 | ||||
| -rw-r--r-- | core/sessionmanager.lua | 2 | ||||
| -rw-r--r-- | core/usermanager.lua | 68 |
3 files changed, 52 insertions, 21 deletions
diff --git a/core/moduleapi.lua b/core/moduleapi.lua index 8790a9d3..73ce4911 100644 --- a/core/moduleapi.lua +++ b/core/moduleapi.lua @@ -538,6 +538,7 @@ function api:load_resource(path, mode) end function api:open_store(name, store_type) + if self.host == "*" then return nil, "global-storage-not-supported"; end return require"core.storagemanager".open(self.host, name or self.name, store_type); end @@ -629,7 +630,7 @@ function api:may(action, context) local role; local node, host = jid_split(context); if host == self.host then - role = hosts[host].authz.get_user_default_role(node); + role = hosts[host].authz.get_user_role(node); else role = hosts[self.host].authz.get_jid_role(context); end diff --git a/core/sessionmanager.lua b/core/sessionmanager.lua index 924c4968..dec21674 100644 --- a/core/sessionmanager.lua +++ b/core/sessionmanager.lua @@ -135,7 +135,7 @@ local function make_authenticated(session, username, role_name) if role_name then role = hosts[session.host].authz.get_role_by_name(role_name); else - role = hosts[session.host].authz.get_user_default_role(username); + role = hosts[session.host].authz.get_user_role(username); end if role then sessionlib.set_role(session, role); diff --git a/core/usermanager.lua b/core/usermanager.lua index 0a2f5c4d..cf54fc31 100644 --- a/core/usermanager.lua +++ b/core/usermanager.lua @@ -37,13 +37,17 @@ end local fallback_authz_provider = { get_user_roles = function (user) end; --luacheck: ignore 212/user get_jids_with_role = function (role) end; --luacheck: ignore 212 - set_user_roles = function (user, roles) end; -- luacheck: ignore 212 - set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212 - get_user_default_role = function (user) end; -- luacheck: ignore 212 - get_users_with_role = function (role_name) end; -- luacheck: ignore 212 + get_user_role = function (user) end; -- luacheck: ignore 212 + set_user_role = function (user, roles) end; -- luacheck: ignore 212 + + add_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212 + remove_user_secondary_role = function (user, host, role_name) end; --luacheck: ignore 212 + get_jid_role = function (jid) end; -- luacheck: ignore 212 - set_jid_role = function (jid) end; -- luacheck: ignore 212 + set_jid_role = function (jid, role) end; -- luacheck: ignore 212 + + get_users_with_role = function (role_name) end; -- luacheck: ignore 212 add_default_permission = function (role_name, action, policy) end; -- luacheck: ignore 212 get_role_by_name = function (role_name) end; -- luacheck: ignore 212 }; @@ -140,39 +144,63 @@ local function get_provider(host) return hosts[host].users; end --- Returns a map of { [role_name] = role, ... } that a user is allowed to assume -local function get_user_roles(user, host) +local function get_user_role(user, host) if host and not hosts[host] then return false; end if type(user) ~= "string" then return false; end - return hosts[host].authz.get_user_roles(user); + return hosts[host].authz.get_user_role(user); end -local function get_user_default_role(user, host) +local function set_user_role(user, host, role_name) if host and not hosts[host] then return false; end if type(user) ~= "string" then return false; end - return hosts[host].authz.get_user_default_role(user); + local role, err = hosts[host].authz.set_user_role(user, role_name); + if role then + prosody.events.fire_event("user-role-changed", { + username = user, host = host, role = role; + }); + end + return role, err; end --- Accepts a set of role names which the user is allowed to assume -local function set_user_roles(user, host, roles) +local function add_user_secondary_role(user, host, role_name) if host and not hosts[host] then return false; end if type(user) ~= "string" then return false; end - local ok, err = hosts[host].authz.set_user_roles(user, roles); + local role, err = hosts[host].authz.add_user_secondary_role(user, role_name); + if role then + prosody.events.fire_event("user-role-added", { + username = user, host = host, role = role; + }); + end + return role, err; +end + +local function remove_user_secondary_role(user, host, role_name) + if host and not hosts[host] then return false; end + if type(user) ~= "string" then return false; end + + local ok, err = hosts[host].authz.remove_user_secondary_role(user, role_name); if ok then - prosody.events.fire_event("user-roles-changed", { - username = user, host = host + prosody.events.fire_event("user-role-removed", { + username = user, host = host, role_name = role_name; }); end return ok, err; end +local function get_user_secondary_roles(user, host) + if host and not hosts[host] then return false; end + if type(user) ~= "string" then return false; end + + return hosts[host].authz.get_user_secondary_roles(user); +end + local function get_jid_role(jid, host) local jid_node, jid_host = jid_split(jid); if host == jid_host and jid_node then - return hosts[host].authz.get_user_default_role(jid_node); + return hosts[host].authz.get_user_role(jid_node); end return hosts[host].authz.get_jid_role(jid); end @@ -230,9 +258,11 @@ return { users = users; get_sasl_handler = get_sasl_handler; get_provider = get_provider; - get_user_default_role = get_user_default_role; - get_user_roles = get_user_roles; - set_user_roles = set_user_roles; + get_user_role = get_user_role; + set_user_role = set_user_role; + add_user_secondary_role = add_user_secondary_role; + remove_user_secondary_role = remove_user_secondary_role; + get_user_secondary_roles = get_user_secondary_roles; get_users_with_role = get_users_with_role; get_jid_role = get_jid_role; set_jid_role = set_jid_role; |