Switch to a new role-based authorization framework, removing is_admin()

We began moving away from simple "is this user an admin?" permission checks before 0.12, with the introduction of mod_authz_internal and the ability to dynamically change the roles of individual users. The approach in 0.12 still had various limitations however, and apart from the introduction of roles other than "admin" and the ability to pull that info from storage, not much actually changed. This new framework shakes things up a lot, though aims to maintain the same functionality and behaviour on the surface for a default Prosody configuration. That is, if you don't take advantage of any of the new features, you shouldn't notice any change. The biggest change visible to developers is that usermanager.is_admin() (and the auth provider is_admin() method) have been removed. Gone. Completely. Permission checks should now be performed using a new module API method: module:may(action_name, context) This method accepts an action name, followed by either a JID (string) or (preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g. the standard object passed to most events). It will return true if the action should be permitted, or false/nil otherwise. Modules should no longer perform permission checks based on the role name. E.g. a lot of code previously checked if the user's role was prosody:admin before permitting some action. Since many roles might now exist with similar permissions, and the permissions of prosody:admin may be redefined dynamically, it is no longer suitable to use this method for permission checks. Use module:may(). If you start an action name with ':' (recommended) then the current module's name will automatically be used as a prefix. To define a new permission, use the new module API: module:default_permission(role_name, action_name) module:default_permissions(role_name, { action_name[, action_name...] }) This grants the specified role permission to execute the named action(s) by default. This may be overridden via other mechanisms external to your module. The built-in roles that developers should use are: - prosody:user (normal user) - prosody:admin (host admin) - prosody:operator (global admin) The new prosody:operator role is intended for server-wide actions (such as shutting down Prosody). Finally, all usage of is_admin() in modules has been fixed by this commit. Some of these changes were trickier than others, but no change is expected to break existing deployments. EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's very possible nobody is using this, but if someone is then we can later update it to pull roles from LDAP somehow.
2025-04-03 21:27:38 +03:00 · 2022-06-15 12:15:01 +01:00 · 2022-06-15 12:15:01 +01:00 · d73714b4f4
commit d73714b4f4
parent 8b384dc77f
15 changed files with 269 additions and 131 deletions
--- a/.luacheckrc
+++ b/.luacheckrc
@ -62,6 +62,8 @@ files["plugins/"] = {
 		"module.broadcast",
 		"module.context",
 		"module.depends",
 		"module.default_permission",
 		"module.default_permissions",
 		"module.fire_event",
 		"module.get_directory",
 		"module.get_host",
@ -86,6 +88,7 @@ files["plugins/"] = {
 		"module.load_resource",
 		"module.log",
 		"module.log_status",
 		"module.may",
 		"module.measure",
 		"module.metric",
 		"module.open_store",
--- a/core/moduleapi.lua
+++ b/core/moduleapi.lua
@ -19,6 +19,7 @@ local promise = require "util.promise";
 local time_now = require "util.time".now;
 local format = require "util.format".format;
 local jid_node = require "util.jid".node;
 local jid_split = require "util.jid".split;
 local jid_resource = require "util.jid".resource;
 local t_insert, t_remove, t_concat = table.insert, table.remove, table.concat;
@ -601,4 +602,66 @@ function api:get_status()
 	return self.status_type, self.status_message, self.status_time;
 end
 function api:default_permission(role_name, permission)
 	permission = permission:gsub("^:", self.name..":");
 	hosts[self.host].authz.add_default_permission(role_name, permission);
 end
 function api:default_permissions(role_name, permissions)
 	for _, permission in ipairs(permissions) do
 		permission = permission:gsub("^:", self.name..":");
 		self:default_permission(role_name, permission);
 	end
 end
 function api:may(action, context)
 	if type(context) == "string" then -- check JID permissions
 		local role;
 		local node, host = jid_split(context);
 		if host == self.host then
 			role = hosts[host].authz.get_user_role(node);
 		else
 			role = hosts[self.host].authz.get_jid_role(context);
 		end
 		if not role then
 			self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
 			return false;
 		end
 		local permit = role:may(action);
 		if not permit then
 			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
 		end
 		return permit;
 	end
 	local session = context.origin or context.session;
 	if not session then
 		error("Unable to identify actor session from context");
 	end
 	if action:byte(1) == 58 then -- action begins with ':'
 		action = self.name..action; -- prepend module name
 	end
 	if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
 		local actor_jid = context.stanza.attr.from;
 		local role = hosts[self.host].authz.get_jid_role(actor_jid);
 		if not role then
 			self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
 			return false;
 		end
 		local permit = role:may(action, context);
 		if not permit then
 			self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
 		end
 		return permit;
 	elseif session.role then
 		local permit = session.role:may(action, context);
 		if not permit then
 			self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
 				session.id, session.full_jid, action, session.role.name
 			);
 		end
 		return permit;
 	end
 end
 return api;
--- a/core/sessionmanager.lua
+++ b/core/sessionmanager.lua
@ -123,15 +123,24 @@ local function destroy_session(session, err)
 	retire_session(session);
 end
-local function make_authenticated(session, username, scope)
+local function make_authenticated(session, username, role_name)
 	username = nodeprep(username);
 	if not username or #username == 0 then return nil, "Invalid username"; end
 	session.username = username;
 	if session.type == "c2s_unauthed" then
 		session.type = "c2s_unbound";
 	end
-	session.auth_scope = scope;
+
-	session.log("info", "Authenticated as %s@%s", username, session.host or "(unknown)");
+	local role;
 	if role_name then
 		role = hosts[session.host].authz.get_role_info(role_name);
 	else
 		role = hosts[session.host].authz.get_user_default_role(username);
 	end
 	if role then
 		sessionlib.set_role(session, role);
 	end
 	session.log("info", "Authenticated as %s@%s [%s]", username, session.host or "(unknown)", role and role.name or "no role");
 	return true;
 end
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@ -188,11 +188,6 @@ local function set_roles(jid, host, roles)
 	end
 end
 local function is_admin(jid, host)
 	local roles = get_roles(jid, host);
 	return roles and roles["prosody:admin"];
 end
 local function get_users_with_role(role, host)
 	if not hosts[host] then return false; end
 	if type(role) ~= "string" then return false; end
@ -224,7 +219,6 @@ return {
 	get_provider = get_provider;
 	get_roles = get_roles;
 	set_roles = set_roles;
 	is_admin = is_admin;
 	get_users_with_role = get_users_with_role;
 	get_jids_with_role = get_jids_with_role;
 };
--- a/plugins/adhoc/adhoc.lib.lua
+++ b/plugins/adhoc/adhoc.lib.lua
@ -23,10 +23,16 @@ end
 function _M.new(name, node, handler, permission)
 	if not permission then
 		error "adhoc.new() expects a permission argument, none given"
-	end
+	elseif permission == "user" then
 	if permission == "user" then
 		error "the permission mode 'user' has been renamed 'any', please update your code"
 	end
 	if permission == "admin" then
 		module:default_permission("prosody:admin", "mod_adhoc:"..node);
 		permission = "check";
 	elseif permission == "global_admin" then
 		module:default_permission("prosody:operator", "mod_adhoc:"..node);
 		permission = "check";
 	end
 	return { name = name, node = node, handler = handler, cmdtag = _cmdtag, permission = permission };
 end
--- a/plugins/adhoc/mod_adhoc.lua
+++ b/plugins/adhoc/mod_adhoc.lua
@ -7,7 +7,6 @@
 local it = require "util.iterators";
 local st = require "util.stanza";
 local is_admin = require "core.usermanager".is_admin;
 local jid_host = require "util.jid".host;
 local adhoc_handle_cmd = module:require "adhoc".handle_cmd;
 local xmlns_cmd = "http://jabber.org/protocol/commands";
@ -15,18 +14,17 @@ local commands = {};
 module:add_feature(xmlns_cmd);
 local function check_permissions(event, node, command)
 	return (command.permission == "check" and module:may("mod_adhoc:"..node, event))
 	    or (command.permission == "local_user" and jid_host(event.stanza.attr.from) == module.host)
 	    or (command.permission == "any");
 end
 module:hook("host-disco-info-node", function (event)
 	local stanza, origin, reply, node = event.stanza, event.origin, event.reply, event.node;
 	if commands[node] then
 		local from = stanza.attr.from;
 		local privileged = is_admin(from, stanza.attr.to);
 		local global_admin = is_admin(from);
 		local hostname = jid_host(from);
 		local command = commands[node];
-		if (command.permission == "admin" and privileged)
+		if check_permissions(event, node, command) then
 		    or (command.permission == "global_admin" and global_admin)
 		    or (command.permission == "local_user" and hostname == module.host)
 		    or (command.permission == "any") then
 			reply:tag("identity", { name = command.name,
 			    category = "automation", type = "command-node" }):up();
 			reply:tag("feature", { var = xmlns_cmd }):up();
@ -44,20 +42,13 @@ module:hook("host-disco-info-node", function (event)
 end);
 module:hook("host-disco-items-node", function (event)
-	local stanza, reply, disco_node = event.stanza, event.reply, event.node;
+	local reply, disco_node = event.reply, event.node;
 	if disco_node ~= xmlns_cmd then
 		return;
 	end
 	local from = stanza.attr.from;
 	local admin = is_admin(from, stanza.attr.to);
 	local global_admin = is_admin(from);
 	local hostname = jid_host(from);
 	for node, command in it.sorted_pairs(commands) do
-		if (command.permission == "admin" and admin)
+		if check_permissions(event, node, command) then
 		    or (command.permission == "global_admin" and global_admin)
 		    or (command.permission == "local_user" and hostname == module.host)
 		    or (command.permission == "any") then
 			reply:tag("item", { name = command.name,
 			    node = node, jid = module:get_host() });
 			reply:up();
@ -71,15 +62,9 @@ module:hook("iq-set/host/"..xmlns_cmd..":command", function (event)
 	local node = stanza.tags[1].attr.node
 	local command = commands[node];
 	if command then
-		local from = stanza.attr.from;
+		if not check_permissions(event, node, command) then
 		local admin = is_admin(from, stanza.attr.to);
 		local global_admin = is_admin(from);
 		local hostname = jid_host(from);
 		if (command.permission == "admin" and not admin)
 		    or (command.permission == "global_admin" and not global_admin)
 		    or (command.permission == "local_user" and hostname ~= module.host) then
 			origin.send(st.error_reply(stanza, "auth", "forbidden", "You don't have permission to execute this command"):up()
-			    :add_child(command:cmdtag("canceled")
+				:add_child(command:cmdtag("canceled")
 				:tag("note", {type="error"}):text("You don't have permission to execute this command")));
 			return true
 		end
--- a/plugins/mod_announce.lua
+++ b/plugins/mod_announce.lua
@ -9,7 +9,6 @@
 local st, jid = require "util.stanza", require "util.jid";
 local hosts = prosody.hosts;
 local is_admin = require "core.usermanager".is_admin;
 function send_to_online(message, host)
 	local sessions;
@ -34,6 +33,7 @@ function send_to_online(message, host)
 	return c;
 end
 module:default_permission("prosody:admin", ":send-announcement");
 -- Old <message>-based jabberd-style announcement sending
 function handle_announcement(event)
@ -45,8 +45,8 @@ function handle_announcement(event)
 		return; -- Not an announcement
 	end
-	if not is_admin(stanza.attr.from, host) then
+	if not module:may(":send-announcement", event) then
-		-- Not an admin? Not allowed!
+		-- Not allowed!
 		module:log("warn", "Non-admin '%s' tried to send server announcement", stanza.attr.from);
 		return;
 	end
--- a/plugins/mod_auth_ldap.lua
+++ b/plugins/mod_auth_ldap.lua
@ -1,6 +1,5 @@
 -- mod_auth_ldap
 local jid_split = require "util.jid".split;
 local new_sasl = require "util.sasl".new;
 local lualdap = require "lualdap";
@ -21,6 +20,13 @@ local ldap_admins = module:get_option_string("ldap_admin_filter",
 	module:get_option_string("ldap_admins")); -- COMPAT with mistake in documentation
 local host = ldap_filter_escape(module:get_option_string("realm", module.host));
 if ldap_admins then
 	module:log("error", "The 'ldap_admin_filter' option has been deprecated, "..
 	           "and will be ignored. Equivalent functionality may be added in "..
 	           "the future if there is demand."
 	);
 end
 -- Initiate connection
 local ld = nil;
 module.unload = function() if ld then pcall(ld, ld.close); end end
@ -133,22 +139,4 @@ else
 	module:log("error", "Unsupported ldap_mode %s", tostring(ldap_mode));
 end
 if ldap_admins then
 	function provider.is_admin(jid)
 		local username, user_host = jid_split(jid);
 		if user_host ~= module.host then
 			return false;
 		end
 		return ldap_do("search", 2, {
 			base = ldap_base;
 			scope = ldap_scope;
 			sizelimit = 1;
 			filter = ldap_admins:gsub("%$(%a+)", {
 				user = ldap_filter_escape(username);
 				host = host;
 			});
 		});
 	end
 end
 module:provides("auth", provider);
--- a/plugins/mod_authz_internal.lua
+++ b/plugins/mod_authz_internal.lua
@ -1,20 +1,89 @@
 local array = require "util.array";
 local it = require "util.iterators";
 local set = require "util.set";
-local jid_split = require "util.jid".split;
+local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare;
 local normalize = require "util.jid".prep;
 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
 local host = module.host;
 local role_store = module:open_store("roles");
 local role_map_store = module:open_store("roles", "map");
-local admin_role = { ["prosody:admin"] = true };
+local role_methods = {};
 local role_mt = { __index = role_methods };
 local role_registry = {
 	["prosody:operator"] = {
 		default = true;
 		priority = 75;
 		includes = { "prosody:admin" };
 	};
 	["prosody:admin"] = {
 		default = true;
 		priority = 50;
 		includes = { "prosody:user" };
 	};
 	["prosody:user"] = {
 		default = true;
 		priority = 25;
 		includes = { "prosody:restricted" };
 	};
 	["prosody:restricted"] = {
 		default = true;
 		priority = 15;
 	};
 };
 -- Some processing on the role registry
 for role_name, role_info in pairs(role_registry) do
 	role_info.name = role_name;
 	role_info.includes = set.new(role_info.includes) / function (included_role_name)
 		return role_registry[included_role_name];
 	end;
 	if not role_info.permissions then
 		role_info.permissions = {};
 	end
 	setmetatable(role_info, role_mt);
 end
 function role_methods:may(action, context)
 	local policy = self.permissions[action];
 	if policy ~= nil then
 		return policy;
 	end
 	for inherited_role in self.includes do
 		module:log("debug", "Checking included role '%s' for %s", inherited_role.name, action);
 		policy = inherited_role:may(action, context);
 		if policy ~= nil then
 			return policy;
 		end
 	end
 	return false;
 end
 -- Public API
 local config_operator_role_set = {
 	["prosody:operator"] = role_registry["prosody:operator"];
 };
 local config_admin_role_set = {
 	["prosody:admin"] = role_registry["prosody:admin"];
 };
 function get_user_roles(user)
-	if config_admin_jids:contains(user.."@"..host) then
+	local bare_jid = user.."@"..host;
-		return admin_role;
+	if config_global_admin_jids:contains(bare_jid) then
 		return config_operator_role_set;
 	elseif config_admin_jids:contains(bare_jid) then
 		return config_admin_role_set;
 	end
-	return role_store:get(user);
+	local role_names = role_store:get(user);
 	if not role_names then return {}; end
 	local roles = {};
 	for role_name in pairs(role_names) do
 		roles[role_name] = role_registry[role_name];
 	end
 	return roles;
 end
 function set_user_roles(user, roles)
@ -22,10 +91,29 @@ function set_user_roles(user, roles)
 	return true;
 end
-function get_users_with_role(role)
+function get_user_default_role(user)
-	local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role) or {}));
+	local roles = get_user_roles(user);
-	if role == "prosody:admin" then
+	if not roles then return nil; end
-		local config_admin_users = config_admin_jids / function (admin_jid)
+	local default_role;
 	for role_name, role_info in pairs(roles) do --luacheck: ignore 213/role_name
 		if role_info.default and (not default_role or role_info.priority > default_role.priority) then
 			default_role = role_info;
 		end
 	end
 	if not default_role then return nil; end
 	return default_role;
 end
 function get_users_with_role(role_name)
 	local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role_name) or {}));
 	local config_set;
 	if role_name == "prosody:admin" then
 		config_set = config_admin_jids;
 	elseif role_name == "prosody:operator" then
 		config_set = config_global_admin_jids;
 	end
 	if config_set then
 		local config_admin_users = config_set / function (admin_jid)
 			local j_node, j_host = jid_split(admin_jid);
 			if j_host == host then
 				return j_node;
@ -36,24 +124,49 @@ function get_users_with_role(role)
 	return storage_role_users;
 end
-function get_jid_roles(jid)
+function get_jid_role(jid)
-	if config_admin_jids:contains(jid) then
+	local bare_jid = jid_bare(jid);
-		return admin_role;
+	if config_global_admin_jids:contains(bare_jid) then
 		return role_registry["prosody:operator"];
 	elseif config_admin_jids:contains(bare_jid) then
 		return role_registry["prosody:admin"];
 	end
 	return nil;
 end
-function set_jid_roles(jid) -- luacheck: ignore 212
+function set_jid_role(jid) -- luacheck: ignore 212
 	return false;
 end
-function get_jids_with_role(role)
+function get_jids_with_role(role_name)
 	-- Fetch role users from storage
-	local storage_role_jids = array.map(get_users_with_role(role), function (username)
+	local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
 		return username.."@"..host;
 	end);
-	if role == "prosody:admin" then
+	if role_name == "prosody:admin" then
 		return it.to_array(config_admin_jids + set.new(storage_role_jids));
 	elseif role_name == "prosody:operator" then
 		return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
 	end
 	return storage_role_jids;
 end
 function add_default_permission(role_name, action, policy)
 	local role = role_registry[role_name];
 	if not role then
 		module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
 		return nil, "no-such-role";
 	end
 	if role.permissions[action] == nil then
 		if policy == nil then
 			policy = true;
 		end
 		module:log("debug", "Adding permission, role '%s' may '%s': %s", role_name, action, policy and "allow" or "deny");
 		role.permissions[action] = policy;
 	end
 	return true;
 end
 function get_role_info(role_name)
 	return role_registry[role_name];
 end
--- a/plugins/mod_disco.lua
+++ b/plugins/mod_disco.lua
@ -8,7 +8,6 @@
 local get_children = require "core.hostmanager".get_children;
 local is_contact_subscribed = require "core.rostermanager".is_contact_subscribed;
 local um_is_admin = require "core.usermanager".is_admin;
 local jid_split = require "util.jid".split;
 local jid_bare = require "util.jid".bare;
 local st = require "util.stanza"
@ -162,14 +161,16 @@ module:hook("s2s-stream-features", function (event)
 	end
 end);
 module:default_permission("prosody:admin", ":be-discovered-admin");
 -- Handle disco requests to user accounts
 if module:get_host_type() ~= "local" then	return end -- skip for components
 module:hook("iq-get/bare/http://jabber.org/protocol/disco#info:query", function(event)
 	local origin, stanza = event.origin, event.stanza;
 	local node = stanza.tags[1].attr.node;
 	local username = jid_split(stanza.attr.to) or origin.username;
-	local is_admin = um_is_admin(stanza.attr.to or origin.full_jid, module.host)
+	local target_is_admin = module:may(":be-discovered-admin", stanza.attr.to or origin.full_jid);
-	if not stanza.attr.to or (expose_admins and is_admin) or is_contact_subscribed(username, module.host, jid_bare(stanza.attr.from)) then
+	if not stanza.attr.to or (expose_admins and target_is_admin) or is_contact_subscribed(username, module.host, jid_bare(stanza.attr.from)) then
 		if node and node ~= "" then
 			local reply = st.reply(stanza):tag('query', {xmlns='http://jabber.org/protocol/disco#info', node=node});
 			if not reply.attr.from then reply.attr.from = origin.username.."@"..origin.host; end -- COMPAT To satisfy Psi when querying own account
@ -185,7 +186,7 @@ module:hook("iq-get/bare/http://jabber.org/protocol/disco#info:query", function(
 		end
 		local reply = st.reply(stanza):tag('query', {xmlns='http://jabber.org/protocol/disco#info'});
 		if not reply.attr.from then reply.attr.from = origin.username.."@"..origin.host; end -- COMPAT To satisfy Psi when querying own account
-		if is_admin then
+		if target_is_admin then
 			reply:tag('identity', {category='account', type='admin'}):up();
 		elseif prosody.hosts[module.host].users.name == "anonymous" then
 			reply:tag('identity', {category='account', type='anonymous'}):up();
--- a/plugins/mod_invites_adhoc.lua
+++ b/plugins/mod_invites_adhoc.lua
@ -2,7 +2,6 @@
 local dataforms = require "util.dataforms";
 local datetime = require "util.datetime";
 local split_jid = require "util.jid".split;
 local usermanager = require "core.usermanager";
 local new_adhoc = module:require("adhoc").new;
@ -13,8 +12,7 @@ local allow_user_invites = module:get_option_boolean("allow_user_invites", false
 -- on the server, use the option above instead.
 local allow_contact_invites = module:get_option_boolean("allow_contact_invites", true);
-local allow_user_invite_roles = module:get_option_set("allow_user_invites_by_roles");
+module:default_permission(allow_user_invites and "prosody:user" or "prosody:admin", ":invite-users");
 local deny_user_invite_roles = module:get_option_set("deny_user_invites_by_roles");
 local invites;
 if prosody.shutdown then -- COMPAT hack to detect prosodyctl
@ -42,36 +40,8 @@ local invite_result_form = dataforms.new({
 -- This is for checking if the specified JID may create invites
 -- that allow people to register accounts on this host.
-local function may_invite_new_users(jid)
+local function may_invite_new_users(context)
-	if usermanager.get_roles then
+	return module:may(":invite-users", context);
 		local user_roles = usermanager.get_roles(jid, module.host);
 		if not user_roles then
 			-- User has no roles we can check, just return default
 			return allow_user_invites;
 		end
 		if user_roles["prosody:admin"] then
 			return true;
 		end
 		if allow_user_invite_roles then
 			for allowed_role in allow_user_invite_roles do
 				if user_roles[allowed_role] then
 					return true;
 				end
 			end
 		end
 		if deny_user_invite_roles then
 			for denied_role in deny_user_invite_roles do
 				if user_roles[denied_role] then
 					return false;
 				end
 			end
 		end
 	elseif usermanager.is_admin(jid, module.host) then -- COMPAT w/0.11
 		return true; -- Admins may always create invitations
 	end
 	-- No role matches, so whatever the default is
 	return allow_user_invites;
 end
 module:depends("adhoc");
@ -91,7 +61,7 @@ module:provides("adhoc", new_adhoc("Create new contact invite", "urn:xmpp:invite
 					};
 				};
 			end
-			local invite = invites.create_contact(username, may_invite_new_users(data.from), {
+			local invite = invites.create_contact(username, may_invite_new_users(data), {
 				source = data.from
 			});
 			--TODO: check errors
--- a/plugins/mod_pubsub/mod_pubsub.lua
+++ b/plugins/mod_pubsub/mod_pubsub.lua
@ -1,7 +1,6 @@
 local pubsub = require "util.pubsub";
 local st = require "util.stanza";
 local jid_bare = require "util.jid".bare;
 local usermanager = require "core.usermanager";
 local new_id = require "util.id".medium;
 local storagemanager = require "core.storagemanager";
 local xtemplate = require "util.xtemplate";
@ -177,9 +176,10 @@ module:hook("host-disco-items", function (event)
 end);
 local admin_aff = module:get_option_string("default_admin_affiliation", "owner");
 module:default_permission("prosody:admin", ":service-admin");
 local function get_affiliation(jid)
 	local bare_jid = jid_bare(jid);
-	if bare_jid == module.host or usermanager.is_admin(bare_jid, module.host) then
+	if bare_jid == module.host or module:may(":service-admin", bare_jid) then
 		return admin_aff;
 	end
 end
--- a/plugins/muc/hidden.lib.lua
+++ b/plugins/muc/hidden.lib.lua
@ -8,7 +8,7 @@
 --
 local restrict_public = not module:get_option_boolean("muc_room_allow_public", true);
-local um_is_admin = require "core.usermanager".is_admin;
+module:default_permission(restrict_public and "prosody:admin" or "prosody:user", ":create-public-room");
 local function get_hidden(room)
 	return room._data.hidden;
@ -22,8 +22,8 @@ local function set_hidden(room, hidden)
 end
 module:hook("muc-config-form", function(event)
-	if restrict_public and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-public-room", event.actor) then
-		-- Don't show option if public rooms are restricted and user is not admin of this host
+		-- Hide config option if this user is not allowed to create public rooms
 		return;
 	end
 	table.insert(event.form, {
@ -36,7 +36,7 @@ module:hook("muc-config-form", function(event)
 end, 100-9);
 module:hook("muc-config-submitted/muc#roomconfig_publicroom", function(event)
-	if restrict_public and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-public-room", event.actor) then
 		return; -- Not allowed
 	end
 	if set_hidden(event.room, not event.value) then
--- a/plugins/muc/mod_muc.lua
+++ b/plugins/muc/mod_muc.lua
@ -100,7 +100,6 @@ local jid_prep = require "util.jid".prep;
 local jid_bare = require "util.jid".bare;
 local st = require "util.stanza";
 local cache = require "util.cache";
 local um_is_admin = require "core.usermanager".is_admin;
 module:require "muc/config_form_sections";
@ -111,21 +110,23 @@ module:depends "muc_unique"
 module:require "muc/hats";
 module:require "muc/lock";
-local function is_admin(jid)
+module:default_permissions("prosody:admin", {
-	return um_is_admin(jid, module.host);
+	":automatic-ownership";
-end
+	":create-room";
 	":recreate-destroyed-room";
 });
 if module:get_option_boolean("component_admins_as_room_owners", true) then
 	-- Monkey patch to make server admins room owners
 	local _get_affiliation = room_mt.get_affiliation;
 	function room_mt:get_affiliation(jid)
-		if is_admin(jid) then return "owner"; end
+		if module:may(":automatic-ownership", jid) then return "owner"; end
 		return _get_affiliation(self, jid);
 	end
 	local _set_affiliation = room_mt.set_affiliation;
 	function room_mt:set_affiliation(actor, jid, affiliation, reason, data)
-		if affiliation ~= "owner" and is_admin(jid) then return nil, "modify", "not-acceptable"; end
+		if affiliation ~= "owner" and module:may(":automatic-ownership", jid) then return nil, "modify", "not-acceptable"; end
 		return _set_affiliation(self, actor, jid, affiliation, reason, data);
 	end
 end
@ -412,6 +413,8 @@ if module:get_option_boolean("muc_tombstones", true) then
 	end, -10);
 end
 module:default_permission("prosody:admin", ":create-room");
 do
 	local restrict_room_creation = module:get_option("restrict_room_creation");
 	if restrict_room_creation == true then
@ -422,7 +425,7 @@ do
 		module:hook("muc-room-pre-create", function(event)
 			local origin, stanza = event.origin, event.stanza;
 			local user_jid = stanza.attr.from;
-			if not is_admin(user_jid) and not (
+			if not module:may(":create-room", event) and not (
 				restrict_room_creation == "local" and
 				select(2, jid_split(user_jid)) == host_suffix
 			) then
@ -465,7 +468,7 @@ for event_name, method in pairs {
 		if room and room._data.destroyed then
 			if room._data.locked < os.time()
-			or (is_admin(stanza.attr.from) and stanza.name == "presence" and stanza.attr.type == nil) then
+			or (module:may(":recreate-destroyed-room", event) and stanza.name == "presence" and stanza.attr.type == nil) then
 				-- Allow the room to be recreated by admin or after time has passed
 				delete_room(room);
 				room = nil;
--- a/plugins/muc/persistent.lib.lua
+++ b/plugins/muc/persistent.lib.lua
@ -8,7 +8,10 @@
 --
 local restrict_persistent = not module:get_option_boolean("muc_room_allow_persistent", true);
-local um_is_admin = require "core.usermanager".is_admin;
+module:default_permission(
 	restrict_persistent and "prosody:admin" or "prosody:user",
 	":create-persistent-room"
 );
 local function get_persistent(room)
 	return room._data.persistent;
@ -22,8 +25,8 @@ local function set_persistent(room, persistent)
 end
 module:hook("muc-config-form", function(event)
-	if restrict_persistent and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-persistent-room", event.actor) then
-		-- Don't show option if hidden rooms are restricted and user is not admin of this host
+		-- Hide config option if this user is not allowed to create persistent rooms
 		return;
 	end
 	table.insert(event.form, {
@ -36,7 +39,7 @@ module:hook("muc-config-form", function(event)
 end, 100-5);
 module:hook("muc-config-submitted/muc#roomconfig_persistentroom", function(event)
-	if restrict_persistent and not um_is_admin(event.actor, module.host) then
+	if not module:may(":create-persistent-room", event.actor) then
 		return; -- Not allowed
 	end
 	if set_persistent(event.room, event.value) then