core.moduleapi: Check for local role-aware sessions before e.g. s2s
The condition checked for s2sin but not s2sout, so it would have ignored
bidi-enabled s2sout sessions, and components as well.
--- a/core/moduleapi.lua Mon Aug 29 15:48:07 2022 +0100
+++ b/core/moduleapi.lua Mon Aug 29 11:47:31 2022 +0200
@@ -649,7 +649,15 @@
if type(session) ~= "table" then
error("Unable to identify actor session from context");
end
- if session.type == "s2sin" or (session.type == "c2s" and session.host ~= self.host) then
+ if session.role and session.type == "c2s" and session.host == self.host then
+ local permit = session.role:may(action, context);
+ if not permit then
+ self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
+ session.id, session.full_jid, action, session.role.name
+ );
+ end
+ return permit;
+ else
local actor_jid = context.stanza.attr.from;
local role = hosts[self.host].authz.get_jid_role(actor_jid);
if not role then
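Review bot: The new `else` branch is now the catch-all for every session that is not a local, role-bearing c2s session, and it reads `context.stanza.attr.from` without checking that the context carries a stanza, so a session-only context would raise a nil-index error instead of producing an authorization decision. It also appears to change the outcome for a local c2s session without `session.role`: the old condition matched neither branch and returned nothing (an implicit denial), whereas the decision now comes from the role of the stanza's `from` address. If that is intended, a guard such as `if not context.stanza then error("Unable to identify actor JID from context"); end` ahead of the lookup would keep the failure explicit. A comment like `-- 'from' must already have been validated by the s2s/component layer` would also record the trust assumption the role lookup depends on. The enclosing function starts before this hunk, and the `else` branch continues in the next one.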
@@ -661,14 +669,6 @@
self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
end
return permit;
- elseif session.role then
- local permit = session.role:may(action, context);
- if not permit then
- self:log("debug", "Access denied: session %s (%s) may not %s (not permitted by role %s)",
- session.id, session.full_jid, action, session.role.name
- );
- end
- return permit;
end
end