access_from - anonymous registration bug?

Using the following ACL and mod_register rules I can:

a) Register a new user when logged in as the admin user - GOOD
b) Registration denied when I'm logged in as a non-admin user - GOOD
c) Register a new user when connected _without_ authentication - BAD!!!!!!!!

Can someone shed light on the fact that access_from is reliable with its ACL until an anonymous user attempts the registration? Shouldn't it be disabled? Am I missing something in the ACL, like {deny, s2s} ?

{access, restrict_others, [{allow, admin}, {deny, all}]}.


{modules,
 [
  {mod_register, [{access_from, restrict_others} ] }
 ]}.

The option access_from was only designed to restrict JIDs of authenticated users.

But I think removing two lines allows far more configurations:

--- a/src/mod_register.erl
+++ b/src/mod_register.erl
@@ -414,8 +414,6 @@ send_registration_notifications(UJID, Source) ->
            ok
     end.
 
-check_from(#jid{user = "", server = ""}, _Server) ->
-    allow;
 check_from(JID, Server) ->
     Access = gen_mod:get_module_opt(Server, ?MODULE, access_from, none),
     acl:match_rule(Server, Access, JID).
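
Review bot: With the `#jid{user = "", server = ""}` clause gone, the empty JID reaches the remaining `check_from(JID, Server)` clause, where `access_from` still defaults to `none`, so the patch needs to say what a host that never sets `access_from` now gets for unauthenticated registration. If `acl:match_rule/3` denies for `none`, in-band registration by new users stops working by default; consider changing the default to a rule that allows, or documenting that `access_from` must be set explicitly after this change. The option's documentation should also state that it now applies to unauthenticated requests.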

With that patch now I can configure what you want:

%% Only admins can register accounts, not even unauthenticated users (requires patch)
{access, register_from, [{allow, admin}, {deny, all}]}.

%% Only authenticated users can register (requires patch)
%%{acl, unauthenticated, {user, "", ""}}.
%%{access, register_from, [{deny, unauthenticated}, {allow, all}]}.
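
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not ejabberd's code: a simplified Python model of `check_from/2` and access-rule evaluation, before and after the two-line removal. The JIDs, the `auth_only` rule name, and the evaluation semantics (first matching entry wins, `none` denies, `all` allows) are assumptions of the model.

```python
# Simplified model of ejabberd access-rule evaluation. Assumptions: the first
# matching {Action, ACL} entry wins, rule `none` denies, rule `all` allows.
ANON = ("", "")  # empty JID seen by mod_register before authentication

# Constructed sample data mirroring the configurations in the thread.
ACLS = {
    "admin": {("admin", "example.org")},   # hypothetical admin JID
    "unauthenticated": {ANON},             # {acl, unauthenticated, {user, "", ""}}
}
RULES = {
    "restrict_others": [("allow", "admin"), ("deny", "all")],
    "auth_only": [("deny", "unauthenticated"), ("allow", "all")],  # hypothetical name
}

def match_rule(rule, jid):
    """Return 'allow' or 'deny' for jid under the named access rule."""
    if rule == "none":
        return "deny"
    if rule == "all":
        return "allow"
    for action, acl in RULES.get(rule, []):
        if acl == "all" or jid in ACLS.get(acl, set()):
            return action
    return "deny"  # no entry matched

def check_from(jid, access_from="none", patched=False):
    """Model of check_from/2; patched=True drops the empty-JID clause."""
    if not patched and jid == ANON:
        return "allow"  # original first clause: the ACL is never consulted
    return match_rule(access_from, jid)

def decisions(access_from, patched):
    """Decision for an admin, a normal user and an unauthenticated client."""
    jids = {"admin": ("admin", "example.org"),
            "user": ("alice", "example.org"),   # hypothetical non-admin
            "anonymous": ANON}
    return {who: check_from(j, access_from, patched) for who, j in jids.items()}

if __name__ == "__main__":
    for rule in ("restrict_others", "auth_only", "none"):
        for patched in (False, True):
            label = "patched" if patched else "original"
            print(f"{rule:16} {label:9} {decisions(rule, patched)}")
```

The `none` rows show the side effect to check before deploying the patch: when `access_from` is left unset, the patched model denies every registration, including ordinary unauthenticated sign-up.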

Thank you so much! We will definitely apply this... I wonder if this should become a trunk modification for future users of access_from ?

Gordon wrote:

Thank you so much! We will definitely apply this... I wonder if this should become a trunk modification for future users of access_from ?

Once you try it and comment here that it works perfectly, I'll request the change for inclusion in trunk.

Gordon? Have you tested this yet? I need this feature too.
