<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <link>http://hg.omfa.de/prosody-hg/</link>
    <language>en-us</language>

    <title>prosody-hg: plugins/mod_authz_internal.lua history</title>
    <description>plugins/mod_authz_internal.lua revision history</description>
    <item>
    <title>mod_authz_internal: Improve error message when invalid role specified</title>
    <link>http://hg.omfa.de/prosody-hg/log/bcb69302423e/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Improve error message when invalid role specified]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Fri, 04 Apr 2025 16:49:55 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Fix error messages</title>
    <link>http://hg.omfa.de/prosody-hg/log/f5c7fe7bbe3b/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Fix error messages]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 13 Feb 2025 15:31:14 +0000</pubDate>
</item>
<item>
    <title>mod_authz_internal: Fix return values of secondary role management methods</title>
    <link>http://hg.omfa.de/prosody-hg/log/acb87cc2d48b/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Fix return values of secondary role management methods<br/>
<br/>
usermanager expects (role, err) and (ok, err)]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 13 Feb 2025 15:30:23 +0000</pubDate>
</item>
<item>
    <title>mod_authz_internal: Make host considered the parent configurable</title>
    <link>http://hg.omfa.de/prosody-hg/log/eb676b6f05e3/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Make host considered the parent configurable<br/>
<br/>
This bestows the role specified by the 'host_user_role' setting onto<br/>
users of that host. For simplicity, only a single host can be specified.<br/>
<br/>
Making it configurable allows for setups where VirtualHost and related<br/>
Components may be siblings instead of having a subdomain relationship.<br/>
<br/>
For setups with many VirtualHosts sharing a single Component, the<br/>
'server_user_role' setting is more appropriate. Even more complicated<br/>
setups would have to resort to mod_firewall or similar.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 13 Jan 2025 11:50:03 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Make 'prosody:guest' default role for all unknown JIDs</title>
    <link>http://hg.omfa.de/prosody-hg/log/fdb2e0568cf8/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Make 'prosody:guest' default role for all unknown JIDs<br/>
<br/>
This fixes an issue where e.g. remote users or even other users on the server<br/>
were unable to list MUC rooms.<br/>
<br/>
We want to define a permission to list MUC rooms, but we want it to be<br/>
available to everyone by default (the traditional behaviour).<br/>
<br/>
prosody:guest is the lowest role we have. I ran a quick check and it isn't<br/>
really used for anything right now that would be concerning.<br/>
<br/>
It was originally designed for anonymous logins. I think it's safe to treat<br/>
remote JIDs as equivalent, since we have no trust relationship with anonymous<br/>
users either.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Tue, 07 Jan 2025 14:41:32 +0000</pubDate>
</item>
<item>
    <title>mod_authz_internal: Hint at roles for external JIDs being read-only</title>
    <link>http://hg.omfa.de/prosody-hg/log/3dc3781d02cd/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Hint at roles for external JIDs being read-only<br/>
<br/>
Roles for JIDs outside the current host are derived from configuration<br/>
only with this module.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 01 Nov 2024 13:08:35 +0100</pubDate>
</item>
<item>
    <title>plugins: Use get_option_array for some list shaped options</title>
    <link>http://hg.omfa.de/prosody-hg/log/e0ab20519ce5/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[plugins: Use get_option_array for some list shaped options<br/>
<br/>
Passing something from module:get_option() to ipairs() suggests that the<br/>
option is a list of some sort.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 21 Jul 2023 22:48:54 +0200</pubDate>
</item>
<item>
    <title>core, plugins: Split prosody:user role into prosody:{guest,registered,member}</title>
    <link>http://hg.omfa.de/prosody-hg/log/082c7d856e61/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[core, plugins: Split prosody:user role into prosody:{guest,registered,member}<br/>
<br/>
This gives us more granular control over different types of user account.<br/>
Accounts registered by IBR get assigned prosody:registered by default, while<br/>
accounts provisioned by an admin (e.g. via prosodyctl shell) will receive<br/>
prosody:member by default.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 29 Jun 2023 15:36:13 +0100</pubDate>
</item>
<item>
    <title>plugins: Prefix module imports with prosody namespace</title>
    <link>http://hg.omfa.de/prosody-hg/log/74b9e05af71e/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[plugins: Prefix module imports with prosody namespace]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 24 Mar 2023 13:15:28 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Fix wrong role name field in user_can_assume_role()</title>
    <link>http://hg.omfa.de/prosody-hg/log/6cb339423928/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Fix wrong role name field in user_can_assume_role()<br/>
<br/>
Made it reject the primary role since it compares against a non-existent<br/>
field, i.e. nil.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Thu, 09 Mar 2023 16:02:55 +0100</pubDate>
</item>
<item>
    <title>authz: Add method for retrieving all roles</title>
    <link>http://hg.omfa.de/prosody-hg/log/cdb996637b08/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[authz: Add method for retrieving all roles<br/>
<br/>
Some of the OAuth stuff highlights a small need to retrieve a list of<br/>
roles somehow. Handy if you ever need a role selector in adhoc or<br/>
something.<br/>
<br/>
Unless there's some O(n) thing we were avoiding?]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 04 Mar 2023 18:40:43 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Fix warning due to global use</title>
    <link>http://hg.omfa.de/prosody-hg/log/f58c6ae5edc1/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Fix warning due to global use<br/>
<br/>
Thanks Menel and Martin]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Tue, 04 Oct 2022 12:04:43 +0200</pubDate>
</item>
<item>
    <title>mod_authz_internal: Allow specifying default role for public (remote) users</title>
    <link>http://hg.omfa.de/prosody-hg/log/2167e1639aab/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Allow specifying default role for public (remote) users]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 29 Sep 2022 12:46:02 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Allow configuring role of local-server/parent-host users</title>
    <link>http://hg.omfa.de/prosody-hg/log/427dd01f0864/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Allow configuring role of local-server/parent-host users<br/>
<br/>
'host_user_role' is the default role of users who have JIDs on the &quot;parent&quot;<br/>
host (i.e. jabber.org users on conference.jabber.org). Defaults to<br/>
'prosody:user'.<br/>
<br/>
'server_user_roles' is the default role of users who have JIDs on any active<br/>
host on the current Prosody instance. Default to nil (no role).<br/>
<br/>
This finally allows better permissions splitting between host and server<br/>
users, which has previously been done (e.g. in MUC) with options like<br/>
'restrict_room_creation' and 'muc_room_allow_persistent'. Using roles makes<br/>
these permissions a lot more flexible, and easier for developers to integrate.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 29 Sep 2022 12:10:14 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Expose convenience method to test if user can assume role</title>
    <link>http://hg.omfa.de/prosody-hg/log/cf88f6b03942/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Expose convenience method to test if user can assume role]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 18 Aug 2022 10:37:59 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal, and more: New iteration of role API</title>
    <link>http://hg.omfa.de/prosody-hg/log/07424992d7fc/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal, and more: New iteration of role API<br/>
<br/>
These changes to the API (hopefully the last) introduce a cleaner separation<br/>
between the user's primary (default) role, and their secondary (optional)<br/>
roles.<br/>
<br/>
To keep the code sane and reduce complexity, a data migration is needed for<br/>
people using stored roles in 0.12. This can be performed with<br/>
<br/>
  prosodyctl mod_authz_internal migrate &lt;host&gt;]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Wed, 17 Aug 2022 16:38:53 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Use util.roles, some API changes and config support</title>
    <link>http://hg.omfa.de/prosody-hg/log/f299e570a0fe/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Use util.roles, some API changes and config support<br/>
<br/>
This commit was too awkward to split (hg record didn't like it), so:<br/>
<br/>
- Switch to the new util.roles lib to provide a consistent representation of<br/>
  a role object.<br/>
<br/>
- Change API method from get_role_info() to get_role_by_name() (touches<br/>
  sessionmanager and usermanager)<br/>
<br/>
- Change get_roles() to get_user_roles(), take a username instead of a JID<br/>
  This is more consistent with all other usermanager API methods.<br/>
<br/>
- Support configuration of custom roles and permissions via the config file<br/>
  (to be documented).]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Tue, 19 Jul 2022 18:02:02 +0100</pubDate>
</item>
<item>
    <title>Switch to a new role-based authorization framework, removing is_admin()</title>
    <link>http://hg.omfa.de/prosody-hg/log/9061f9621330/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[Switch to a new role-based authorization framework, removing is_admin()<br/>
<br/>
We began moving away from simple &quot;is this user an admin?&quot; permission checks<br/>
before 0.12, with the introduction of mod_authz_internal and the ability to<br/>
dynamically change the roles of individual users.<br/>
<br/>
The approach in 0.12 still had various limitations however, and apart from<br/>
the introduction of roles other than &quot;admin&quot; and the ability to pull that info<br/>
from storage, not much actually changed.<br/>
<br/>
This new framework shakes things up a lot, though aims to maintain the same<br/>
functionality and behaviour on the surface for a default Prosody<br/>
configuration. That is, if you don't take advantage of any of the new<br/>
features, you shouldn't notice any change.<br/>
<br/>
The biggest change visible to developers is that usermanager.is_admin() (and<br/>
the auth provider is_admin() method) have been removed. Gone. Completely.<br/>
<br/>
Permission checks should now be performed using a new module API method:<br/>
<br/>
  module:may(action_name, context)<br/>
<br/>
This method accepts an action name, followed by either a JID (string) or<br/>
(preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g.<br/>
the standard object passed to most events). It will return true if the action<br/>
should be permitted, or false/nil otherwise.<br/>
<br/>
Modules should no longer perform permission checks based on the role name.<br/>
E.g. a lot of code previously checked if the user's role was prosody:admin<br/>
before permitting some action. Since many roles might now exist with similar<br/>
permissions, and the permissions of prosody:admin may be redefined<br/>
dynamically, it is no longer suitable to use this method for permission<br/>
checks. Use module:may().<br/>
<br/>
If you start an action name with ':' (recommended) then the current module's<br/>
name will automatically be used as a prefix.<br/>
<br/>
To define a new permission, use the new module API:<br/>
<br/>
  module:default_permission(role_name, action_name)<br/>
  module:default_permissions(role_name, { action_name[, action_name...] })<br/>
<br/>
This grants the specified role permission to execute the named action(s) by<br/>
default. This may be overridden via other mechanisms external to your module.<br/>
<br/>
The built-in roles that developers should use are:<br/>
<br/>
 - prosody:user (normal user)<br/>
 - prosody:admin (host admin)<br/>
 - prosody:operator (global admin)<br/>
<br/>
The new prosody:operator role is intended for server-wide actions (such as<br/>
shutting down Prosody).<br/>
<br/>
Finally, all usage of is_admin() in modules has been fixed by this commit.<br/>
Some of these changes were trickier than others, but no change is expected to<br/>
break existing deployments.<br/>
<br/>
EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's<br/>
very possible nobody is using this, but if someone is then we can later update<br/>
it to pull roles from LDAP somehow.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Wed, 15 Jun 2022 12:15:01 +0100</pubDate>
</item>
<item>
    <title>usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role</title>
    <link>http://hg.omfa.de/prosody-hg/log/3a2d58a39872/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 26 Aug 2021 16:35:43 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: Ignore unused argument for now [luachec]</title>
    <link>http://hg.omfa.de/prosody-hg/log/8fba807e5256/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: Ignore unused argument for now [luachec]]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 22 Mar 2021 22:01:49 +0100</pubDate>
</item>
<item>
    <title>mod_authz_internal: add support for setting roles of a local user</title>
    <link>http://hg.omfa.de/prosody-hg/log/c32753ceb0f0/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[mod_authz_internal: add support for setting roles of a local user]]></description>
    <author>&#74;&#111;&#110;&#97;&#115;&#32;&#83;&#99;&#104;&#228;&#102;&#101;&#114;&#32;&#60;&#106;&#111;&#110;&#97;&#115;&#64;&#119;&#105;&#101;&#108;&#105;&#99;&#107;&#105;&#46;&#110;&#97;&#109;&#101;&#62;</author>
    <pubDate>Mon, 22 Mar 2021 21:24:43 +0100</pubDate>
</item>
<item>
    <title>usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter</title>
    <link>http://hg.omfa.de/prosody-hg/log/8f95308c3c45/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Sun, 23 Feb 2020 12:38:43 +0000</pubDate>
</item>
<item>
    <title>usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).</title>
    <link>http://hg.omfa.de/prosody-hg/log/d1cc6af0fb97/plugins/mod_authz_internal.lua</link>
    <description><![CDATA[usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).<br/>
<br/>
Note: Removes the ability for mod_auth_* providers to determine user admin status. Such<br/>
modules will need to have their is_admin methods ported to be a mod_authz_* provider.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Mon, 27 Jan 2020 21:54:59 +0000</pubDate>
</item>

  </channel>
</rss>
