From 03b3b1b9ad4b6a0b749d0345b34591694bb0cd90 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 29 Aug 2022 11:47:31 +0200
Subject: core.moduleapi: Check for local role-aware sessions before e.g. s2s

The condition checked for s2sin but not s2sout, so would have ignored
bidi-enabled s2sout sessions.  Components as well.
---
 core/moduleapi.lua | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index 73ce4911..fd54500d 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -649,7 +649,15 @@ function api:may(action, context)
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");
 	end
-	if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+	if session.role and session.type == "c2s" and session.host == self.host then
+		local permit = session.role:may(action, context);
+		if not permit then
+			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+				session.id, session.full_jid, action, session.role.name
+			);
+		end
+		return permit;
+	else
 		local actor_jid = context.stanza.attr.from;
 		local role = hosts[self.host].authz.get_jid_role(actor_jid);
 		if not role then
@@ -661,14 +669,6 @@ function api:may(action, context)
 			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
 		end
 		return permit;
-	elseif session.role then
-		local permit = session.role:may(action, context);
-		if not permit then
-			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
-				session.id, session.full_jid, action, session.role.name
-			);
-		end
-		return permit;
 	end
 end
 
-- 
cgit v1.2.3