From 66d7dbfd0e042143ca8769031e64f5cfbf6f2405 Mon Sep 17 00:00:00 2001
From: Waqas Hussain <waqas20@gmail.com>
Date: Sat, 25 Jul 2009 18:38:47 +0500
Subject: mod_xmlrpc: Added support for secure calls by non-admins

---
 plugins/mod_xmlrpc.lua | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

(limited to 'plugins/mod_xmlrpc.lua')

diff --git a/plugins/mod_xmlrpc.lua b/plugins/mod_xmlrpc.lua
index 46edcaee..56312fc7 100644
--- a/plugins/mod_xmlrpc.lua
+++ b/plugins/mod_xmlrpc.lua
@@ -16,6 +16,7 @@ local unpack = unpack;
 local tostring = tostring;
 local is_admin = require "core.usermanager".is_admin;
 local jid_split = require "util.jid".split;
+local jid_bare = require "util.jid".bare;
 local b64_decode = require "util.encodings".base64.decode;
 local get_method = require "core.objectmanager".get_object;
 local validate_credentials = require "core.usermanager".validate_credentials;
@@ -65,10 +66,15 @@ local function parse_xml(xml)
 	return stanza.tags[1];
 end
 
-local function handle_xmlrpc_request(method, args)
+local function handle_xmlrpc_request(jid, method, args)
+	local is_secure_call = (method:sub(1,7) ~= "secure/");
+	if not is_admin(jid) and not is_secure_call then
+		return create_error_response(401, "not authorized");
+	end
 	method = get_method(method);
 	if not method then return create_error_response(404, "method not found"); end
 	args = args or {};
+	if is_secure_call then t_insert(args, 1, jid); end
 	local success, result = pcall(method, unpack(args));
 	if success then
 		success, result = pcall(create_response, result or "nil");
@@ -84,15 +90,13 @@ local function handle_xmpp_request(origin, stanza)
 	local query = stanza.tags[1];
 	if query.name == "query" then
 		if #query.tags == 1 then
-			if is_admin(stanza.attr.from) then
-				local success, method, args = pcall(translate_request, query.tags[1]);
-				if success then
-					local result = handle_xmlrpc_request(method, args);
-					origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
-				else
-					origin.send(st.error_reply(stanza, "modify", "bad-request", method));
-				end
-			else origin.send(st.error_reply(stanza, "auth", "forbidden", "No content in XML-RPC request")); end
+			local success, method, args = pcall(translate_request, query.tags[1]);
+			if success then
+				local result = handle_xmlrpc_request(jid_bare(stanza.attr.from), method, args);
+				origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
+			else
+				origin.send(st.error_reply(stanza, "modify", "bad-request", method));
+			end
 		else origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); end
 	else origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); end
 end
@@ -106,7 +110,7 @@ local function handle_http_request(method, body, request)
 	-- authenticate user
 	local username, password = b64_decode(request['authorization'] or ''):gmatch('([^:]*):(.*)')(); -- TODO digest auth
 	local node, host = jid_split(username);
-	if not validate_credentials(host, node, password) and is_admin(username) then
+	if not validate_credentials(host, node, password) then
 		return unauthorized_response;
 	end
 	-- parse request
@@ -117,7 +121,7 @@ local function handle_http_request(method, body, request)
 	-- execute request
 	local success, method, args = pcall(translate_request, stanza);
 	if success then
-		return { headers = default_headers; body = tostring(handle_xmlrpc_request(method, args)) };
+		return { headers = default_headers; body = tostring(handle_xmlrpc_request(node.."@"..host, method, args)) };
 	end
 	return "<html><body>Error parsing XML-RPC request: "..tostring(method).."</body></html>";
 end
-- 
cgit v1.2.3