| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This gives us more granular control over different types of user account.
Accounts registered by IBR get assigned prosody:registered by default, while
accounts provisioned by an admin (e.g. via prosodyctl shell) will receive
prosody:member by default.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New behaviour (muc_room_allow_persistent = true, the default):
- Parent host users are not restricted by default (prosody:user)
- Users without roles (by default that is non-admins, non-parent-host users,
and users on other servers) can no longer configure persistence by default.
muc_room_allow_persistent = false will restrict persistence to prosody:admin.
Parent-host users should not be restricted by default, and this can be
configured via the new roles/permissions options.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change)
With this change and 427dd01f0864, room creation is now effectively restricted
to parent-host users by default. This is a better default than previous
Prosody versions (where room creation was not restricted).
The "local" option for restrict_room_creation is no longer used (any value
other than true/false won't change the default behaviour).
restrict_room_creation = true will grant prosody:admin the ability to create
rooms.
restrict_room_creation = false disables all permission checks.
Anything between these two can be achieved using custom roles and permissions.
|
|
|
|
|
|
|
|
|
|
| |
Non-admins don't have a role on MUC services by default. Not even
prosody:user. This meant they had no :create-persistent-room permission, even
if muc_room_allow_persistent was true (the default).
Now we only check the role permissions if persistent room creation is
restricted, otherwise we skip any permission checks, just like previous
versions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We began moving away from simple "is this user an admin?" permission checks
before 0.12, with the introduction of mod_authz_internal and the ability to
dynamically change the roles of individual users.
The approach in 0.12 still had various limitations however, and apart from
the introduction of roles other than "admin" and the ability to pull that info
from storage, not much actually changed.
This new framework shakes things up a lot, though aims to maintain the same
functionality and behaviour on the surface for a default Prosody
configuration. That is, if you don't take advantage of any of the new
features, you shouldn't notice any change.
The biggest change visible to developers is that usermanager.is_admin() (and
the auth provider is_admin() method) have been removed. Gone. Completely.
Permission checks should now be performed using a new module API method:
module:may(action_name, context)
This method accepts an action name, followed by either a JID (string) or
(preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g.
the standard object passed to most events). It will return true if the action
should be permitted, or false/nil otherwise.
Modules should no longer perform permission checks based on the role name.
E.g. a lot of code previously checked if the user's role was prosody:admin
before permitting some action. Since many roles might now exist with similar
permissions, and the permissions of prosody:admin may be redefined
dynamically, it is no longer suitable to use this method for permission
checks. Use module:may().
If you start an action name with ':' (recommended) then the current module's
name will automatically be used as a prefix.
To define a new permission, use the new module API:
module:default_permission(role_name, action_name)
module:default_permissions(role_name, { action_name[, action_name...] })
This grants the specified role permission to execute the named action(s) by
default. This may be overridden via other mechanisms external to your module.
The built-in roles that developers should use are:
- prosody:user (normal user)
- prosody:admin (host admin)
- prosody:operator (global admin)
The new prosody:operator role is intended for server-wide actions (such as
shutting down Prosody).
Finally, all usage of is_admin() in modules has been fixed by this commit.
Some of these changes were trickier than others, but no change is expected to
break existing deployments.
EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's
very possible nobody is using this, but if someone is then we can later update
it to pull roles from LDAP somehow.
|
|
|
|
|
|
|
|
|
|
| |
This is allowed by XEP-0045, which states:
"A moderator SHOULD NOT be allowed to revoke moderation privileges from
someone with a higher affiliation than themselves (i.e., an unaffiliated
moderator SHOULD NOT be allowed to revoke moderation privileges from an admin
or an owner, and an admin SHOULD NOT be allowed to revoke moderation
privileges from an owner)."
|
| |
|
| |
|
|
|
|
|
| |
Including the payload of the stanza that caused the error is optional
and we're generally not doing it anywhere else.
|
|
|
|
|
| |
Mistake introduced in cbe524ed1a6a. Removing because this is a query to
the bare JID where the error origin matches the resulting stanza 'from'.
|
|
|
|
|
|
| |
The numeric error codes seems to have been removed from the examples in
XEP-0045 version 1.24, and were deprecated even by RFC 3920 in 2004,
only allowed for backwards compatibility.
|
|
|
|
|
|
| |
I spend several minutes confused over where the bug was until I
remembered I had set myself as visitor in the previous debug session.
This would have helped.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
.affiliation
It appears nothing currently uses this field in prosody or prosody-modules
|
| |
|
|
|
|
| |
...and fixing the logic bug that broke everything in the previous commit.
|
|
|
|
| |
data
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was originally not done based on my interpretation of XEP-0045. Today's
reading, however, revealed that it actually says the result
> SHOULD contain **at least** a <username/> element
(emphasis mine)
I take this to mean that including a form **is** allowed (and I think this is
sensible). Tigase already includes the form I believe.
I've gated the new behaviour behind a (default off) option, because it hasn't
been tested for compatibility with clients. My primary desire for it is in
Snikket, where the clients will be tested to ensure compatibility with this.
I don't anticipate that (m)any clients would break, so maybe after 0.12 we can
experiment with enabling it by default and eventually remove the option.
|
|
|
|
|
|
|
|
|
|
| |
XEP-0045 states:
> Affiliations are granted, revoked, and maintained based on the user's
> bare JID, not the nick as with roles.
Therefore inclusion of a full JID in affiliation queries is invalid.
Thanks to Ge0rG and Poezio for discovering this issue.
|
|\ |
|
| |
| |
| |
| |
| |
| | |
Fixes https://prosody.im/security/advisory_20210722/
Backs out 4d7b925652d9
|
| |
| |
| |
| |
| | |
Optimizes away all the processing on every message in case the
end-result is zero history.
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The de-facto interpretation of this (undocumented) option is to indicate to
the client whether it is allowed to invite other users to the MUC.
This is differs from the existing option in our config form, which only
controls the behaviour of sending of invites in a members-only MUC (we always
allow invites in open rooms).
Conversations is one client known to use this disco#info item to determine
whether it may send invites.
|
| |
| |
| |
| |
| |
| |
| | |
Use case: Enable module that provides a virtual occupant object for bots
Before, if there is no occupant then either some other part of MUC would
reject the message or `occupant.nick` would have caused an error.
|
| |
| |
| |
| | |
Should help inform on whether the cache size should be increased.
|
| | |
|
| |
| |
| |
| | |
Also test for self-probes
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The following patch allows Prosody to respond to `probe` presences and send out the probed occupant's current presence.
This is based on line 17.3 in XEP-0045:
A MUC service MAY handle presence probes sent to the room JID <room@service> or an occupant JID <room@service/nick>
(e.g, these might be sent by an occupant's home server to determine if the room is still online or to synchronize
presence information if the user or the user's server has gone offline temporarily or has started sharing presence again,
as for instance when Stanza Interception and Filtering Technology (XEP-0273) is used).
|
|\| |
|
| |
| |
| |
| | |
(thanks damencho)
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Why do we still include this? Deprecated in 2007, obsoleted in 2009.
Removes redundant timestamp that nobody should be looking at since many
years and a redundant copy of the room JID.
|
|\| |
|
| |
| |
| |
| | |
#1595) (thanks lessthan3)
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Thanks pep. and lovetox
XEP-0045 §6.4:
> any field defined for the muc\#roomconfig FORM_TYPE can be included in
> the extended service discovery fields
Probably happened because the same mistake is in #1155
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Behavior with turning empty name into localpart was originally introduced
in 711eb5bf94b4
This has caused some problems for clients, making it difficult to
differentiate between a room actually named like the localpart from a
room without a name.
Breaking:
The function signature of the :get_name() method changes from always
returning a string to optional string.
|
| |
| |
| |
| | |
Updates #1533
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
If nickname enforcement is enabled this would otherwise let you bypass
the join check in muc.lib by registering an invalid nickname and then
joining with any nickname, letting register.lib change it to the invalid
registered nick.
|
| |
| |
| |
| |
| |
| | |
This is the subset of mod_mam rules I believe makes sense in MUC.
Note that mod_muc_mam does not have its own rules, but uses these.
|
|\| |
|
| | |
|
| | |
|