authorantirez <antirez@gmail.com>2019-01-29 10:12:22 +0100
committerantirez <antirez@gmail.com>2019-01-29 10:12:22 +0100
commit4380423d40afa9c12e8018b7d5da4fe0f5ce5c3e (patch)
treec400c20515d5c559e680f279ee93dc5808993258
parentacd168a70b647098c4976283963e46cd1e8af158 (diff)
ACL: enforce ACLs in Lua scripts as well.
-rw-r--r--src/scripting.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/scripting.c b/src/scripting.c
index f6df38400..cbbf43fb1 100644
--- a/src/scripting.c
+++ b/src/scripting.c
@@ -460,6 +460,7 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
/* Setup our fake client for command execution */
c->argv = argv;
c->argc = argc;
+ c->user = server.lua_caller->user;
/* Log the command if debugging is active. */
if (ldb.active && ldb.step) {
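Review bot: The assignment `c->user = server.lua_caller->user;` dereferences `server.lua_caller` without a check and copies a pointer the fake client does not own, and neither assumption is written down. A comment would make the contract explicit, for example `/* Borrow the caller's ACL identity for this call only; reset in cleanup. */`. It is also worth confirming what ACLCheckCommandPerm() does when the caller's `user` is NULL, because that function is not visible here and its answer decides whether such callers run unrestricted or are rejected. The body of luaRedisGenericCommand starts and ends outside the hunk.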
@@ -497,6 +498,19 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
goto cleanup;
}
+ /* Check the ACLs. */
+ int acl_retval = ACLCheckCommandPerm(c);
+ if (acl_retval != ACL_OK) {
+ if (acl_retval == ACL_DENIED_CMD)
+ luaPushError(lua, "The user executing the script can't run this "
+ "command or subcommand");
+ else
+ luaPushError(lua, "The user executing the script can't access "
+ "at least one of the keys mentioned in the "
+ "command arguments");
+ goto cleanup;
+ }
+
/* Write commands are forbidden against read-only slaves, or if a
* command marked as non-deterministic was already called in the context
* of this script. */
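Review bot: The `else` branch reports a key-access denial for every return value other than ACL_OK and ACL_DENIED_CMD, so any other denial code from ACLCheckCommandPerm(), now or later, would reach the script author with the wrong reason. Testing the key-denial code explicitly and keeping a generic fallback such as `else luaPushError(lua, "The user executing the script is not allowed to run this command");` keeps the message accurate. Because the check runs on each call, commands the script issued before the denied one have already taken effect; a sentence saying so in the `/* Check the ACLs. */` comment would spare readers from assuming all-or-nothing enforcement. The function body starts and ends outside the hunk.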
@@ -655,6 +669,8 @@ cleanup:
argv_size = 0;
}
+ c->user = NULL;
+
if (raise_error) {
/* If we are here we should have an error in the stack, in the
* form of a table with an "err" field. Extract the string to
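Review bot: `c->user = NULL;` is reached only through the `cleanup` label, so the fake client keeps the caller's user pointer on any path that leaves the function without jumping there. Whether such a return exists after the assignment is not visible in this diff and should be checked. A comment explaining the reset would help, for example `/* Drop the borrowed user so the fake client never carries a stale identity into the next call. */`. The cleanup section begins before the hunk and continues after it.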