Allow only particular user moderator rights on Secure Domain

We have a custom Jitsi installation where everybody needs to be authenticated to create / join a meeting. This results in everyone having moderator rights. Is there any way to restrict this to only the user that created the meeting?

Thanks.

Are you loading the allowners module?

No. I believe everyone is a moderator because they have all been authenticated.

With Secure domain enabled, it looks like Jicofo uses a different ChatRoomRoleManager which grants moderator role to all authenticated users. With my very minimal experience with Jicofo, I don’t see any config option to easily work around that :frowning:

Shouldn’t be too hard to change that code to get close to what you want, but maintaining custom changes should be a last resort since it will make future upgrades a huge hassle.

Perhaps someone more knowledgeable can offer a more concrete solution. Good luck with this challenge.

Good point!

Yes, I was hoping there will be some sort of work around using perhaps jicofo config (to override its default behaviour) and maybe custom prosody modules that can assign moderator rights to specific users.

Thanks for your reply.

You can disable jicofo setting owners for participants. Not sure whether that will work with secure domain, though.

If it works, then you can move the role management into Prosody and add your custom logic in a custom module.

Tried setting enable-auto-owner = false. This does not work for secure domain.

Is there an event I can listen to in prosody and override moderator permission set by jicofo there?

Thanks.

Thanks will try this.

This Works !!!

Created a custom prosody module that listens to the events you mentioned. I get the room and occupant information from the stanza and call our API to determine if the occupant is the meeting creator, and if he is not I disable granting owner permission.

Thanks @damencho, @shawn and @saghul for your time.

3 Likes

Awesome! That might make a good candidate for: GitHub - jitsi-contrib/prosody-plugins: Prosody plugins for Jitsi if you feel like sending a PR.

1 Like

Hi, I have the same problem as you (Destroy the room after the last moderator leaves (prosody custom module) - Developers - Jitsi Community Forum - developers & users). Can you help me?

```lua
-- Register the handler; these calls must run after filter_admin_set_query is defined
module:hook("iq-set/bare/http://jabber.org/protocol/muc#admin:query", filter_admin_set_query, 5);
module:hook("iq-set/host/http://jabber.org/protocol/muc#admin:query", filter_admin_set_query, 5);
```

And in the function that handles these events I do something as follows. Note the code needs to be cleaned up and could be written better.

```lua
local jid = require "util.jid";
local st = require "util.stanza";
local util = module:require "util"; -- Jitsi's util.lib.lua from its prosody-plugins directory
local get_room_from_jid = util.get_room_from_jid;
local http_get_with_retry = util.http_get_with_retry;
local log = module._log;
-- myapi_url (base URL of the creator-check API) is defined elsewhere in the module; not shown in the post

function filter_admin_set_query(event)
    local origin, stanza = event.origin, event.stanza;
    log("info", tostring(stanza));

    -- If not focus user, do not process. This allows for the moderator to grant moderator rights to any other user
    if not string.find(stanza.attr.from, "focus") then
        return nil;
    end

    local room_jid = jid.bare(stanza.attr.to);
    local room = get_room_from_jid(room_jid);

    -- First <item/> inside the <query/> element
    local item = stanza.tags[1].tags[1];

    if not item then return nil; end
    if not item.attr then return nil; end
    if not item.attr.affiliation then return nil; end
    if not item.attr.jid then return nil; end

    local aff = item.attr.affiliation;
    local occjid = item.attr.jid;
    local occbarejid = jid.bare(occjid);
    log("info", "room_jid: "..room_jid.."; occupant jid : "..occjid.."; occupant bare jid : "..occbarejid);
    local occ_jid = jid.node(occjid);
    local room_node = jid.node(room_jid);

    -- call api and determine if user is creator of meeting
    local url = myapi_url..room_node.."/"..occ_jid;
    log("info", "Moderator check if creator - Posting to "..url);
    local isCreator = http_get_with_retry(url, nil);
    if isCreator then
        log("info", "isCreator = "..isCreator);
    end
    if (isCreator == "true") then
        log("info", "Creator allow moderator role.");
    else
        -- Any other response, including a failed request (nil), rejects the grant
        log("info", "Is NOT creator. DISALLOW moderator role");
        origin.send(st.error_reply(stanza, "auth", "forbidden"));
        return true;
    end
end
```

1 Like

A curiosity, have you created your own lua module or have you modified mod_muc_allowners.lua?

Because I tried to modify mod_muc_allowners.lua which I then clearly added among the enabled modules (conference, muc) on the prosody conf file. But I noticed that it conflicts with the Lobby module …

Oh…sorry I did not mention that. I created a new custom prosody module.
I do not have mod_muc_allowners enabled.

OK thank you.
I will try to develop it as soon as I have time. I will update you.
Marco

I added this module to the folder /usr/share/jitsi-meet/prosody-modules. Enabled it in the “conference.FQDN muc” sector, then restarted all services. Did not work.
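
For reference, an added configuration sketch (not posted by anyone in this thread) of the pieces Prosody needs before a custom module like the one above is loaded under the MUC component. The module name `muc_creator_moderator` is hypothetical, `FQDN` is a placeholder, and the first plugin directory is the default location of the Jitsi Debian package.

```lua
-- Prosody host config for the Jitsi deployment (added example, placeholders throughout)

-- Prosody only searches these directories for mod_<name>.lua files.
-- Keep Jitsi's own plugin directory (it holds util.lib.lua, which the
-- module loads via module:require "util") and add the directory the
-- custom module was copied to.
plugin_paths = {
    "/usr/share/jitsi-meet/prosody-plugins/";
    "/usr/share/jitsi-meet/prosody-modules/";
}

Component "conference.FQDN" "muc"
    modules_enabled = {
        -- ... modules already listed here stay unchanged ...
        -- "muc_allowners";       -- left disabled, as in the thread
        "muc_creator_moderator";  -- hypothetical name; the file must be mod_muc_creator_moderator.lua
    }
```

After restarting Prosody, the `log("info", ...)` lines in the handler show up in the Prosody log whenever the hook fires, provided the log level includes `info`.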