search

errbotio / errbot

Errbot is a chatbot, a daemon that connects to your favorite chat service and bring your tools and some fun into the conversation.
http://errbot.io
GNU General Public License v3.0
3.12k stars 614 forks source link

Include command arguments as part of the ACL. #1509

Closed nzlosh closed 3 years ago

nzlosh commented 3 years ago

Access control lists are based on command but can't discriminate based on arguments supplied to a command. This patch adds denyargs and allowargs lists that are evaluated by globbing, in the same way usernames and rooms are evaluated.

To provide an example of how argument ACLs work, here is a configuration that limits the echo command to ACL_BOT_USER in the #test_channel supplying the arguments hello or hi*:

ACL_BOT_USER = ["Uxxxxxxxx"]
ACL_EVERYONE = ["*"]
ACCESS_CONTROLS = {
    'echo':{
        'allowargs': ["hello", "hi*"],
        'allowrooms': ['#test_channel'],
        'allowusers': ACL_BOT_USER
    },
}

This results in the following behaviour:

Carlos  18:35
!echo hello

myerrbot APP  18:35
hello

Carlos  18:36
!echo hi everyone

myerrbot APP  18:36
hi everyone

Carlos  18:36
!echo goodbye

myerrbot APP  18:36
You're not allowed to access this command using the provided arguments

The configuration has been implemented to be non disruptive for existing bot configurations. Security rules will be applied as before until a bot administrator explicitly adds the needed configuration for argument parsing.

sijis commented 3 years ago

@nzlosh This is a great feature! I added some additional commits.

Thank you.

nzlosh commented 3 years ago

Thanks, for subsequent PRs I'll include tests and docs.