moduleapi: Add 'peek' to :may() and new :could() helper to suppress logging

The current method logs scary "access denied" messages on failure - this is
generally very useful when debugging access control stuff, but in some cases
the call is simply a check to see if someone *could* perform an action, even
if they haven't requested it yet. One example is determining whether to show
the user as an admin in disco.

The 'peek' parameter, if true, will suppress such logging.

The :could() method is just a simple helper that can make the calling code a
bit more readable (suggested by Zash).
Matthew Wild 2023-03-26 14:06:04 +01:00
parent 6b2d191b93
commit eb45f0fcf8


@ -626,7 +626,11 @@ function api:default_permissions(role_name, permissions)
end
end
function api:may(action, context)
function api:could(action, context)
return self:may(action, context, true);
end
function api:may(action, context, peek)
if action:byte(1) == 58 then -- action begins with ':'
action = self.name..action; -- prepend module name
end
@ -639,12 +643,16 @@ function api:may(action, context)
role = hosts[self.host].authz.get_jid_role(context);
end
if not role then
self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
if not peek then
self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
end
return false;
end
local permit = role:may(action);
if not permit then
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
if not peek then
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
end
end
return permit;
end
@ -656,11 +664,13 @@ function api:may(action, context)
if session.type == "c2s" and session.host == self.host then
local role = session.role;
if not role then
self:log("warn", "Access denied: session %s has no role assigned");
if not peek then
self:log("warn", "Access denied: session %s has no role assigned");
end
return false;
end
local permit = role:may(action, context);
if not permit then
if not permit and not peek then
self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
session.id, session.full_jid, action, role.name
);
@ -670,11 +680,13 @@ function api:may(action, context)
local actor_jid = context.stanza.attr.from;
local role = hosts[self.host].authz.get_jid_role(actor_jid);
if not role then
self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
if not peek then
self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
end
return false;
end
local permit = role:may(action, context);
if not permit then
if not permit and not peek then
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
end
return permit;
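Review bot: The warn-level log in the c2s session branch (third hunk, `"Access denied: session %s has no role assigned"`) still carries a `%s` placeholder with no argument; the commit moves that line under `if not peek then` but leaves the format unfilled, so depending on how `self:log` formats it either emits a bare/`nil` value or raises when the message is actually rendered. Suggest `self:log("warn", "Access denied: session %s has no role assigned", session.id);` so the denial is attributable to a session. The new `:could()` wrapper and the `peek` parameter on `:may()` carry no doc comment; a one-line LDoc comment on `:could()` such as `--- Like :may(), but suppresses the "Access denied" log lines; use for capability probes (e.g. UI/disco decisions) rather than actual access attempts.` would help callers choose the right one and keeps the audit-relevant denial logging reserved for real requests. api:may's body continues past the last hunk; its closing `end` is not shown.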