From ad83ddfb78afff7c03d7b749cdf66e39898281c5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 1 Nov 2024 13:10:45 +0100
Subject: mod_admin_shell: Reject attempt to add or remove roles for unrelated hosts

The three-argument version seems to be a left-over from 0.12
---
 plugins/mod_admin_shell.lua | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'plugins')
diff --git a/plugins/mod_admin_shell.lua b/plugins/mod_admin_shell.lua
index 3738b8ba..ae7aaf98 100644
--- a/plugins/mod_admin_shell.lua
+++ b/plugins/mod_admin_shell.lua
@@ -1785,6 +1785,8 @@ function def_env.user:addrole(jid, host, new_role)
 return nil, "No such host: "..host;
 elseif prosody.hosts[userhost] and not um.user_exists(username, userhost) then
 return nil, "No such user";
+ elseif userhost ~= host then
+ return nil, "Can't add roles outside users own host"
 end
 return um.add_user_secondary_role(username, host, new_role);
 end
@@ -1797,6 +1799,8 @@ function def_env.user:delrole(jid, host, role_name)
 return nil, "No such host: "..host;
 elseif prosody.hosts[userhost] and not um.user_exists(username, userhost) then
 return nil, "No such user";
+ elseif userhost ~= host then
+ return nil, "Can't remove roles outside users own host"
 end
 return um.remove_user_secondary_role(username, host, role_name);
 end
-- cgit v1.2.3
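Review bot: The added `userhost ~= host` branch in addrole (and the matching one in delrole in the second hunk) is an authorization boundary, but it is undocumented and lives only in the shell command, while `um.add_user_secondary_role(username, host, new_role)` is still handed a separate host argument. I would add a comment above the branch such as `-- roles are scoped to the account's own host; the explicit host argument is a 0.12 left-over`, and, if usermanager is meant to uphold the same rule for other callers, confirm it is checked there as well, which this diff does not show. The two new `return` lines also drop the trailing `;` their neighbours use, and the messages should read `user's own host`. Both function bodies start above the hunks, so the condition guarding the first `No such host` return is not visible here.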