SecurityModule — Access Control

File: src/mxuserbot/modules/sudo.py
Class: SecurityModule
Tags: settings

Description

Access control module. Lets you grant SUDO rights to other users, open access to specific modules or commands, and grant temporary access to commands for a set duration.

Access Levels

  • OWNER — bot owner (full access to everything)
  • SUDO — trusted users (access to commands with SUDO level)
  • EVERYONE — all users (public commands like .help)
  • mod_perms — granular access to modules/commands
  • tsec — temporary time-based access to commands

Commands

.sudo add/rm/list @user:server

Access: OWNER

Manage the SUDO user list.

.sudo add @friend:matrix.org
# → 👤 User @friend:matrix.org is now SUDO.

.sudo list
# → 👤 SUDO users:
#    • @friend:matrix.org

.sudo rm @friend:matrix.org
# → 👤 User @friend:matrix.org is no longer SUDO.

Auto-extract MXID: If you reply to a user's message, the bot automatically extracts the MXID from formatted_body (parses href). This lets you add users to SUDO without manually typing their MXID.

MXID validation: The MXID is checked against the regex ^@.+:.+$ (a leading @, then non-empty text on both sides of a colon).

.modaccess add/rm @user:server <name>

Access: OWNER

Grant granular access to a specific module (by class name) or command (by name).

.modaccess add @user:server PingPongModule   # entire PingPong module
.modaccess add @user:server ping              # only the .ping command
.modaccess rm @user:server ping               # revoke access

The bot checks that the specified module or command exists before applying the change.

.tsec @user:server <command> <minutes>

Access: OWNER

Grants temporary access to a command for the specified number of minutes. When the time expires, the bot automatically sends a notification to the chat where access was granted.

.tsec @guest:server ping 5
# → ⏱ @guest:server now has 5 min. for command ping

After expiration:

⏰ | guest, your time is up. you can no longer use the ping command

Data Structures

mod_perms

{
    "@user:server": ["PingPongModule", "ping", ...]
}
Stored in DB: core.mod_perms

tsec_users

[
    {
        "target": "@user:server",
        "command": "ping",
        "expires": 1234567890.0,
        "room_id": "!room:server"
    }
]
Stored in DB: core.tsec_users

Details

  • Access checking happens in core/security.py via check_access()
  • tsec lifetime is checked on every command invocation
  • Expired tsec entries are automatically removed from the list
  • All changes are immediately saved to the DB
  • Works together with core/security.py and core/callback.py
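
The following added example (not the project's own check_access() code) shows one way the access levels, mod_perms and tsec_users records described above can be combined into one decision, with expired tsec entries pruned before any grant is evaluated. The function names, the state layout, the evaluation order, and the rule that a mod_perms or tsec grant applies regardless of the command's level are assumptions; the sample data is constructed.

```python
import time

def prune_expired(tsec_users, now):
    """Split tsec entries into (live, expired); an entry at its deadline counts as expired."""
    live = [e for e in tsec_users if e["expires"] > now]
    expired = [e for e in tsec_users if e["expires"] <= now]
    return live, expired

def is_allowed(state, sender, command, module, level, now=None):
    """Hypothetical decision function; returns (allowed, expired_entries).

    level is the command's required level: "OWNER", "SUDO" or "EVERYONE".
    expired_entries carry room_id so the caller can post the expiry notice.
    """
    now = time.time() if now is None else now
    # Prune first, so a stale grant can never authorise anything.
    state["tsec_users"], expired = prune_expired(state["tsec_users"], now)

    if sender == state["owner"] or level == "EVERYONE":
        return True, expired
    if level == "SUDO" and sender in state["sudo"]:
        return True, expired
    # Granular grant: matches the module class name or the command name.
    grants = state["mod_perms"].get(sender, [])
    if module in grants or command in grants:
        return True, expired
    # Temporary grant: exact user and command, not yet expired.
    ok = any(e["target"] == sender and e["command"] == command
             for e in state["tsec_users"])
    return ok, expired  # no match anywhere: deny

def sample_state():
    """Constructed sample data in the shape of core.mod_perms / core.tsec_users."""
    return {
        "owner": "@owner:example.org",  # assumption: a single owner MXID
        "sudo": ["@friend:matrix.org"],
        "mod_perms": {"@user:server": ["PingPongModule"]},
        "tsec_users": [{"target": "@guest:server", "command": "ping",
                        "expires": 1000.0, "room_id": "!room:server"}],
    }

if __name__ == "__main__":
    st = sample_state()
    print(is_allowed(st, "@guest:server", "ping", "PingPongModule", "SUDO", now=999.0))
    print(is_allowed(st, "@guest:server", "ping", "PingPongModule", "SUDO", now=1000.0))
```

Because pruning runs before the grant checks and the final return denies when nothing matches, a user whose only grant has expired is refused on the same invocation that removes the entry.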