Delegate authorization from groups.$DOMAIN to $DOMAIN

This allows us to set the avatar of circles both from the app and from the web portal (with snikket-web-portal#150). However, this also makes all admins owners in all circles. This may be problematic, or may not be. The upside is that it also automatically allows managing the avatar through the apps. The downside is that it exposes a bunch of dangerous controls (banning, kicking) which desyncs the group membership from MUC membership. We might want a reconciliation loop for that, or figure out something else which overrides outcast-ness or forbids banning or stuff like that, *or* which alternatively reflects that change in the circle UI.
snikket-im · Mar 29, 2023 · 70bf19d · 70bf19d
1 parent 9899515
commit 70bf19d
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
@@ -257,6 +257,9 @@ Component ("groups."..DOMAIN) "muc"
 	restrict_room_creation = "local"
 	muc_local_only = { "general@groups."..DOMAIN }
 
+	authorization = "delegate"
+	authz_delegate_to = DOMAIN
+
 	-- Default configuration for rooms (typically overwritten by the client)
 	muc_room_default_allow_member_invites = true
 	muc_room_default_persistent = true

diff --git a/ansible/snikket.yml b/ansible/snikket.yml
@@ -9,7 +9,7 @@
       package: "prosody-trunk"
       snapshot: "2023-03-29"
     prosody_modules:
-      revision: "5178c13deb78"
+      revision: "dddac5a3f447"
   tasks:
     - import_tasks: tasks/prosody.yml
     - import_tasks: tasks/supervisor.yml

diff --git a/ansible/tasks/prosody.yml b/ansible/tasks/prosody.yml
@@ -118,6 +118,7 @@
     - mod_measure_lua
     - mod_measure_malloc
     - mod_http_xep227
+    - mod_authz_delegate
 
 - name: Enable wanted modules (snikket-modules)
   file: