From 6b2d191b939099b598e7edaf972994c94a24ff0e Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Sat, 25 Mar 2023 19:38:41 +0000
Subject: moduleapi: may: Fail early if a local session has no role assigned

We expect every session to explicitly have a role assigned. Falling back to any kind of "default" role (even the user's default role) in the absence of an explicit role could open up the possibility of accidental privilege escalation.
---
 core/moduleapi.lua | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'core/moduleapi.lua')
diff --git a/core/moduleapi.lua b/core/moduleapi.lua
index aba052ab..18452e2b 100644
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@@ -653,11 +653,16 @@ function api:may(action, context)
 if type(session) ~= "table" then
 error("Unable to identify actor session from context");
 end
- if session.role and session.type == "c2s" and session.host == self.host then
- local permit = session.role:may(action, context);
+ if session.type == "c2s" and session.host == self.host then
+ local role = session.role;
+ if not role then
+ self:log("warn", "Access denied: session %s has no role assigned");
+ return false;
+ end
+ local permit = role:may(action, context);
 if not permit then
 self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
- session.id, session.full_jid, action, session.role.name
+ session.id, session.full_jid, action, role.name
 );
 end
 return permit;
-- cgit v1.2.3
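Review bot: The new warning in the `if not role then` branch has a `%s` placeholder but passes no argument for it, so the log entry for a role-less session will not say which session was denied. This branch exists to surface a state the commit message ties to accidental privilege escalation, so the entry should identify the session the way the debug message below it does: `self:log("warn", "Access denied: session %s has no role assigned", session.id);`. How the logger renders a placeholder with no matching argument is not visible on this page, so the exact output is unconfirmed. The body of `api:may` starts and ends outside the hunk, so what happens to sessions that are not local c2s after this block cannot be reviewed from here.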