[packages/ejabberd.git] / ejabberd-vcard-access-get.patch

From b489d2017d046c305598a79e31127c26bc9a98fd Mon Sep 17 00:00:00 2001
From: Badlop <badlop@process-one.net>
Date: Fri, 7 Jun 2013 19:00:07 +0200
Subject: [PATCH] New options access_get and access_set in mod_vcard, _ldap
 and _odbc (EJAB-797)

---
 doc/guide.tex          |   23 +++++++++++++++++++++--
 src/mod_vcard.erl      |   24 ++++++++++++++++--------
 src/mod_vcard_ldap.erl |   45 +++++++++++++++++++++++++++------------------
 3 files changed, 64 insertions(+), 28 deletions(-)

diff --git a/doc/guide.tex b/doc/guide.tex
index 71f88ee..d5bcfbb 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -4616,6 +4616,17 @@ Options:
 \hostitem{vjud}
 \iqdiscitem{\ns{vcard-temp}}
 \dbtype
+\titem{access\_get}\ind{options!accessget} Access rule that defines
+  who is allowed to see vCard of local users.
+  If a rule returns `deny' on the requester
+  user name, that user cannot see vCards of local users.
+  By default anybody can see the vCards of local users.
+\titem{access\_set}\ind{options!accessset} Access rule that defines
+  who is allowed to modify his vCard.
+  If a rule returns `deny' on the requester
+  user name, that user cannot modify his vCard.
+  By default each local account can modify his own local vCard.
+  Notice that vCard of a user can only be edited by the user himself.
 \titem{\{search, true|false\}}\ind{options!search}This option specifies whether the search
   functionality is enabled or not
   If disabled, the option \term{host} will be ignored and the
@@ -4651,14 +4662,17 @@ Examples:
  ]}.
 \end{verbatim}
 \item The second situation differs in a way that search results are not limited,
-  and that all virtual hosts will be searched instead of only the current one:
+  and that all virtual hosts will be searched instead of only the current one.
+  Also, vCards of local users can only be seen by Local users.
 \begin{verbatim}
+{access, vcard_get, [{allow, local}]}.
 {modules,
  [
   ...
   {mod_vcard, [{search, true},
                {matches, infinity},
-               {allow_return_all, true}]},
+               {allow_return_all, true},
+               {access_get, vcard_get}]},
   ...
  ]}.
 \end{verbatim}
@@ -4696,6 +4710,11 @@ consists of the following \modvcardldap{}-specific options:
 \begin{description}
 \hostitem{vjud}
 \iqdiscitem{\ns{vcard-temp}}
+\titem{access\_get}\ind{options!accessget} Access rule that defines
+  who is allowed to see vCard of local users.
+  If a rule returns `deny' on the requester
+  user name, that user cannot see vCards of local users.
+  By default anybody can see the vCards of local users.
 \titem{\{search, true|false\}}\ind{options!search}This option specifies whether the search
   functionality is enabled (value: \term{true}) or disabled (value:
   \term{false}). If disabled, the option \term{host} will be ignored and the
diff --git a/src/mod_vcard.erl b/src/mod_vcard.erl
index 3b70fe2..0629de6 100644
--- a/src/mod_vcard.erl
+++ b/src/mod_vcard.erl
@@ -181,7 +181,9 @@ process_sm_iq(From, To, #iq{type = Type, sub_el = SubEl} = IQ) ->
     case Type of
 	set ->
 	    #jid{user = User, lserver = LServer} = From,
-	    case lists:member(LServer, ?MYHOSTS) of
+	    Access = gen_mod:get_module_opt(LServer, ?MODULE, access_set, all),
+	    case lists:member(LServer, ?MYHOSTS) andalso
+	     (acl:match_rule(LServer, Access, From) == allow) of
 		true ->
 		    set_vcard(User, LServer, SubEl),
 		    IQ#iq{type = result, sub_el = []};
@@ -190,13 +192,19 @@ process_sm_iq(From, To, #iq{type = Type, sub_el = SubEl} = IQ) ->
 	    end;
 	get ->
 	    #jid{luser = LUser, lserver = LServer} = To,
-            case get_vcard(LUser, LServer) of
-                error ->
-                    IQ#iq{type = error,
-			  sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
-                Els ->
-                    IQ#iq{type = result, sub_el = Els}
-            end
+           Access = gen_mod:get_module_opt(LServer, ?MODULE, access_get, all),
+           case acl:match_rule(LServer, Access, From) of
+               allow ->
+					case get_vcard(LUser, LServer) of
+						error ->
+							IQ#iq{type = error,
+						sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
+						Els ->
+							IQ#iq{type = result, sub_el = Els}
+					end;
+               deny ->
+                   IQ#iq{type = error, sub_el = [SubEl, ?ERR_NOT_ALLOWED]}
+           end
     end.
 
 get_vcard(LUser, LServer) ->
diff --git a/src/mod_vcard_ldap.erl b/src/mod_vcard_ldap.erl
index d3e6077..b17b1a3 100644
--- a/src/mod_vcard_ldap.erl
+++ b/src/mod_vcard_ldap.erl
@@ -242,38 +242,47 @@ process_local_iq(_From, _To, #iq{type = Type, lang = Lang, sub_el = SubEl} = IQ)
 			     ]}]}
     end.
 
-process_sm_iq(_From, #jid{lserver=LServer} = To, #iq{sub_el = SubEl} = IQ) ->
-    case catch process_vcard_ldap(To, IQ, LServer) of
+process_sm_iq(From, #jid{lserver=LServer} = To, #iq{sub_el = SubEl} = IQ) ->
+    case catch process_vcard_ldap(From, To, IQ, LServer) of
 	{'EXIT', _} ->
 	    IQ#iq{type = error, sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
 	Other ->
 	    Other
     end.
 
-process_vcard_ldap(To, IQ, Server) ->
+process_vcard_ldap(From, To, IQ, Server) ->
     {ok, State} = eldap_utils:get_state(Server, ?PROCNAME),
     #iq{type = Type, sub_el = SubEl} = IQ,
     case Type of
 	set ->
 	    IQ#iq{type = error, sub_el = [SubEl, ?ERR_NOT_ALLOWED]};
 	get ->
-	    #jid{luser = LUser} = To,
-	    LServer = State#state.serverhost,
-	    case ejabberd_auth:is_user_exists(LUser, LServer) of
-		true ->
-		    VCardMap = State#state.vcard_map,
-		    case find_ldap_user(LUser, State) of
-			#eldap_entry{attributes = Attributes} ->
-			    Vcard = ldap_attributes_to_vcard(Attributes, VCardMap, {LUser, LServer}),
-			    IQ#iq{type = result, sub_el = Vcard};
-			_ ->
-			    IQ#iq{type = result, sub_el = []}
-		    end;
-		_ ->
-		    IQ#iq{type = result, sub_el = []}
-	    end
+	    process_vcard_ldap_get_maybe(From, To, IQ, State)
 	end.
 
+process_vcard_ldap_get_maybe(From, To, IQ, State) ->
+    #jid{luser = LUser} = To,
+    #jid{lserver = FromLServer} = From,
+    LServer = State#state.serverhost,
+    Access = gen_mod:get_module_opt(LServer, ?MODULE, access_get, all),
+    case ejabberd_auth:is_user_exists(LUser, LServer) andalso
+	(acl:match_rule(FromLServer, Access, From) == allow) of
+	true ->
+	    process_vcard_ldap_get(LUser, LServer, IQ, State);
+	_ ->
+	    IQ#iq{type = result, sub_el = []}
+    end.
+
+process_vcard_ldap_get(LUser, LServer, IQ, State) ->
+    VCardMap = State#state.vcard_map,
+    case find_ldap_user(LUser, State) of
+	#eldap_entry{attributes = Attributes} ->
+	    Vcard = ldap_attributes_to_vcard(Attributes, VCardMap, {LUser, LServer}),
+	    IQ#iq{type = result, sub_el = Vcard};
+	_ ->
+	    IQ#iq{type = result, sub_el = []}
+    end.
+
 handle_call(get_state, _From, State) ->
     {reply, {ok, State}, State};
 handle_call(stop, _From, State) ->
-- 
1.7.10.4
Commit	Line	Data
f2da2f0c AM	1	From b489d2017d046c305598a79e31127c26bc9a98fd Mon Sep 17 00:00:00 2001
	2	From: Badlop <badlop@process-one.net>
	3	Date: Fri, 7 Jun 2013 19:00:07 +0200
	4	Subject: [PATCH] New options access_get and access_set in mod_vcard, _ldap
	5	and _odbc (EJAB-797)
	6
	7	---
	8	doc/guide.tex \| 23 +++++++++++++++++++++--
	9	src/mod_vcard.erl \| 24 ++++++++++++++++--------
	10	src/mod_vcard_ldap.erl \| 45 +++++++++++++++++++++++++++------------------
	11	3 files changed, 64 insertions(+), 28 deletions(-)
	12
52421ab2	13	diff --git a/doc/guide.tex b/doc/guide.tex
f2da2f0c	14	index 71f88ee..d5bcfbb 100644
52421ab2	15	--- a/doc/guide.tex
52421ab2	16	+++ b/doc/guide.tex
f2da2f0c	17	@@ -4616,6 +4616,17 @@ Options:
52421ab2	18	\hostitem{vjud}
52421ab2	19	\iqdiscitem{\ns{vcard-temp}}
f2da2f0c	20	\dbtype
52421ab2	21	+\titem{access\_get}\ind{options!accessget} Access rule that defines
	22	+ who is allowed to see vCard of local users.
	23	+ If a rule returns `deny' on the requester
	24	+ user name, that user cannot see vCards of local users.
	25	+ By default anybody can see the vCards of local users.
	26	+\titem{access\_set}\ind{options!accessset} Access rule that defines
	27	+ who is allowed to modify his vCard.
	28	+ If a rule returns `deny' on the requester
	29	+ user name, that user cannot modify his vCard.
	30	+ By default each local account can modify his own local vCard.
	31	+ Notice that vCard of a user can only be edited by the user himself.
	32	\titem{\{search, true\|false\}}\ind{options!search}This option specifies whether the search
	33	functionality is enabled or not
	34	If disabled, the option \term{host} will be ignored and the
f2da2f0c	35	@@ -4651,14 +4662,17 @@ Examples:
52421ab2	36	]}.
	37	\end{verbatim}
	38	\item The second situation differs in a way that search results are not limited,
	39	- and that all virtual hosts will be searched instead of only the current one:
	40	+ and that all virtual hosts will be searched instead of only the current one.
	41	+ Also, vCards of local users can only be seen by Local users.
	42	\begin{verbatim}
	43	+{access, vcard_get, [{allow, local}]}.
	44	{modules,
	45	[
	46	...
	47	{mod_vcard, [{search, true},
	48	{matches, infinity},
	49	- {allow_return_all, true}]},
	50	+ {allow_return_all, true},
	51	+ {access_get, vcard_get}]},
	52	...
	53	]}.
	54	\end{verbatim}
f2da2f0c AM	55	@@ -4696,6 +4710,11 @@ consists of the following \modvcardldap{}-specific options:
	56	\begin{description}
	57	\hostitem{vjud}
	58	\iqdiscitem{\ns{vcard-temp}}
	59	+\titem{access\_get}\ind{options!accessget} Access rule that defines
	60	+ who is allowed to see vCard of local users.
	61	+ If a rule returns `deny' on the requester
	62	+ user name, that user cannot see vCards of local users.
	63	+ By default anybody can see the vCards of local users.
	64	\titem{\{search, true\|false\}}\ind{options!search}This option specifies whether the search
	65	functionality is enabled (value: \term{true}) or disabled (value:
	66	\term{false}). If disabled, the option \term{host} will be ignored and the
52421ab2	67	diff --git a/src/mod_vcard.erl b/src/mod_vcard.erl
f2da2f0c	68	index 3b70fe2..0629de6 100644
52421ab2	69	--- a/src/mod_vcard.erl
52421ab2	70	+++ b/src/mod_vcard.erl
f2da2f0c	71	@@ -181,7 +181,9 @@ process_sm_iq(From, To, #iq{type = Type, sub_el = SubEl} = IQ) ->
52421ab2	72	case Type of
	73	set ->
	74	#jid{user = User, lserver = LServer} = From,
	75	- case lists:member(LServer, ?MYHOSTS) of
	76	+ Access = gen_mod:get_module_opt(LServer, ?MODULE, access_set, all),
	77	+ case lists:member(LServer, ?MYHOSTS) andalso
	78	+ (acl:match_rule(LServer, Access, From) == allow) of
	79	true ->
	80	set_vcard(User, LServer, SubEl),
	81	IQ#iq{type = result, sub_el = []};
f2da2f0c	82	@@ -190,13 +192,19 @@ process_sm_iq(From, To, #iq{type = Type, sub_el = SubEl} = IQ) ->
52421ab2	83	end;
	84	get ->
	85	#jid{luser = LUser, lserver = LServer} = To,
f2da2f0c AM	86	- case get_vcard(LUser, LServer) of
	87	- error ->
	88	- IQ#iq{type = error,
	89	- sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
	90	- Els ->
	91	- IQ#iq{type = result, sub_el = Els}
	92	- end
	93	+ Access = gen_mod:get_module_opt(LServer, ?MODULE, access_get, all),
	94	+ case acl:match_rule(LServer, Access, From) of
	95	+ allow ->
	96	+ case get_vcard(LUser, LServer) of
	97	+ error ->
	98	+ IQ#iq{type = error,
	99	+ sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
	100	+ Els ->
	101	+ IQ#iq{type = result, sub_el = Els}
	102	+ end;
	103	+ deny ->
	104	+ IQ#iq{type = error, sub_el = [SubEl, ?ERR_NOT_ALLOWED]}
	105	+ end
52421ab2	106	end.
52421ab2	107
f2da2f0c	108	get_vcard(LUser, LServer) ->
52421ab2	109	diff --git a/src/mod_vcard_ldap.erl b/src/mod_vcard_ldap.erl
f2da2f0c	110	index d3e6077..b17b1a3 100644
52421ab2	111	--- a/src/mod_vcard_ldap.erl
52421ab2	112	+++ b/src/mod_vcard_ldap.erl
f2da2f0c	113	@@ -242,38 +242,47 @@ process_local_iq(_From, _To, #iq{type = Type, lang = Lang, sub_el = SubEl} = IQ)
52421ab2	114	]}]}
	115	end.
	116
	117	-process_sm_iq(_From, #jid{lserver=LServer} = To, #iq{sub_el = SubEl} = IQ) ->
	118	- case catch process_vcard_ldap(To, IQ, LServer) of
	119	+process_sm_iq(From, #jid{lserver=LServer} = To, #iq{sub_el = SubEl} = IQ) ->
	120	+ case catch process_vcard_ldap(From, To, IQ, LServer) of
	121	{'EXIT', _} ->
	122	IQ#iq{type = error, sub_el = [SubEl, ?ERR_INTERNAL_SERVER_ERROR]};
	123	Other ->
	124	Other
	125	end.
	126
	127	-process_vcard_ldap(To, IQ, Server) ->
	128	+process_vcard_ldap(From, To, IQ, Server) ->
	129	{ok, State} = eldap_utils:get_state(Server, ?PROCNAME),
	130	#iq{type = Type, sub_el = SubEl} = IQ,
	131	case Type of
	132	set ->
	133	IQ#iq{type = error, sub_el = [SubEl, ?ERR_NOT_ALLOWED]};
	134	get ->
	135	- #jid{luser = LUser} = To,
	136	- LServer = State#state.serverhost,
	137	- case ejabberd_auth:is_user_exists(LUser, LServer) of
	138	- true ->
	139	- VCardMap = State#state.vcard_map,
	140	- case find_ldap_user(LUser, State) of
	141	- #eldap_entry{attributes = Attributes} ->
	142	- Vcard = ldap_attributes_to_vcard(Attributes, VCardMap, {LUser, LServer}),
	143	- IQ#iq{type = result, sub_el = Vcard};
	144	- _ ->
	145	- IQ#iq{type = result, sub_el = []}
	146	- end;
	147	- _ ->
	148	- IQ#iq{type = result, sub_el = []}
	149	- end
	150	+ process_vcard_ldap_get_maybe(From, To, IQ, State)
	151	end.
	152
	153	+process_vcard_ldap_get_maybe(From, To, IQ, State) ->
	154	+ #jid{luser = LUser} = To,
	155	+ #jid{lserver = FromLServer} = From,
	156	+ LServer = State#state.serverhost,
	157	+ Access = gen_mod:get_module_opt(LServer, ?MODULE, access_get, all),
d803d5e7	158	+ case ejabberd_auth:is_user_exists(LUser, LServer) andalso
d803d5e7	159	+ (acl:match_rule(FromLServer, Access, From) == allow) of
52421ab2	160	+ true ->
	161	+ process_vcard_ldap_get(LUser, LServer, IQ, State);
	162	+ _ ->
	163	+ IQ#iq{type = result, sub_el = []}
	164	+ end.
	165	+
	166	+process_vcard_ldap_get(LUser, LServer, IQ, State) ->
	167	+ VCardMap = State#state.vcard_map,
	168	+ case find_ldap_user(LUser, State) of
	169	+ #eldap_entry{attributes = Attributes} ->
	170	+ Vcard = ldap_attributes_to_vcard(Attributes, VCardMap, {LUser, LServer}),
	171	+ IQ#iq{type = result, sub_el = Vcard};
	172	+ _ ->
	173	+ IQ#iq{type = result, sub_el = []}
	174	+ end.
	175	+
	176	handle_call(get_state, _From, State) ->
	177	{reply, {ok, State}, State};
	178	handle_call(stop, _From, State) ->
f2da2f0c AM	179	--
	180	1.7.10.4
	181