| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current method logs scary "access denied" messages on failure - this is
generally very useful when debugging access control stuff, but in some cases
the call is simply a check to see if someone *could* perform an action, even
if they haven't requested it yet. One example is determining whether to show
the user as an admin in disco.
The 'peek' parameter, if true, will suppress such logging.
The :could() method is just a simple helper that can make the calling code a
bit more readable (suggested by Zash).
|
|
|
|
|
|
|
| |
We expect every session to explicitly have a role assigned. Falling back to
any kind of "default" role (even the user's default role) in the absence of
an explicit role could open up the possibility of accidental privilege
escalation.
|
| |
|
|
|
|
|
| |
Useful to know why a module was auto-loaded without having to dig trough
all other modules for the one that depends on it.
|
| |
|
|
|
|
|
| |
The condition checked for s2sin but not s2sout, so would have ignored
bidi-enabled s2sout sessions. Components as well.
|
|
|
|
|
|
|
|
|
|
|
| |
These changes to the API (hopefully the last) introduce a cleaner separation
between the user's primary (default) role, and their secondary (optional)
roles.
To keep the code sane and reduce complexity, a data migration is needed for
people using stored roles in 0.12. This can be performed with
prosodyctl mod_authz_internal migrate <host>
|
|
|
|
|
| |
Non-table but truthy values would trigger "attempt to index a foo value"
on the next line otherwise
|
| |
|
|
|
|
|
|
| |
Roles and permissions will always happen in the context of a host.
Prevents error upon indexing since `hosts["*"] == nil`
|
|
|
|
|
|
| |
Ensures it applies to the context as string case
Somehow this fixes everything
|
|
|
|
|
|
| |
`get_user_role()` did not exist anywhere else.
MattJ said `get_user_default_role()` was indented
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We began moving away from simple "is this user an admin?" permission checks
before 0.12, with the introduction of mod_authz_internal and the ability to
dynamically change the roles of individual users.
The approach in 0.12 still had various limitations however, and apart from
the introduction of roles other than "admin" and the ability to pull that info
from storage, not much actually changed.
This new framework shakes things up a lot, though aims to maintain the same
functionality and behaviour on the surface for a default Prosody
configuration. That is, if you don't take advantage of any of the new
features, you shouldn't notice any change.
The biggest change visible to developers is that usermanager.is_admin() (and
the auth provider is_admin() method) have been removed. Gone. Completely.
Permission checks should now be performed using a new module API method:
module:may(action_name, context)
This method accepts an action name, followed by either a JID (string) or
(preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g.
the standard object passed to most events). It will return true if the action
should be permitted, or false/nil otherwise.
Modules should no longer perform permission checks based on the role name.
E.g. a lot of code previously checked if the user's role was prosody:admin
before permitting some action. Since many roles might now exist with similar
permissions, and the permissions of prosody:admin may be redefined
dynamically, it is no longer suitable to use this method for permission
checks. Use module:may().
If you start an action name with ':' (recommended) then the current module's
name will automatically be used as a prefix.
To define a new permission, use the new module API:
module:default_permission(role_name, action_name)
module:default_permissions(role_name, { action_name[, action_name...] })
This grants the specified role permission to execute the named action(s) by
default. This may be overridden via other mechanisms external to your module.
The built-in roles that developers should use are:
- prosody:user (normal user)
- prosody:admin (host admin)
- prosody:operator (global admin)
The new prosody:operator role is intended for server-wide actions (such as
shutting down Prosody).
Finally, all usage of is_admin() in modules has been fixed by this commit.
Some of these changes were trickier than others, but no change is expected to
break existing deployments.
EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's
very possible nobody is using this, but if someone is then we can later update
it to pull roles from LDAP somehow.
|
|
|
|
|
| |
Added in d278a770eddc avoid having to deal with its absence in Lua 5.1.
No longer needed when Lua 5.1 support is dropped.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The 'global' property should reflect whether the module API instance
represents the global context or a VirtualHost or Component context.
However the module:context() method did not override this, leading the
property of the previous module shining trough, leading to bugs in code
relying on the 'global' property.
See also #1736
|
| |
|
|
|
|
|
|
| |
The goal is to allow module:provides("foo-bar") with a mod_foo_bar_ prefix
being stripped. It will break any existing modules that use a prefix and have
hyphens instead of underscores. No such modules are known.
|
| |
|
| |
|
|
|
|
| |
Lets you know what to look for with stats:show()
|
|
|
|
|
|
|
| |
hook_stanza was renamed hook_tag in 2012 in 2087d42f1e77
Why do we still have hook_stanza?
Why is this only a warning anyway?
|
|
|
|
|
|
| |
To prevent a situation where you for whatever reason use a full JID that
is currently online and the response ends up routed there instead of the
module:send_iq() handlers.
|
|
|
|
|
| |
Since we don't currently have hooks that includes type and id here, we
need to check those attributes in the handlers.
|
|
|
|
|
|
|
|
|
|
|
| |
This is primarily something that happens with an internal query to
mod_mam, which calls origin.send() several times with results, leading
to the first such result being treated as the final response and
resolving the promise.
Now, these responses pass trough to the underlying origin.send(), where
they can be caught. Tricky but not impossible. For remote queries, it's
even trickier, you would likely need to bind a resource or similar.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The metric subsystem of Prosody has had some shortcomings from
the perspective of the current state-of-the-art in metric
observability.
The OpenMetrics standard [0] is a formalization of the data
model (and serialization format) of the well-known and
widely-used Prometheus [1] software stack.
The previous stats subsystem of Prosody did not map well to that
format (see e.g. [2] and [3]); the key reason is that it was
trying to do too much math on its own ([2]) while lacking
first-class support for "families" of metrics ([3]) and
structured metric metadata (despite the `extra` argument to
metrics, there was no standard way of representing common things
like "tags" or "labels").
Even though OpenMetrics has grown from the Prometheus world of
monitoring, it maps well to other popular monitoring stacks
such as:
- InfluxDB (labels can be mapped to tags and fields as necessary)
- Carbon/Graphite (labels can be attached to the metric name with
dot-separation)
- StatsD (see graphite when assuming that graphite is used as
backend, which is the default)
The util.statsd module has been ported to use the OpenMetrics
model as a proof of concept. An implementation which exposes
the util.statistics backend data as Prometheus metrics is
ready for publishing in prosody-modules (most likely as
mod_openmetrics_prometheus to avoid breaking existing 0.11
deployments).
At the same time, the previous measure()-based API had one major
advantage: It is really simple and easy to use without requiring
lots of knowledge about OpenMetrics or similar concepts. For that
reason as well as compatibility with existing code, it is preserved
and may even be extended in the future.
However, code relying on the `stats-updated` event as well as
`get_stats` from `statsmanager` will break because the data
model has changed completely; in case of `stats-updated`, the
code will simply not run (as the event was renamed in order
to avoid conflicts); the `get_stats` function has been removed
completely (so it will cause a traceback when it is attempted
to be used).
Note that the measure_*_event methods have been removed from
the module API. I was unable to find any uses or documentation
and thus deemed they should not be ported. Re-implementation is
possible when necessary.
[0]: https://openmetrics.io/
[1]: https://prometheus.io/
[2]: #959
[3]: #960
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
:get_directory has so far returned the base directory of the current
module source code. This has worked well so far to load resources which
tend to be included in the same directory, but with the plugin installer
using LuaRocks, extra resources (e.g. templates and other assets) these
are saved in a completely different directory.
In be73df6765b9 core.modulemanager gained some code for finding that
directory and saving it in module.resource_path but now the question is
how this should be reflected in the API.
A survey of community modules suggest the vast majority use the
:get_directory method for locating templates and other assets, rather
than the code (which would use module:require instead).
Therefore this commit changes :get_directory to return the resource_path
when available. This should work for most modules.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Unclear exactly why, but replies to some queries to local modules would
be discarded by stanza_router. This appears to fix it.
|
|
|
|
|
| |
In rare cases, module.host can be a bare JID, in which case this test
did the wrong thing.
|
|
|
|
| |
It's called 'errors' everywhere else except here.
|
|
|
|
|
| |
It got passed as argument to reject() instead of the util.error
function and was lost.
|
|
|
|
|
| |
All cleanup in one spot instead of two, and at the end which fits with
cleanup happening afterwards.
|
|
|
|
| |
It's written like that elsewhere in the send_iq method
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Explicitly disabled module should stay disabled.
|
| |
|
|
|
|
|
|
| |
Multiple paths are rarely used, and leads to less clear code than just
calling module:shared() once per shared table. It also prevents us from
extending the API with new parameters in the future.
|
| |
|
| |
|
| |
|