Extend ACL conditions with match = "any_hosted_domain" #3504
The 'any_hosted_domain' option could be used e.g. to prevent users from external servers from accessing services like external components.
Codecov Report
@@ Coverage Diff @@
## acl-spec-map #3504 +/- ##
================================================
- Coverage 80.94% 80.94% -0.01%
================================================
Files 418 418
Lines 32318 32320 +2
================================================
Hits 26160 26160
- Misses 6158 6160 +2
👍🏽
@@ -131,6 +131,8 @@ match_step(none, _Domain, _JID) -> | |||
-spec check(acl_spec_key(), binary(), jid:lserver(), jid:jid()) -> boolean(). | |||
check(match, all, _, _) -> true; | |||
check(match, none, _, _) -> false; | |||
check(match, any_hosted_domain, _, JID) -> | |||
mongoose_domain_api:get_host_type(JID#jid.lserver) =/= {error, not_found}; |
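Review bot: The new `any_hosted_domain` clause tests `=/= {error, not_found}`, so any value returned by `mongoose_domain_api:get_host_type/1` other than that exact tuple counts as a hosted domain and the ACL match succeeds. For an access-control predicate it is safer to match the success shape positively and return `false` for everything else, so an unexpected error return fails closed. The clause also ignores the domain argument and looks only at `JID#jid.lserver`; a short comment stating that this is intended would help. The Codecov report on this PR shows +2 lines and +2 misses, which suggests the new clause has no test; one case for a hosted server and one for an external server would cover it.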
This has just made me realise how used I got to the C habit of putting the static value to the left of the comparison, just so that if you accidentally mistype the comparison as an assignment, the compiler would already complain 😳
ok
This condition makes it possible to allow access for all locally hosted domains and deny access for all external domains.
This was possible before #3501, but undocumented and very implicit, e.g. it was used when checking if a user could send data to an external component, but only if user(regexp) was set in the pattern.
Now it is back, but this time it is fully controllable by the user in a predictable way.