ircd:Ⓜ️:resource: Add method flag for operator access requirement.

2023-03-02 19:23:34 -08:00 · 2023-03-02 19:23:34 -08:00 · 605245953a
parent 371c50cfcc
commit 605245953a
2 changed files with 18 additions and 1 deletions
--- a/include/ircd/m/resource.h
+++ b/include/ircd/m/resource.h
@ -66,6 +66,9 @@ enum ircd::m::resource::method::flag
 	/// Method will verify X-Matrix-authorization. This is used on the
 	/// federation API.
 	VERIFY_ORIGIN = 0x0002'0000,
+
+	/// Method requires operator access. This is used on the client-server API.
+	REQUIRES_OPER = 0x0004'0000,
 };

 struct ircd::m::resource::request
--- a/matrix/resource.cc
+++ b/matrix/resource.cc
@ -342,10 +342,16 @@ ircd::m::authenticate_user(const resource::method &method,
                           const client &client,
                           resource::request &request)
 {
+	static const auto auth_requires
+	{0
+		| resource::method::REQUIRES_AUTH
+		| resource::method::REQUIRES_OPER
+	};
+
 	assert(method.opts);
 	const auto requires_auth
 	{
-		method.opts->flags & resource::method::REQUIRES_AUTH
+		method.opts->flags & auth_requires
 	};

 	if(!requires_auth && !request.access_token)
@ -397,6 +403,14 @@ ircd::m::authenticate_user(const resource::method &method,
 			"Credentials for this method are required but invalid."
 		};

+	// Operator access required for method.
+	if(method.opts->flags & resource::method::REQUIRES_OPER)
+		if(!is_oper(m::user::id(sender)))
+			throw m::ACCESS_DENIED
+			{
+				"You are not an operator."
+			};
+
 	return sender;
 }