core.moduleapi: Check for local role-aware sessions before e.g. s2s

The condition checked for s2sin but not s2sout, so would have ignored bidi-enabled s2sout sessions. Components as well.
2025-04-03 21:27:38 +03:00 · 2022-08-29 11:47:31 +02:00 · 2022-08-29 11:47:31 +02:00 · 03b3b1b9ad
commit 03b3b1b9ad
parent 1254a0de55
1 changed files with 9 additions and 9 deletions
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@ -649,7 +649,15 @@ function api:may(action, context)
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");
 	end
-	if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+	if session.role and session.type == "c2s" and session.host == self.host then
+		local permit = session.role:may(action, context);
+		if not permit then
+			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+				session.id, session.full_jid, action, session.role.name
+			);
+		end
+		return permit;
+	else
 		local actor_jid = context.stanza.attr.from;
 		local role = hosts[self.host].authz.get_jid_role(actor_jid);
 		if not role then
@ -661,14 +669,6 @@ function api:may(action, context)
 			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
 		end
 		return permit;
-	elseif session.role then
-		local permit = session.role:may(action, context);
-		if not permit then
-			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
-				session.id, session.full_jid, action, session.role.name
-			);
-		end
-		return permit;
 	end
 end