Allow testing user pattern directly in access rules

diff --git a/src/acl.erl b/src/acl.erl
index 58b80b6ade61eda8319c748b5914bdeb396bc53e..06202c67e1af17f908c945f15706cf63648c64be 100644 (file)
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -31,7 +31,7 @@
 
 -export([start/0, to_record/3, add/3, add_list/3,
         add_local/3, add_list_local/3, load_from_config/0,
-        match_rule/3, match_acl/3, transform_options/1,
+        match_rule/3, match_access/4, match_acl/3, transform_options/1,
         opt_type/1]).
 
 -export([add_access/3, clear/0]).
@@ -255,6 +255,19 @@ normalize_spec(Spec) ->
             end
     end.
 
+-spec match_access(global | binary(), access_name(),
+                   jid() | ljid() | inet:ip_address(),
+                   atom()) -> any().
+
+match_access(_Host, all, _JID, _Default) ->
+    allow;
+match_access(_Host, none, _JID, _Default) ->
+    deny;
+match_access(_Host, {user, UserPattern}, JID, Default) ->
+    match_user_spec({user, UserPattern}, JID, Default);
+match_access(Host, AccessRule, JID, _Default) ->
+    match_rule(Host, AccessRule, JID).
+
 -spec match_rule(global | binary(), access_name(),
                  jid() | ljid() | inet:ip_address()) -> any().
 
@@ -357,6 +370,16 @@ match_acl(ACL, JID, Host) ->
 get_aclspecs(ACL, Host) ->
       ets:lookup(acl, {ACL, Host}) ++ ets:lookup(acl, {ACL, global}).
 
+
+match_user_spec(Spec, JID, Default) ->
+    case do_match_user_spec(Spec, jid:tolower(JID)) of
+        true -> Default;
+        false -> deny
+    end.
+
+do_match_user_spec({user, {U, S}}, {User, Server, _Resource}) ->
+    U == User andalso S == Server.
+
 is_regexp_match(String, RegExp) ->
     case ejabberd_regexp:run(String, RegExp) of
       nomatch -> false;

diff --git a/test/acl_test.exs b/test/acl_test.exs
index 1b1035bc668a18fdb43aaa1c8f1123799608ff8a..db6584308f5851e22378e11c67f78f62d984dab9 100644 (file)
--- a/test/acl_test.exs
+++ b/test/acl_test.exs
@@ -100,4 +100,29 @@ defmodule ACLTest do
     assert :acl.match_rule(:global, :mixed_rule_2, {127,0,0,1}) == :allow
   end
 
+  test "acl:match_access can match directly on user pattern" do
+    pattern = {:user, {"test1", "domain1"}}
+    assert :acl.match_access(:global, pattern, :jid.from_string("test1@domain1"), :allow) == :allow
+    assert :acl.match_access(:global, pattern, :jid.from_string("test2@domain1"), :allow) == :deny
+  end
+
+  ## Checking ACL on both user pattern and IP
+  ## ========================================
+
+  # Typical example is mod_register
+
+  # Deprecated approach
+  test "module can test both IP and user through two independent :acl.match_rule check (deprecated)" do
+    :acl.add(:global, :user_acl, {:user, {"test1", "domain1"}})
+    :acl.add(:global, :ip_acl, {:ip, "127.0.0.0/24"})
+    :acl.add_access(:global, :user_rule, [{:user_acl, :allow}])
+    :acl.add_access(:global, :ip_rule, [{:ip_acl, :allow}])
+
+    # acl module in 16.03 is not able to provide a function for compound result:
+    assert :acl.match_rule(:global, :user_rule, :jid.from_string("test1@domain1")) == :allow
+    assert :acl.match_rule(:global, :ip_rule, {127,0,0,1}) == :allow
+    assert :acl.match_rule(:global, :user_rule, :jid.from_string("test2@domain1")) == :deny
+    assert :acl.match_rule(:global, :ip_rule, {127,0,1,1}) == :deny
+  end
+
 end