From 70bf19d33b05335a70d83218e93132ed49446700 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Wed, 29 Mar 2023 17:48:26 +0200
Subject: [PATCH] Delegate authorization from groups.$DOMAIN to $DOMAIN

This allows us to set the avatar of circles both from the app and from the web portal (with snikket-web-portal#150). However, this also makes all admins owners in all circles. This may be problematic, or may not be. The upside is that it also automatically allows managing the avatar through the apps. The downside is that it exposes a bunch of dangerous controls (banning, kicking) which desyncs the group membership from MUC membership. We might want a reconciliation loop for that, or figure out something else which overrides outcast-ness or forbids banning or stuff like that, *or* which alternatively reflects that change in the circle UI.
---
 ansible/files/prosody.cfg.lua | 3 +++
 ansible/snikket.yml | 2 +-
 ansible/tasks/prosody.yml | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
index b1cd724..2af5a71 100644
--- a/ansible/files/prosody.cfg.lua
+++ b/ansible/files/prosody.cfg.lua
@@ -257,6 +257,9 @@ Component ("groups."..DOMAIN) "muc"
 restrict_room_creation = "local"
 muc_local_only = { "general@groups."..DOMAIN }
 
+ authorization = "delegate"
+ authz_delegate_to = DOMAIN
+
 -- Default configuration for rooms (typically overwritten by the client)
 muc_room_default_allow_member_invites = true
 muc_room_default_persistent = true
diff --git a/ansible/snikket.yml b/ansible/snikket.yml
index cd1cfb6..d525e0d 100644
--- a/ansible/snikket.yml
+++ b/ansible/snikket.yml
@@ -9,7 +9,7 @@
 package: "prosody-trunk"
 snapshot: "2023-03-29"
 prosody_modules:
- revision: "5178c13deb78"
+ revision: "dddac5a3f447"
 tasks:
 - import_tasks: tasks/prosody.yml
 - import_tasks: tasks/supervisor.yml
diff --git a/ansible/tasks/prosody.yml b/ansible/tasks/prosody.yml
index b21b80b..2a0cf60 100644
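Review bot: The two settings added under `Component ("groups."..DOMAIN)` in prosody.cfg.lua change who holds privileged roles in every room on that component, yet the file itself carries no comment saying so; an operator auditing room permissions later will only find the reason in the commit history. I would put a comment directly above `authorization = "delegate"`, for example `-- Roles on this component are resolved on DOMAIN (mod_authz_delegate), so DOMAIN admins act as owners of every circle room.` The setting also depends on `mod_authz_delegate` being available, which the tasks/prosody.yml hunk and the prosody_modules revision bump appear to supply; the module list edited there starts outside that hunk, so it is worth confirming it is the list that actually gets installed. The Component block itself starts and ends outside the hunk.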
--- a/ansible/tasks/prosody.yml
+++ b/ansible/tasks/prosody.yml
@@ -118,6 +118,7 @@
 - mod_measure_lua
 - mod_measure_malloc
 - mod_http_xep227
+ - mod_authz_delegate
 
 - name: Enable wanted modules (snikket-modules)
 file: