--- a/core/moduleapi.lua	Tue Nov 07 11:50:59 2023 +0000
+++ b/core/moduleapi.lua	Tue Nov 07 11:53:57 2023 +0000
@@ -715,29 +715,35 @@
 	if action:byte(1) == 58 then -- action begins with ':'
 		action = self.name..action; -- prepend module name
 	end
-	if type(context) == "string" then -- check JID permissions
-		local role;
-		local node, host = jid_split(context);
-		if host == self.host then
-			role = hosts[host].authz.get_user_role(node);
-		else
-			role = hosts[self.host].authz.get_jid_role(context);
+
+	do
+		-- JID-based actor
+		local actor_jid = type(context) == "string" and context or context.actor_jid;
+		if actor_jid then -- check JID permissions
+			local role;
+			local node, host = jid_split(actor_jid);
+			if host == self.host then
+				role = hosts[host].authz.get_user_role(node);
+			else
+				role = hosts[self.host].authz.get_jid_role(actor_jid);
+			end
+			if not role then
+				if not peek then
+					self:log("debug", "Access denied: JID <%s> may not %s (no role found)", actor_jid, action);
+				end
+				return false;
+			end
+			local permit = role:may(action);
+			if not permit then
+				if not peek then
+					self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", actor_jid, action, role.name);
+				end
+			end
+			return permit;
 		end
-		if not role then
-			if not peek then
-				self:log("debug", "Access denied: JID <%s> may not %s (no role found)", context, action);
-			end
-			return false;
-		end
-		local permit = role:may(action);
-		if not permit then
-			if not peek then
-				self:log("debug", "Access denied: JID <%s> may not %s (not permitted by role %s)", context, action, role.name);
-			end
-		end
-		return permit;
 	end
 
+	-- Session-based actor
 	local session = context.origin or context.session;
 	if type(session) ~= "table" then
 		error("Unable to identify actor session from context");