[ejabberd] ejabberd_xmlrpc and permissions

Badlop badlop at gmail.com
Mon Mar 2 21:56:00 MSK 2009


2009/3/1 Pablo Platt <pablo.platt at yahoo.com>:
> When using ejabberd_xmlrpc module is there a way to restrict the commands
> that can be used?
> For example, I want to let someone create an account but not to be able to
> shut down the ejabberd server.

I've recently committed that feature to ejabberd_xmlrpc SVN.

For example, to allow robot at localhost to register and unregister
accounts in the server "jabber.example.org":

{acl, xmlrpcbot, {user, "robot", "localhost"}}.
{access, xmlrpcaccess, [{allow, xmlrpcbot}]}.
{listen, [
  {{4560, "127.0.0.1"}, ejabberd_xmlrpc, [
    {access_commands, [
      {xmlrpcaccess, [register, unregister], [{host, "localhost"}]}
    ]}
  ]},
  ...
 ]}.


This XML-RPC call succeeds:
xmlrpc:call({127, 0, 0, 1}, 4560, "/", {call, register, [
 {struct, [{user, "robot"}, {server, "localhost"}, {password, "aaa"}]},
 {struct, [{user, "testuserasdasd"}, {host, "localhost"}, {password, "bbbb"}]}
]}).

The result is:
{ok,{response,[{struct,[{res,0},
                        {text,"User testuserasdasd at localhost succesfully registered"}]}]}}

But other XML-RPC calls would fail. For example, if:
* It tries to register an account in another vhost
* It tries to execute another command, like stop, restart...
* The password of the account robot at localhost is not correct
* An account other than robot is used to authenticate in the XML-RPC server

Some of those error messages are:
{ok,{response,{fault,-102,
                     "Error -102\nAccount credentials not valid (account doesn't exist or invalid password)"}}}

{ok,{response,{fault,-103,
                     "Error -103\nAccount does not have access privilege"}}}



> In addition, is it reasonable to use the trunk version of ejabberd in
> production?

In general: no. But the current ejabberd trunk SVN runs quite well for me.


---
Badlop,
ProcessOne
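
Added example, not part of the original message and not ejabberd's own code: a simplified Python model of the check that the access_commands entry above describes, covering the four failure cases listed in the message. The account store, the second account "alice", the function names, and the mapping of each failure case to fault -102 or -103 are assumptions made for illustration.

```python
import hmac

# Constructed account store; passwords are sample values ("aaa" as in the post).
ACCOUNTS = {("robot", "localhost"): "aaa", ("alice", "localhost"): "ccc"}

# Mirrors the posted config: acl xmlrpcbot, access rule xmlrpcaccess,
# and a single access_commands entry.
ACL = {"xmlrpcbot": {("robot", "localhost")}}
ACCESS = {"xmlrpcaccess": ["xmlrpcbot"]}  # ACL names the rule allows
ACCESS_COMMANDS = [
    ("xmlrpcaccess", ["register", "unregister"], {"host": "localhost"}),
]


class Fault(Exception):
    """Stand-in for the XML-RPC fault responses quoted in the message."""
    def __init__(self, code, text):
        super().__init__(text)
        self.code = code


def authenticate(auth):
    """Check the first struct of the call (user, server, password)."""
    key = (auth.get("user"), auth.get("server"))
    stored = ACCOUNTS.get(key)
    supplied = str(auth.get("password", ""))
    if stored is None or not hmac.compare_digest(stored.encode(), supplied.encode()):
        raise Fault(-102, "Account credentials not valid")
    return key


def authorize(auth, command, args):
    """Allow only if one entry matches the account, command and arguments."""
    jid = authenticate(auth)
    for rule, commands, restrictions in ACCESS_COMMANDS:
        in_acl = any(jid in ACL[name] for name in ACCESS[rule])
        args_ok = all(args.get(k) == v for k, v in restrictions.items())
        if in_acl and command in commands and args_ok:
            return True
    raise Fault(-103, "Account does not have access privilege")


def fault_code(auth, command, args):
    """Return 0 when the call would be allowed, else the fault code."""
    try:
        authorize(auth, command, args)
        return 0
    except Fault as fault:
        return fault.code
```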

