aboutsummaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
Diffstat (limited to 'core')
-rw-r--r--core/moduleapi.lua63
-rw-r--r--core/sessionmanager.lua15
-rw-r--r--core/usermanager.lua6
3 files changed, 75 insertions, 9 deletions
diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index 36d82193..f0b412f3 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -19,6 +19,7 @@ local promise = require "util.promise";
local time_now = require "util.time".now;
local format = require "util.format".format;
local jid_node = require "util.jid".node;
+local jid_split = require "util.jid".split;
local jid_resource = require "util.jid".resource;
local t_insert, t_remove, t_concat = table.insert, table.remove, table.concat;
@@ -601,4 +602,66 @@ function api:get_status()
return self.status_type, self.status_message, self.status_time;
end
+function api:default_permission(role_name, permission)
+ permission = permission:gsub("^:", self.name..":");
+ hosts[self.host].authz.add_default_permission(role_name, permission);
+end
+
+function api:default_permissions(role_name, permissions)
+ for _, permission in ipairs(permissions) do
+ permission = permission:gsub("^:", self.name..":");
+ self:default_permission(role_name, permission);
+ end
+end
+
+function api:may(action, context)
+ if type(context) == "string" then -- check JID permissions
+ local role;
+ local node, host = jid_split(context);
+ if host == self.host then
+ role = hosts[host].authz.get_user_role(node);
+ else
+ role = hosts[self.host].authz.get_jid_role(context);
+ end
+ if not role then
+ self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
+ return false;
+ end
+ local permit = role:may(action);
+ if not permit then
+ self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
+ end
+ return permit;
+ end
+
+ local session = context.origin or context.session;
+ if not session then
+ error("Unable to identify actor session from context");
+ end
+ if action:byte(1) == 58 then -- action begins with ':'
+ action = self.name..action; -- prepend module name
+ end
+ if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+ local actor_jid = context.stanza.attr.from;
+ local role = hosts[self.host].authz.get_jid_role(actor_jid);
+ if not role then
+ self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
+ return false;
+ end
+ local permit = role:may(action, context);
+ if not permit then
+ self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
+ end
+ return permit;
+ elseif session.role then
+ local permit = session.role:may(action, context);
+ if not permit then
+ self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+ session.id, session.full_jid, action, session.role.name
+ );
+ end
+ return permit;
+ end
+end
+
return api;
diff --git a/core/sessionmanager.lua b/core/sessionmanager.lua
index 7f296ff1..426afa7b 100644
--- a/core/sessionmanager.lua
+++ b/core/sessionmanager.lua
@@ -123,15 +123,24 @@ local function destroy_session(session, err)
retire_session(session);
end
-local function make_authenticated(session, username, scope)
+local function make_authenticated(session, username, role_name)
username = nodeprep(username);
if not username or #username == 0 then return nil, "Invalid username"; end
session.username = username;
if session.type == "c2s_unauthed" then
session.type = "c2s_unbound";
end
- session.auth_scope = scope;
- session.log("info", "Authenticated as %s@%s", username, session.host or "(unknown)");
+
+ local role;
+ if role_name then
+ role = hosts[session.host].authz.get_role_info(role_name);
+ else
+ role = hosts[session.host].authz.get_user_default_role(username);
+ end
+ if role then
+ sessionlib.set_role(session, role);
+ end
+ session.log("info", "Authenticated as %s@%s [%s]", username, session.host or "(unknown)", role and role.name or "no role");
return true;
end
diff --git a/core/usermanager.lua b/core/usermanager.lua
index 45f104fa..970140ef 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -188,11 +188,6 @@ local function set_roles(jid, host, roles)
end
end
-local function is_admin(jid, host)
- local roles = get_roles(jid, host);
- return roles and roles["prosody:admin"];
-end
-
local function get_users_with_role(role, host)
if not hosts[host] then return false; end
if type(role) ~= "string" then return false; end
@@ -224,7 +219,6 @@ return {
get_provider = get_provider;
get_roles = get_roles;
set_roles = set_roles;
- is_admin = is_admin;
get_users_with_role = get_users_with_role;
get_jids_with_role = get_jids_with_role;
};