mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 13:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

moduleapi: may: Fail early if a local session has no role assigned

Browse source 
We expect every session to explicitly have a role assigned. Falling back to
any kind of "default" role (even the user's default role) in the absence of
an explicit role could open up the possibility of accidental privilege
escalation.
This commit is contained in:
Matthew Wild 2023-03-25 19:38:41 +00:00
parent e53ef27a1c
commit 6b2d191b93
1 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
core/moduleapi.lua
View file

@ -653,11 +653,16 @@ function api:may(action, context)
if type(session) ~= "table" then
error("Unable to identify actor session from context");
end
if session.role and session.type == "c2s" and session.host == self.host then
local permit = session.role:may(action, context);
if session.type == "c2s" and session.host == self.host then
local role = session.role;
if not role then
self:log("warn", "Access denied: session %s has no role assigned");
return false;
end
local permit = role:may(action, context);
if not permit then
self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
session.id, session.full_jid, action, session.role.name
session.id, session.full_jid, action, role.name
);
end
return permit;