Mercurial > lxmppd-hg-xmllex / changeset
changeset
mod_xmlrpc: Limit usage to admins
Sun, 08 Mar 2009 05:03:22 +0500
- author
- Waqas Hussain <waqas20@gmail.com>
- date
- Sun, 08 Mar 2009 05:03:22 +0500
- changeset 892
- 2128891180b7
- parent 891
- 236d1ce9fa99
- child 893
- cec476fcc19f
mod_xmlrpc: Limit usage to admins
| plugins/mod_xmlrpc.lua | file | annotate | diff | comparison | revisions |
--- a/plugins/mod_xmlrpc.lua Sun Mar 08 04:49:51 2009 +0500 +++ b/plugins/mod_xmlrpc.lua Sun Mar 08 05:03:22 2009 +0500 @@ -14,6 +14,11 @@ local pcall = pcall; local unpack = unpack; local tostring = tostring; +local is_admin = require "core.usermanager".is_admin; +local jid_split = require "util.jid".split; +local b64_decode = require "util.encodings".base64.decode; +local get_method = require "core.objectmanager".get_object; +local validate_credentials = require "core.usermanager".validate_credentials; local translate_request = require "util.xmlrpc".translate_request; local create_response = require "util.xmlrpc".create_response; @@ -60,13 +65,6 @@ return stanza.tags[1]; end ---[[local function get_method(method) - return function(...) - return {method = method; args = {...}}; - end -end]] -local get_method = require "core.objectmanager".get_object; - local function handle_xmlrpc_request(method, args) method = get_method(method); if not method then return create_error_response(404, "method not found"); end @@ -86,29 +84,37 @@ local query = stanza.tags[1]; if query.name == "query" then if #query.tags == 1 then - local success, method, args = pcall(translate_request, query.tags[1]); - if success then - local result = handle_xmlrpc_request(method, args); - origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result)); - else - origin.send(st.error_reply(stanza, "modify", "bad-request", method)); - end - else - origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); - end - else - origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); - end + if is_admin(stanza.attr.from) then + local success, method, args = pcall(translate_request, query.tags[1]); + if success then + local result = handle_xmlrpc_request(method, args); + origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result)); + else + origin.send(st.error_reply(stanza, "modify", "bad-request", method)); + end + else origin.send(st.error_reply(stanza, "auth", "forbidden", "No content in XML-RPC request")); end + else origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); end + else origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); end end module:add_iq_handler({"c2s", "s2sin"}, "jabber:iq:rpc", handle_xmpp_request); module:add_feature("jabber:iq:rpc"); +-- TODO add <identity category='automation' type='rpc'/> to disco replies -local default_headers = { ["Content-Type"] = "text/xml" }; +local default_headers = { ['Content-Type'] = 'text/xml' }; +local unauthorized_response = { status = '401 UNAUTHORIZED', headers = {['Content-Type']='text/html', ['WWW-Authenticate']='Basic realm="WallyWorld"'}; body = "<html><body>Authentication required</body></html>"; }; local function handle_http_request(method, body, request) + -- authenticate user + local username, password = b64_decode(request['authorization'] or ''):gmatch('([^:]*):(.*)')(); -- TODO digest auth + local node, host = jid_split(username); + if not validate_credentials(host, node, password) and is_admin(username) then + return unauthorized_response; + end + -- parse request local stanza = body and parse_xml(body); if (not stanza) or request.method ~= "POST" then return "<html><body>You really don't look like an XML-RPC client to me... what do you want?</body></html>"; end + -- execute request local success, method, args = pcall(translate_request, stanza); if success then return { headers = default_headers; body = tostring(handle_xmlrpc_request(method, args)) };
