From 6b2d191b939099b598e7edaf972994c94a24ff0e Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Sat, 25 Mar 2023 19:38:41 +0000 Subject: moduleapi: may: Fail early if a local session has no role assigned We expect every session to explicitly have a role assigned. Falling back to any kind of "default" role (even the user's default role) in the absence of an explicit role could open up the possibility of accidental privilege escalation. --- core/moduleapi.lua | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'core') diff --git a/core/moduleapi.lua b/core/moduleapi.lua index aba052ab..18452e2b 100644 --- a/core/moduleapi.lua +++ b/core/moduleapi.lua @@ -653,11 +653,16 @@ function api:may(action, context) if type(session) ~= "table" then error("Unable to identify actor session from context"); end - if session.role and session.type == "c2s" and session.host == self.host then - local permit = session.role:may(action, context); + if session.type == "c2s" and session.host == self.host then + local role = session.role; + if not role then + self:log("warn", "Access denied: session %s has no role assigned"); + return false; + end + local permit = role:may(action, context); if not permit then self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)", - session.id, session.full_jid, action, session.role.name + session.id, session.full_jid, action, role.name ); end return permit; -- cgit v1.2.3