# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1638790056 0
# Node ID 1c2b8d10ceedc9490bae77389bbb1a73c3f3d08f
# Parent  2073137bc9436a544b2bdb3b9562a5b18e852288
rtbl_admin: Add access control around commands

diff -r 2073137bc943 -r 1c2b8d10ceed plugins/rtbl_admin.lua
--- a/plugins/rtbl_admin.lua	Mon Dec 06 11:27:16 2021 +0000
+++ b/plugins/rtbl_admin.lua	Mon Dec 06 11:27:36 2021 +0000
@@ -7,7 +7,14 @@
 
 	local config = bot.config.rtbl_admin;
 
+	local permitted_affiliations = config.permitted_affiliations or { admin = true, owner = true };
+
 	bot:hook("commands/rtbl-add", function (command)
+		if config.control_room ~= (command.room and command.room.jid) then
+			return;
+		elseif not permitted_affiliations[command.sender.affiliation] then
+			return "You have insufficient permissions to use this command";
+		end
 		local reported_jid = command.param and jid.prep(command.param:match("^%S+"));
 		local hash = sha256(reported_jid, true);
 		bot.stream.pubsub(config.host, config.node):publish(
@@ -25,9 +32,15 @@
 				command:reply("RTBL entry added");
 			end
 		);
+		return true;
 	end);
 
 	bot:hook("commands/rtbl-remove", function (command)
+		if config.control_room ~= (command.room and command.room.jid) then
+			return;
+		elseif not permitted_affiliations[command.sender.affiliation] then
+			return "You have insufficient permissions to use this command";
+		end
 		local reported_jid = command.param and jid.prep(command.param:match("^%S+"));
 		local hash = sha256(reported_jid, true);
 		bot.stream.pubsub(config.host, config.node):retract(
@@ -41,5 +54,6 @@
 				command:reply("RTBL entry removed");
 			end
 		);
+		return true;
 	end);
 end