mod_pubsub: Check new role framework for node creation privileges

This enables granting regular users permission to create nodes via the
new roles framework. Previously this required either making everyone an
admin or writing a custom mod_pubsub variant with different permission
details.

Previous default behavior of only allowing creation by admin is kept as
to not give out unexpected permissions on upgrade, but could be
reevaluated at a later time.

Fixes #1324

1 files changed, 14 insertions, 2 deletions

diff --git a/plugins/mod_pubsub/mod_pubsub.lua b/plugins/mod_pubsub/mod_pubsub.lua
index 4f83088a..6efc419f 100644
--- a/plugins/mod_pubsub/mod_pubsub.lua
+++ b/plugins/mod_pubsub/mod_pubsub.lua
@@ -190,10 +190,22 @@ module:hook("host-disco-items", function (event)
 end);
 
 local admin_aff = module:get_option_enum("default_admin_affiliation", "owner", "publisher", "member", "outcast", "none");
+
 module:default_permission("prosody:admin", ":service-admin");
-local function get_affiliation(jid)
+module:default_permission("prosody:admin", ":create-node");
+
+local function get_affiliation(jid, _, action)
 	local bare_jid = jid_bare(jid);
-	if bare_jid == module.host or module:may(":service-admin", bare_jid) then
+	if bare_jid == module.host then
+		-- The host itself (i.e. local modules) is treated as an admin.
+		-- Check this first as to avoid sendig a host JID to :may()
+		return admin_aff;
+	end
+	if action == "create" and module:may(":create-node", bare_jid) then
+		-- Only one affiliation is allowed to create nodes by default
+		return "owner";
+	end
+	if module:may(":service-admin", bare_jid) then
 		return admin_aff;
 	end
 end