From 9dcd3f40805033a13bbfdbfab222fc0af11ad8c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20R=C3=A9mond?=
Date: Wed, 7 Jun 2006 08:38:37 +0000
Subject: [PATCH] * src/mod_pubsub/mod_pubsub.erl: Support for pubsub node creation ACL. It is now possible to limit the node creation rights using an ACL from ejabberd config file (Thanks to Christophe Romain) (EJAB-104). * doc/guide.tex: Likewise. * src/ejabberd.cfg.example. SVN Revision: 577
---
 ChangeLog | 8 ++++++
 doc/dev.html | 42 +++++++++++++--------------
 doc/guide.html | 8 ++++--
 doc/guide.tex | 6 +++-
 src/ejabberd.cfg.example | 4 ++-
 src/mod_pubsub/mod_pubsub.erl | 53 ++++++++++++++++++++++-------------
 6 files changed, 75 insertions(+), 46 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8781a885e..ca73c8ace 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-06-07 Mickael Remond
+
+ * src/mod_pubsub/mod_pubsub.erl: Support for pubsub node creation ACL.
+ It is now possible to limit the node creation rights using an ACL from
+ ejabberd config file (Thanks to Christophe Romain).
+ * doc/guide.tex: Likewise.
+ * src/ejabberd.cfg.example.
+
 2006-06-02 Mickael Remond
 * src/web/ejabberd_http_poll.erl: Messages polled between the
diff --git a/doc/dev.html b/doc/dev.html
index 65a85172a..0daaf175b 100644
--- a/doc/dev.html
+++ b/doc/dev.html
@@ -4,7 +4,7 @@
-Ejabberd 1.0.0 Developers Guide
+Ejabberd 1.1.1 Developers Guide
@@ -34,7 +34,7 @@ BLOCKQUOTE{margin-left:4ex;margin-right:4ex;text-align:left;}
@@ -101,16 +101,16 @@ BLOCKQUOTE{margin-left:4ex;margin-right:4ex;text-align:left;}
  • Multiplatform: ejabberd runs under Microsoft Windows and Unix derived systems such as Linux, FreeBSD and NetBSD.

    -
  • Distributed: You can run ejabberd on a cluster of machines and all of them will serve one Jabber domain. When you need more capacity you can simply add a new cheap node to your cluster. Accordingly, you do not need to buy an expensive high-end machine to support tens of thousands concurrent users.
    +
  • Distributed: You can run ejabberd on a cluster of machines and all of them will serve the same Jabber domain(s). When you need more capacity you can simply add a new cheap node to your cluster. Accordingly, you do not need to buy an expensive high-end machine to support tens of thousands concurrent users.

  • Fault-tolerant: You can deploy an ejabberd cluster so that all the information required for a properly working service will be replicated permanently on all nodes. This means that if one of the nodes crashes, the others will continue working without disruption. In addition, nodes also can be added or replaced “on the fly”.

  • Administrator Friendly: ejabberd is built on top of the Open Source Erlang. As a result you do not need to install an external database, an external web server, amongst others because everything is already included, and ready to run out of the box. Other administrator benefits include:
    • Comprehensive documentation. -
    • Straightforward installers for Windows and Linux. +
    • Straightforward installers for Linux, Mac OS X, and Windows.
    • Web interface for administration tasks. -
    • Shared Roster groups. +
    • Shared Roster Groups.
    • Command line administration tool.
    • Can integrate with existing authentication mechanisms.
    • Capability to send announce messages. @@ -124,7 +124,7 @@ Translated in 11 languages.
    • Open Standards: ejabberd is the first Open Source Jabber server claiming to fully comply to the XMPP standard.
    @@ -136,7 +136,7 @@ Fully XMPP compliant Besides common Jabber server features, ejabberd comes with a wide range of other features:
    • -Modular: ejabberd's modular architecture allows easy customization: +Modular
      • Load only the modules you want.
      • Extend ejabberd with your own custom modules. @@ -145,37 +145,33 @@ Load only the modules you want.
        • SASL and STARTTLS for c2s and s2s connections.
        • STARTTLS and Dialback s2s connections. -
        • Obsolete SSL for c2s connections also supported.
        • Web interface accessible via HTTPS secure access.
      • Databases
        • -Native PostgreSQL support. +Native MySQL support. +
        • Native PostgreSQL support.
        • Mnesia.
        • ODBC data storage support.
      • Authentication
        • -LDAP. +LDAP and ODBC.
        • External Authentication script.
        • Internal Authentication.
        -
      • The ability to interface via external components with networks such as: -
        • -AIM -
        • ICQ -
        • MSN -
      • Others
        • -IPv6 support both for c2s and s2s connections. -
        • Support for virtual hosting. -
        • HTTP Polling service -
        • Multi-User Chat module. -
        • IRC transport. -
        • Publish-Subscribe component. -
        • Users Directory based on users vCards. +Compressing XML streams with Stream Compression (JEP-0138). +
        • Interface with networks such as AIM, ICQ and MSN.
        • Statistics via Statistics Gathering (JEP-0039). +
        • IPv6 support both for c2s and s2s connections. +
        • Multi-User Chat module with logging. +
        • Users Directory based on users vCards. +
        • Publish-Subscribe component. +
        • Support for virtual hosting. +
        • HTTP Polling service. +
        • IRC transport.
      
diff --git a/doc/guide.html b/doc/guide.html
index cf24854e3..7dc2ddc22 100644
--- a/doc/guide.html
+++ b/doc/guide.html
@@ -2188,14 +2188,18 @@ Options:
      served_hosts
      To specify which hosts needs to be served, you can use this option. If absent, only the main ejabberd - host is served. + host is served.
      access_createnode
      + Restricts which users are allowed to create pubsub nodes using ACL and ACCESS. + Default: pubsub_createnode. + Example:
         {modules,
          [
           ...
           {mod_pubsub, [{served_hosts, ["example.com",
      -                                  "example.org"]}]}
      +                                  "example.org"]},
      +                  {access_createnode, pubsub_createnode}]}
           ...
          ]}.
       
      
diff --git a/doc/guide.tex b/doc/guide.tex
index 3bf520849..99e2df91a 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -1913,6 +1913,9 @@ Options: \titem{served\_hosts} \ind{options!served\_hosts}To specify which hosts needs to be served, you can use this option. If absent, only the main \ejabberd{} host is served. % Not a straigtforward description! This needs to be improved!
+\titem{access\_createnode} \ind{options!access\_createnode}
+ Restricts which users are allowed to create pubsub nodes using ACL and ACCESS.
+ Default: \term{pubsub\_createnode}.
 \end{description}
 Example:
@@ -1921,7 +1924,8 @@ Example:
 [
 ...
 {mod_pubsub, [{served_hosts, ["example.com",
- "example.org"]}]}
+ "example.org"]},
+ {access_createnode, pubsub_createnode}]}
 ...
 ]}.
 \end{verbatim}
diff --git a/src/ejabberd.cfg.example b/src/ejabberd.cfg.example
index e8ef5a4c5..bcc103385 100644
--- a/src/ejabberd.cfg.example
+++ b/src/ejabberd.cfg.example
@@ -20,6 +20,8 @@
 %{acl, test, {user_regexp, "^test"}}.
 %{acl, test, {user_glob, "test*"}}.
+% Everybody can create pubsub nodes
+{access, pubsub_createnode, [{allow, all}]}.
 % Only admins can use configuration interface:
 {access, configure, [{allow, admin}]}.
@@ -171,7 +173,7 @@
 {access_admin, muc_admin}]},
 % {mod_muc_log, []},
 % {mod_shared_roster, []},
- {mod_pubsub, []},
+ {mod_pubsub, [{access_createnode, pubsub_createnode}]},
 {mod_time, []},
 {mod_last, []},
 {mod_version, []}
diff --git a/src/mod_pubsub/mod_pubsub.erl b/src/mod_pubsub/mod_pubsub.erl
index a96515343..6c46ffdb3 100644
--- a/src/mod_pubsub/mod_pubsub.erl
+++ b/src/mod_pubsub/mod_pubsub.erl
@@ -33,7 +33,7 @@
 -include("ejabberd.hrl").
 -include("jlib.hrl").
--record(state, {host}).
+-record(state, {host, server_host, access}).
 -define(DICT, dict).
 -define(MAXITEMS, 20).
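Review bot: The comment `% Everybody can create pubsub nodes` above the new `{access, pubsub_createnode, [{allow, all}]}` rule in hunk -20 of ejabberd.cfg.example overstates what the rule grants: per check_create_permission/5 in this same patch, an `allow` result still limits an owner whose server differs from the pubsub host to nodes under `["home", Server, User | _]`, while `all` matches users of remote servers as well as local ones. Suggest `% Everybody (local or remote) may create pubsub nodes, subject to mod_pubsub's own home-node rule`. Deployments that want node creation limited to their own users should reference a narrower ACL here instead of `all`.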
@@ -122,6 +122,7 @@ init([ServerHost, Opts]) ->
 update_table(Host),
 mnesia:add_table_index(pubsub_node, host_parent),
 ServedHosts = gen_mod:get_opt(served_hosts, Opts, []),
+ Access = gen_mod:get_opt(access_createnode, Opts, all),
 ejabberd_router:register_route(Host),
 create_new_node(Host, ["pubsub"], ?MYJID),
@@ -133,7 +134,7 @@ init([ServerHost, Opts]) ->
 end, ServedHosts),
 ets:new(gen_mod:get_module_proc(Host, pubsub_presence), [set, named_table]),
- {ok, #state{host = Host}}.
+ {ok, #state{host = Host, server_host = ServerHost, access = Access}}.
 %%--------------------------------------------------------------------
 %% Function:
 %% handle_call(Request, From, State) -> {reply, Reply, State} |
@@ -162,8 +163,9 @@ handle_cast(_Msg, State) ->
 %% {stop, Reason, State}
 %% Description: Handling all non call/cast messages
 %%--------------------------------------------------------------------
-handle_info({route, From, To, Packet}, State) ->
- case catch do_route(To#jid.lserver, From, To, Packet) of
+handle_info({route, From, To, Packet},
+#state{server_host = ServerHost, access = Access} = State) ->
+ case catch do_route(To#jid.lserver, ServerHost, Access, From, To, Packet) of
 {'EXIT', Reason} ->
 ?ERROR_MSG("~p", [Reason]);
 _ ->
@@ -194,7 +196,7 @@ code_change(_OldVsn, State, _Extra) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-do_route(Host, From, To, Packet) ->
+do_route(Host, ServerHost, Access, From, To, Packet) ->
 {xmlelement, Name, Attrs, Els} = Packet,
 case To of
 #jid{luser = "", lresource = ""} ->
@@ -232,7 +234,7 @@ do_route(Host, From, To, Packet) ->
 #iq{type = Type, xmlns = ?NS_PUBSUB = XMLNS, sub_el = SubEl} = IQ ->
 Res =
- case iq_pubsub(Host, From, Type, SubEl) of
+ case iq_pubsub(Host, ServerHost, From, Type, SubEl, Access) of
 {result, IQRes} ->
 jlib:iq_to_xml(
 IQ#iq{type = result,
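Review bot: The fallback in `Access = gen_mod:get_opt(access_createnode, Opts, all),` (hunk -122) disagrees with the guide.tex and guide.html text in this same commit, which document the default as `pubsub_createnode`; an administrator who defines that access rule but omits the module option therefore gets no restriction at all. Either the documentation should state that the default is `all`, or the code should read `Access = gen_mod:get_opt(access_createnode, Opts, pubsub_createnode),` — the latter presumably denies creation until the rule exists in the config (the example config adds it), so it is the stricter choice but a behaviour change for existing installs. In hunk -162 the continuation line `#state{server_host = ServerHost, access = Access} = State) ->` starts at column 0; indenting it under the first argument would keep the clause head readable. The bodies of init/1, handle_info/2 and do_route/6 start and end outside these hunks.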
@@ -397,7 +399,7 @@ iq_get_vcard(Lang) ->
 "Copyright (c) 2003-2006 Alexey Shchepin")}]}].
-iq_pubsub(Host, From, Type, SubEl) ->
+iq_pubsub(Host, ServerHost, From, Type, SubEl, Access) ->
 {xmlelement, _, _, SubEls} = SubEl,
 case xml:remove_cdata(SubEls) of
 [{xmlelement, Name, Attrs, Els}] ->
@@ -405,7 +407,7 @@ iq_pubsub(Host, From, Type, SubEl) ->
 Node = string:tokens(SNode, "/"),
 case {Type, Name} of
 {set, "create"} ->
- create_new_node(Host, Node, From);
+ create_new_node(Host, Node, From, ServerHost, Access);
 {set, "publish"} ->
 case xml:remove_cdata(Els) of
 [{xmlelement, "item", ItemAttrs, Payload}] ->
@@ -484,13 +486,17 @@ iq_pubsub(Host, From, Type, SubEl) ->
 %% Create new pubsub nodes
 %% This function is used during init to create the first bootstrap nodes
 create_new_node(Host, Node, Owner) ->
+ %% This is the case use during "bootstrapping to create the initial
+ %% hierarchy. Should always be ... undefined,all
+ create_new_node(Host, Node, Owner, undefined, all).
+create_new_node(Host, Node, Owner, ServerHost, Access) ->
 case Node of
 [] ->
 {LOU, LOS, _} = jlib:jid_tolower(Owner),
 HomeNode = ["home", LOS, LOU],
- create_new_node(Host, HomeNode, Owner),
+ create_new_node(Host, HomeNode, Owner, ServerHost, Access),
 NewNode = ["home", LOS, LOU, randoms:get_string()],
- create_new_node(Host, NewNode, Owner);
+ create_new_node(Host, NewNode, Owner, ServerHost, Access);
 _ ->
 LOwner = jlib:jid_tolower(jlib:jid_remove_resource(Owner)),
 Parent = lists:sublist(Node, length(Node) - 1),
@@ -525,7 +531,7 @@ create_new_node(Host, Node, Owner) ->
 end
 end
 end,
- case check_create_permission(Host, Node, Owner) of
+ case check_create_permission(Host, Node, Owner, ServerHost, Access) of
 true ->
 case mnesia:transaction(F) of
 {atomic, ok} ->
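Review bot: The comment added in hunk -484 sits inside the body of create_new_node/3, between its head and its single call, and has an unbalanced quote and a typo (`the case use during "bootstrapping`); it would read better folded into the existing header comment above the clause, e.g. `%% create_new_node/3 is the bootstrap entry point used from init/1; it always passes ServerHost = undefined and Access = all, which is expected to make the access check allow the initial hierarchy.` That expectation rests on acl:match_rule/3 treating the `all` rule as allow regardless of the host argument, which is outside this diff and worth confirming, since a deny there would break node creation at startup. A smaller style point across hunks -397 and -405: do_route/6 takes `Access` as its third argument while iq_pubsub/6, create_new_node/5 and check_create_permission/5 take it last; one consistent order would make the threading of the two new parameters easier to follow. The enclosing functions of these hunks start and end outside them.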
@@ -1052,14 +1058,23 @@ subscription_to_string(Subscription) ->
 end.
-check_create_permission(Host, Node, Owner) ->
- if
- Owner#jid.lserver == Host ->
- true;
- true ->
- #jid{luser = User, lserver = Server} = Owner,
- case Node of
- ["home", Server, User | _] ->
+check_create_permission(Host, Node, Owner, ServerHost, Access) ->
+ #jid{luser = User, lserver = Server, lresource = Resource} = Owner,
+ case acl:match_rule(ServerHost, Access, {User, Server, Resource}) of
+ allow ->
+ if Server == Host ->
+ true;
+ true ->
+ case Node of
+ ["home", Server, User | _] ->
+ true;
+ _ ->
+ false
+ end
+ end;
+ _ ->
+ case Owner of
+ ?MYJID ->
 true;
 _ ->
 false
-

Ejabberd 1.0.0 Developers Guide

+

Ejabberd 1.1.1 Developers Guide

Alexey Shchepin
mailto:alexey@sevcom.net
xmpp:aleksey@jabber.ru