John Livingston f0088671ea
New features: announcements WIP (#518):
* prevent annoucement spoofing on backend.
2024-09-12 11:44:35 +02:00

45 lines
1.6 KiB
Lua

-- mod_muc_peertubelivechat_announcements
--
-- SPDX-FileCopyrightText: 2024 John Livingston <https://www.john-livingston.fr/>
-- SPDX-License-Identifier: AGPL-3.0-only
--
-- This file is AGPL-v3 licensed.
-- Please see the Peertube livechat plugin copyright information.
-- https://livingston.frama.io/peertube-plugin-livechat/credits/
--
local st = require "util.stanza";
local jid_bare = require "util.jid".bare;
-- security check: only MUC owner/admin can add the x-livechat-announcement-type attribute on the body.
function handle_groupchat(event)
local origin, stanza = event.origin, event.stanza;
local room = event.room;
local body = stanza:get_child("body")
if not body or not body.attr then
return;
end
if not body.attr["x-livechat-announcement-type"] then
return;
end
local from = stanza.attr.from;
local from_affiliation = room:get_affiliation(from);
if (from_affiliation == "owner" or from_affiliation == "admin") then
return;
end
module:log("info", "Someone tried to spoof x-livechat-announcement-type, bouncing the message.");
local reply = st.error_reply(
stanza,
-- error_type = 'modify' (see descriptions in RFC 6120 https://xmpp.org/rfcs/rfc6120.html#stanzas-error-syntax)
"modify",
-- error_condition = 'policy-violation' (see RFC 6120 Defined Error Conditions https://xmpp.org/rfcs/rfc6120.html#stanzas-error-conditions)
"policy-violation",
"Only owner and admin can send announcements."
);
origin.send(reply);
return true; -- stoping propagation
end
module:hook("muc-occupant-groupchat", handle_groupchat, 500);