authorKim Alvefur <zash@zash.se>2023-05-07 20:34:07 +0200
committerKim Alvefur <zash@zash.se>2023-05-07 20:34:07 +0200
commite80cd078fd8fd352453ba97733b319b1de88413d (patch)
treec7deae3b6f648774f5c62899ca31e647a28d109b /plugins
parent98d5a50eb6f0183bcce937fa2d18019e2c6006bd (diff)
mod_tokenauth: Support selection of _no_ role at all
If a grant does not have a role, we should not go and make one up. While not very useful for XMPP if you can't even login, it may be useful for OAuth2/OIDC.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_tokenauth.lua11
1 files changed, 6 insertions, 5 deletions
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 4f0e6c54..4364c2c8 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -10,11 +10,12 @@ local token_store = module:open_store("auth_tokens", "keyval+");
local access_time_granularity = module:get_option_number("token_auth_access_time_granularity", 60);
-local function select_role(username, host, role)
- if role then
- return prosody.hosts[host].authz.get_role_by_name(role);
- end
- return usermanager.get_user_role(username, host);
+local function select_role(username, host, role_name)
+ if not role_name then return end
+ local role = usermanager.get_role_by_name(role_name, host);
+ if not role then return end
+ if not usermanager.user_can_assume_role(username, host, role.name) then return end
+ return role;
end
function create_grant(actor_jid, grant_jid, grant_ttl, grant_data)
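Review bot: The new `select_role` returns nil for three different reasons (the grant carries no role, `role_name` does not resolve on this host, or `user_can_assume_role` refuses it), and nothing in the function lets a caller or an operator tell them apart. The last two are authorization denials, so it would help to log them before returning, for example `module:log("debug", "Role %s is not available to %s@%s", role_name, username, host);`. A short header comment such as `-- Returns the role object, or nil when the grant has no role or the user may not assume it; callers must treat nil as "no privileges".` would also document the contract. The callers are outside this hunk, so it cannot be confirmed here that each of them handles a nil role without falling back to the user's default role; that is worth checking since the old code never returned nil for a missing `role`.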