prosody: Prevent federation for users with prosody:restricted role (#37)
This commit is contained in:
Matthew Wild
parent
00ad72bcf1
commit
5dddfeb876
|
|
@ -75,6 +75,7 @@ modules_enabled = {
|
|||
"update_notify";
|
||||
"turncredentials";
|
||||
"admin_shell";
|
||||
"isolate_host";
|
||||
"snikket_client_id";
|
||||
"snikket_ios_preserve_push";
|
||||
|
||||
|
|
@ -203,6 +204,9 @@ if ENV_SNIKKET_TWEAK_TURNSERVER ~= "0" or ENV_SNIKKET_TWEAK_TURNSERVER_DOMAIN th
|
|||
turncredentials_secret = ENV_SNIKKET_TWEAK_TURNSERVER_SECRET or assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l");
|
||||
end
|
||||
|
||||
-- Allow restricted users access to push notification servers
|
||||
isolate_except_domains = { "push.snikket.net", "push-ios.snikket.net" }
|
||||
|
||||
VirtualHost (DOMAIN)
|
||||
authentication = "internal_hashed"
|
||||
|
||||
|
|
|
|||
|
|
@ -122,6 +122,7 @@
|
|||
- mod_prometheus
|
||||
- mod_spam_reporting
|
||||
- mod_watch_spam_reports
|
||||
- mod_isolate_host
|
||||
|
||||
- name: Enable wanted modules (snikket-modules)
|
||||
file:
|
||||
|
|
@ -135,6 +136,7 @@
|
|||
- mod_invites_bootstrap
|
||||
- mod_snikket_client_id
|
||||
- mod_snikket_ios_preserve_push
|
||||
- mod_snikket_restricted_users
|
||||
|
||||
- name: "Install lua-ossl for encrypted push notifications"
|
||||
apt:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
local jid_bare = require "util.jid".bare;
|
||||
local um_get_roles = require "core.usermanager".get_roles;
|
||||
|
||||
local function check_user_isolated(event)
|
||||
local session = event.session;
|
||||
if not session.no_host_isolation then
|
||||
local bare_jid = jid_bare(session.full_jid);
|
||||
local roles = um_get_roles(bare_jid, module.host);
|
||||
if roles and not roles["prosody:restricted"] then
|
||||
-- Bypass isolation for all unrestricted users
|
||||
session.no_host_isolation = true;
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
module:hook("resource-bind", check_user_isolated, -0.5);
|
||||
Loading…
Reference in New Issue