Merge pull request #1249 from weiss:push-requirements

Merge branch 'push-requirements' of https://github.com/weiss/ejabberd into weiss-push-requirements
Allow to create room with custom config
2016-09-13 14:31:39 +02:00 · 2016-09-13 14:29:14 +02:00 · 2016-09-13 11:52:59 +02:00 · 2016-09-13 11:27:59 +02:00 · 2016-09-12 15:40:38 +02:00 · 2016-09-12 15:40:38 +02:00
200 changed files with 9692 additions and 3573 deletions
@@ -184,7 +184,8 @@ install: all copy-files
 		-e "s*{{sysconfdir}}*@sysconfdir@*" \
 		-e "s*{{localstatedir}}*@localstatedir@*" \
 		-e "s*{{docdir}}*@docdir@*" \
-		-e "s*{{erl}}*@ERL@*" ejabberdctl.template \
+		-e "s*{{erl}}*@ERL@*" \
+		-e "s*{{epmd}}*@EPMD@*" ejabberdctl.template \
 		> ejabberdctl.example
 	[ -f $(ETCDIR)/ejabberdctl.cfg ] \
 		&& $(INSTALL) -b -m 640 $(G_USER) ejabberdctl.cfg.example $(ETCDIR)/ejabberdctl.cfg-new \
@@ -4,7 +4,7 @@ use Mix.Config
 config :ejabberd,
  file: "config/ejabberd.yml",
  log_path: 'log/ejabberd.log'
- 
+
 # Customize Mnesia directory:
 config :mnesia,
  dir: 'mnesiadb/'
@@ -0,0 +1,169 @@
+defmodule Ejabberd.ConfigFile do
+  use Ejabberd.Config
+
+  def start do
+    [loglevel: 4,
+     log_rotate_size: 10485760,
+     log_rotate_date: "",
+     log_rotate_count: 1,
+     log_rate_limit: 100,
+     auth_method: :internal,
+     max_fsm_queue: 1000,
+     language: "en",
+     allow_contrib_modules: true,
+     hosts: ["localhost"],
+     shaper: shaper,
+     acl: acl,
+     access: access]
+  end
+
+  defp shaper do
+    [normal: 1000,
+      fast: 50000,
+      max_fsm_queue: 1000]
+  end
+
+  defp acl do
+    [local:
+      [user_regexp: "", loopback: [ip: "127.0.0.0/8"]]]
+  end
+
+  defp access do
+    [max_user_sessions: [all: 10],
+     max_user_offline_messages: [admin: 5000, all: 100],
+     local: [local: :allow],
+     c2s: [blocked: :deny, all: :allow],
+     c2s_shaper: [admin: :none, all: :normal],
+     s2s_shaper: [all: :fast],
+     announce: [admin: :allow],
+     configure: [admin: :allow],
+     muc_admin: [admin: :allow],
+     muc_create: [local: :allow],
+     muc: [all: :allow],
+     pubsub_createnode: [local: :allow],
+     register: [all: :allow],
+     trusted_network: [loopback: :allow]]
+  end
+
+  listen :ejabberd_c2s do
+    @opts [
+      port: 5222,
+      max_stanza_size: 65536,
+      shaper: :c2s_shaper,
+      access: :c2s]
+  end
+
+  listen :ejabberd_s2s_in do
+    @opts [port: 5269]
+  end
+
+  listen :ejabberd_http do
+    @opts [
+      port: 5280,
+      web_admin: true,
+      http_poll: true,
+      http_bind: true,
+      captcha: true]
+  end
+
+  module :mod_adhoc do
+  end
+
+  module :mod_announce do
+    @opts [access: :announce]
+  end
+
+  module :mod_blocking do
+  end
+
+  module :mod_caps do
+  end
+
+  module :mod_carboncopy do
+  end
+
+  module :mod_client_state do
+    @opts [
+      drop_chat_states: true,
+      queue_presence: false]
+  end
+
+  module :mod_configure do
+  end
+
+  module :mod_disco do
+  end
+
+  module :mod_irc do
+  end
+
+  module :mod_http_bind do
+  end
+
+  module :mod_last do
+  end
+
+  module :mod_muc do
+    @opts [
+      access: :muc,
+      access_create: :muc_create,
+      access_persistent: :muc_create,
+      access_admin: :muc_admin]
+  end
+
+  module :mod_offline do
+    @opts [access_max_user_messages: :max_user_offline_messages]
+  end
+
+  module :mod_ping do
+  end
+
+  module :mod_privacy do
+  end
+
+  module :mod_private do
+  end
+
+  module :mod_pubsub do
+    @opts [
+      access_createnode: :pubsub_createnode,
+      ignore_pep_from_offline: true,
+      last_item_cache: true,
+      plugins: ["flat", "hometree", "pep"]]
+  end
+
+  module :mod_register do
+    @opts [welcome_message: [
+      subject: "Welcome!",
+      body: "Hi.\nWelcome to this XMPP Server",
+      ip_access: :trusted_network,
+      access: :register]]
+  end
+
+  module :mod_roster do
+  end
+
+  module :mod_shared_roster do
+  end
+
+  module :mod_stats do
+  end
+
+  module :mod_time do
+  end
+
+  module :mod_version do
+  end
+
+  # Example of how to define a hook, called when the event
+  # specified is triggered.
+  #
+  # @event: Name of the event
+  # @opts: Params are optional. Available: :host and :priority.
+  #        If missing, defaults are used. (host: :global | priority: 50)
+  # @callback Could be an anonymous function or a callback from a module,
+  #           use the &ModuleName.function/arity format for that.
+  hook :register_user, [host: "localhost"], fn(user, server) ->
+    info("User registered: #{user} on #{server}")
+  end
+end
@@ -0,0 +1,667 @@
+###
+###               ejabberd configuration file
+###
+###
+
+### The parameters used in this configuration file are explained in more detail
+### in the ejabberd Installation and Operation Guide.
+### Please consult the Guide in case of doubts, it is included with
+### your copy of ejabberd, and is also available online at
+### http://www.process-one.net/en/ejabberd/docs/
+
+### The configuration file is written in YAML.
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+### However, ejabberd treats different literals as different types:
+###
+### - unquoted or single-quoted strings. They are called "atoms".
+###   Example: dog, 'Jupiter', '3.14159', YELLOW
+###
+### - numeric literals. Example: 3, -45.0, .0
+###
+### - quoted or folded strings.
+###   Examples of quoted string: "Lizzard", "orange".
+###   Example of folded string:
+###   > Art thou not Romeo,
+###     and a Montague?
+
+###   =======
+###   LOGGING
+
+##
+## loglevel: Verbosity of log files generated by ejabberd.
+## 0: No ejabberd log at all (not recommended)
+## 1: Critical
+## 2: Error
+## 3: Warning
+## 4: Info
+## 5: Debug
+##
+loglevel: 4
+
+##
+## rotation: Describe how to rotate logs. Either size and/or date can trigger
+## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
+## does not disable rotation, it instead rotates the file and keeps no previous
+## versions around. Setting size to X rotate log when it reaches X bytes.
+## To disable rotation set the size to 0 and the date to ""
+## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
+## Some examples:
+##  $D0     rotate every night at midnight
+##  $D23    rotate every day at 23:00 hr
+##  $W0D23  rotate every week on Sunday at 23:00 hr
+##  $W5D16  rotate every week on Friday at 16:00 hr
+##  $M1D0   rotate on the first day of every month at midnight
+##  $M5D6   rotate on every 5th day of the month at 6:00 hr
+##
+log_rotate_size: 10485760
+log_rotate_date: ""
+log_rotate_count: 1
+
+##
+## overload protection: If you want to limit the number of messages per second
+## allowed from error_logger, which is a good idea if you want to avoid a flood
+## of messages when system is overloaded, you can set a limit.
+## 100 is ejabberd's default.
+log_rate_limit: 100
+
+##
+## watchdog_admins: Only useful for developers: if an ejabberd process
+## consumes a lot of memory, send live notifications to these XMPP
+## accounts.
+##
+## watchdog_admins:
+##   - "bob@example.com"
+
+
+###   ================
+###   SERVED HOSTNAMES
+
+##
+## hosts: Domains served by ejabberd.
+## You can define one or several, for example:
+## hosts:
+##   - "example.net"
+##   - "example.com"
+##   - "example.org"
+##
+hosts:
+  - "localhost"
+
+##
+## route_subdomains: Delegate subdomains to other XMPP servers.
+## For example, if this ejabberd serves example.org and you want
+## to allow communication with an XMPP server called im.example.org.
+##
+## route_subdomains: s2s
+
+###   ===============
+###   LISTENING PORTS
+
+##
+## listen: The ports ejabberd will listen on, which service each is handled
+## by and what options to start it with.
+##
+listen:
+  -
+    port: 5222
+    module: ejabberd_c2s
+    ##
+    ## If TLS is compiled in and you installed a SSL
+    ## certificate, specify the full path to the
+    ## file and uncomment these lines:
+    ##
+    ## certfile: "/path/to/ssl.pem"
+    ## starttls: true
+    ##
+    ## To enforce TLS encryption for client connections,
+    ## use this instead of the "starttls" option:
+    ##
+    ## starttls_required: true
+    ##
+    ## Custom OpenSSL options
+    ##
+    ## protocol_options:
+    ##   - "no_sslv3"
+    ##   - "no_tlsv1"
+    max_stanza_size: 65536
+    shaper: c2s_shaper
+    access: c2s
+  -
+    port: 5269
+    module: ejabberd_s2s_in
+  ##
+  ## ejabberd_service: Interact with external components (transports, ...)
+  ##
+  ## -
+  ##   port: 8888
+  ##   module: ejabberd_service
+  ##   access: all
+  ##   shaper_rule: fast
+  ##   ip: "127.0.0.1"
+  ##   hosts:
+  ##     "icq.example.org":
+  ##       password: "secret"
+  ##     "sms.example.org":
+  ##       password: "secret"
+
+  ##
+  ## ejabberd_stun: Handles STUN Binding requests
+  ##
+  ## -
+  ##   port: 3478
+  ##   transport: udp
+  ##   module: ejabberd_stun
+
+  ##
+  ## To handle XML-RPC requests that provide admin credentials:
+  ##
+  ## -
+  ##   port: 4560
+  ##   module: ejabberd_xmlrpc
+  -
+    port: 5280
+    module: ejabberd_http
+    ## request_handlers:
+    ##   "/pub/archive": mod_http_fileserver
+    web_admin: true
+    http_poll: true
+    http_bind: true
+    ## register: true
+    captcha: true
+
+##
+## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
+## Allowed values are: false optional required required_trusted
+## You must specify a certificate file.
+##
+## s2s_use_starttls: optional
+
+##
+## s2s_certfile: Specify a certificate file.
+##
+## s2s_certfile: "/path/to/ssl.pem"
+
+## Custom OpenSSL options
+##
+## s2s_protocol_options:
+##   - "no_sslv3"
+##   - "no_tlsv1"
+
+##
+## domain_certfile: Specify a different certificate for each served hostname.
+##
+## host_config:
+##   "example.org":
+##     domain_certfile: "/path/to/example_org.pem"
+##   "example.com":
+##     domain_certfile: "/path/to/example_com.pem"
+
+##
+## S2S whitelist or blacklist
+##
+## Default s2s policy for undefined hosts.
+##
+## s2s_access: s2s
+
+##
+## Outgoing S2S options
+##
+## Preferred address families (which to try first) and connect timeout
+## in milliseconds.
+##
+## outgoing_s2s_families:
+##   - ipv4
+##   - ipv6
+## outgoing_s2s_timeout: 10000
+
+###   ==============
+###   AUTHENTICATION
+
+##
+## auth_method: Method used to authenticate the users.
+## The default method is the internal.
+## If you want to use a different method,
+## comment this line and enable the correct ones.
+##
+auth_method: internal
+
+##
+## Store the plain passwords or hashed for SCRAM:
+## auth_password_format: plain
+## auth_password_format: scram
+##
+## Define the FQDN if ejabberd doesn't detect it:
+## fqdn: "server3.example.com"
+
+##
+## Authentication using external script
+## Make sure the script is executable by ejabberd.
+##
+## auth_method: external
+## extauth_program: "/path/to/authentication/script"
+
+##
+## Authentication using ODBC
+## Remember to setup a database in the next section.
+##
+## auth_method: odbc
+
+##
+## Authentication using PAM
+##
+## auth_method: pam
+## pam_service: "pamservicename"
+
+##
+## Authentication using LDAP
+##
+## auth_method: ldap
+##
+## List of LDAP servers:
+## ldap_servers:
+##   - "localhost"
+##
+## Encryption of connection to LDAP servers:
+## ldap_encrypt: none
+## ldap_encrypt: tls
+##
+## Port to connect to on LDAP servers:
+## ldap_port: 389
+## ldap_port: 636
+##
+## LDAP manager:
+## ldap_rootdn: "dc=example,dc=com"
+##
+## Password of LDAP manager:
+## ldap_password: "******"
+##
+## Search base of LDAP directory:
+## ldap_base: "dc=example,dc=com"
+##
+## LDAP attribute that holds user ID:
+## ldap_uids:
+##   - "mail": "%u@mail.example.org"
+##
+## LDAP filter:
+## ldap_filter: "(objectClass=shadowAccount)"
+
+##
+## Anonymous login support:
+##   auth_method: anonymous
+##   anonymous_protocol: sasl_anon | login_anon | both
+##   allow_multiple_connections: true | false
+##
+## host_config:
+##   "public.example.org":
+##     auth_method: anonymous
+##     allow_multiple_connections: false
+##     anonymous_protocol: sasl_anon
+##
+## To use both anonymous and internal authentication:
+##
+## host_config:
+##   "public.example.org":
+##     auth_method:
+##       - internal
+##       - anonymous
+
+###   ==============
+###   DATABASE SETUP
+
+## ejabberd by default uses the internal Mnesia database,
+## so you do not necessarily need this section.
+## This section provides configuration examples in case
+## you want to use other database backends.
+## Please consult the ejabberd Guide for details on database creation.
+
+##
+## MySQL server:
+##
+## odbc_type: mysql
+## odbc_server: "server"
+## odbc_database: "database"
+## odbc_username: "username"
+## odbc_password: "password"
+##
+## If you want to specify the port:
+## odbc_port: 1234
+
+##
+## PostgreSQL server:
+##
+## odbc_type: pgsql
+## odbc_server: "server"
+## odbc_database: "database"
+## odbc_username: "username"
+## odbc_password: "password"
+##
+## If you want to specify the port:
+## odbc_port: 1234
+##
+## If you use PostgreSQL, have a large database, and need a
+## faster but inexact replacement for "select count(*) from users"
+##
+## pgsql_users_number_estimate: true
+
+##
+## ODBC compatible or MSSQL server:
+##
+## odbc_type: odbc
+## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
+
+##
+## Number of connections to open to the database for each virtual host
+##
+## odbc_pool_size: 10
+
+##
+## Interval to make a dummy SQL request to keep the connections to the
+## database alive. Specify in seconds: for example 28800 means 8 hours
+##
+## odbc_keepalive_interval: undefined
+
+###   ===============
+###   TRAFFIC SHAPERS
+
+shaper:
+  ##
+  ## The "normal" shaper limits traffic speed to 1000 B/s
+  ##
+  normal: 1000
+
+  ##
+  ## The "fast" shaper limits traffic speed to 50000 B/s
+  ##
+  fast: 50000
+
+##
+## This option specifies the maximum number of elements in the queue
+## of the FSM. Refer to the documentation for details.
+##
+max_fsm_queue: 1000
+
+###.   ====================
+###'   ACCESS CONTROL LISTS
+acl:
+  ##
+  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
+  ## You can put here as many accounts as you want.
+  ##
+  ## admin:
+  ##   user:
+  ##     - "aleksey": "localhost"
+  ##     - "ermine": "example.org"
+  ##
+  ## Blocked users
+  ##
+  ## blocked:
+  ##   user:
+  ##     - "baduser": "example.org"
+  ##     - "test"
+
+  ## Local users: don't modify this.
+  ##
+  local:
+    user_regexp: ""
+
+  ##
+  ## More examples of ACLs
+  ##
+  ## jabberorg:
+  ##   server:
+  ##     - "jabber.org"
+  ## aleksey:
+  ##   user:
+  ##     - "aleksey": "jabber.ru"
+  ## test:
+  ##   user_regexp: "^test"
+  ##   user_glob: "test*"
+
+  ##
+  ## Loopback network
+  ##
+  loopback:
+    ip:
+      - "127.0.0.0/8"
+
+  ##
+  ## Bad XMPP servers
+  ##
+  ## bad_servers:
+  ##   server:
+  ##     - "xmpp.zombie.org"
+  ##     - "xmpp.spam.com"
+
+##
+## Define specific ACLs in a virtual host.
+##
+## host_config:
+##   "localhost":
+##     acl:
+##       admin:
+##         user:
+##           - "bob-local": "localhost"
+
+###   ============
+###   ACCESS RULES
+access:
+  ## Maximum number of simultaneous sessions allowed for a single user:
+  max_user_sessions:
+    all: 10
+  ## Maximum number of offline messages that users can have:
+  max_user_offline_messages:
+    admin: 5000
+    all: 100
+  ## This rule allows access only for local users:
+  local:
+    local: allow
+  ## Only non-blocked users can use c2s connections:
+  c2s:
+    blocked: deny
+    all: allow
+  ## For C2S connections, all users except admins use the "normal" shaper
+  c2s_shaper:
+    admin: none
+    all: normal
+  ## All S2S connections use the "fast" shaper
+  s2s_shaper:
+    all: fast
+  ## Only admins can send announcement messages:
+  announce:
+    admin: allow
+  ## Only admins can use the configuration interface:
+  configure:
+    admin: allow
+  ## Admins of this server are also admins of the MUC service:
+  muc_admin:
+    admin: allow
+  ## Only accounts of the local ejabberd server can create rooms:
+  muc_create:
+    local: allow
+  ## All users are allowed to use the MUC service:
+  muc:
+    all: allow
+  ## Only accounts on the local ejabberd server can create Pubsub nodes:
+  pubsub_createnode:
+    local: allow
+  ## In-band registration allows registration of any possible username.
+  ## To disable in-band registration, replace 'allow' with 'deny'.
+  register:
+    all: allow
+  ## Only allow to register from localhost
+  trusted_network:
+    loopback: allow
+  ## Do not establish S2S connections with bad servers
+  ## s2s:
+  ##   bad_servers: deny
+  ##   all: allow
+
+## By default the frequency of account registrations from the same IP
+## is limited to 1 account every 10 minutes. To disable, specify: infinity
+## registration_timeout: 600
+
+##
+## Define specific Access Rules in a virtual host.
+##
+## host_config:
+##   "localhost":
+##     access:
+##       c2s:
+##         admin: allow
+##         all: deny
+##       register:
+##         all: deny
+
+###   ================
+###   DEFAULT LANGUAGE
+
+##
+## language: Default language used for server messages.
+##
+language: "en"
+
+##
+## Set a different default language in a virtual host.
+##
+## host_config:
+##   "localhost":
+##     language: "ru"
+
+###   =======
+###   CAPTCHA
+
+##
+## Full path to a script that generates the image.
+##
+## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"
+
+##
+## Host for the URL and port where ejabberd listens for CAPTCHA requests.
+##
+## captcha_host: "example.org:5280"
+
+##
+## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
+##
+## captcha_limit: 5
+
+###   =======
+###   MODULES
+
+##
+## Modules enabled in all ejabberd virtual hosts.
+##
+modules:
+  mod_adhoc: {}
+  ## mod_admin_extra: {}
+  mod_announce: # recommends mod_adhoc
+    access: announce
+  mod_blocking: {} # requires mod_privacy
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state:
+    drop_chat_states: true
+    queue_presence: false
+  mod_configure: {} # requires mod_adhoc
+  mod_disco: {}
+  ## mod_echo: {}
+  mod_irc: {}
+  mod_http_bind: {}
+  ## mod_http_fileserver:
+  ##   docroot: "/var/www"
+  ##   accesslog: "/var/log/ejabberd/access.log"
+  mod_last: {}
+  mod_muc:
+    ## host: "conference.@HOST@"
+    access: muc
+    access_create: muc_create
+    access_persistent: muc_create
+    access_admin: muc_admin
+  ## mod_muc_log: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  ## mod_pres_counter:
+  ##   count: 5
+  ##   interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  ## mod_proxy65: {}
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    ## reduces resource comsumption, but XEP incompliant
+    ignore_pep_from_offline: true
+    ## XEP compliant, but increases resource comsumption
+    ## ignore_pep_from_offline: false
+    last_item_cache: false
+    plugins:
+      - "flat"
+      - "hometree"
+      - "pep" # pep requires mod_caps
+  mod_register:
+    ##
+    ## Protect In-Band account registrations with CAPTCHA.
+    ##
+    ## captcha_protected: true
+
+    ##
+    ## Set the minimum informational entropy for passwords.
+    ##
+    ## password_strength: 32
+
+    ##
+    ## After successful registration, the user receives
+    ## a message with this subject and body.
+    ##
+    welcome_message:
+      subject: "Welcome!"
+      body: |-
+        Hi.
+        Welcome to this XMPP server.
+
+    ##
+    ## When a user registers, send a notification to
+    ## these XMPP accounts.
+    ##
+    ## registration_watchers:
+    ##   - "admin1@example.org"
+
+    ##
+    ## Only clients in the server machine can register accounts
+    ##
+    ip_access: trusted_network
+
+    ##
+    ## Local c2s or remote s2s users cannot register accounts
+    ##
+    ## access_from: deny
+
+    access: register
+  mod_roster: {}
+  mod_shared_roster: {}
+  mod_stats: {}
+  mod_time: {}
+  mod_vcard: {}
+  mod_version: {}
+
+##
+## Enable modules with custom options in a specific virtual host
+##
+## host_config:
+##   "localhost":
+##     modules:
+##       mod_echo:
+##         host: "mirror.localhost"
+
+##
+## Enable modules management via ejabberdctl for installation and
+## uninstallation of public/private contributed modules
+## (enabled by default)
+##
+
+allow_contrib_modules: true
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
@@ -30,6 +30,7 @@ fi

 AC_PATH_TOOL(ERL, erl, , [${extra_erl_path}$PATH])
 AC_PATH_TOOL(ERLC, erlc, , [${extra_erl_path}$PATH])
+AC_PATH_TOOL(EPMD, epmd, , [${extra_erl_path}$PATH])

 AC_ERLANG_NEED_ERL
 AC_ERLANG_NEED_ERLC
@@ -242,9 +242,7 @@ print_usage() ->
 print_po_header(File) ->
    MsgProps = get_msg_header_props(File),
    {Language, [LastT | AddT]} = prepare_props(MsgProps),
-    application:load(ejabberd),
-    {ok, Version} = application:get_key(ejabberd, vsn),
-    print_po_header(Version, Language, LastT, AddT).
+    print_po_header(Language, LastT, AddT).

 get_msg_header_props(File) ->
    {ok, F} = file:open(File, [read]),
@@ -274,12 +272,11 @@ prepare_props(MsgProps) ->
    Authors = proplists:get_all_values("Author:", MsgProps),
    {Language, Authors}.

-print_po_header(Version, Language, LastTranslator, AdditionalTranslatorsList) ->
+print_po_header(Language, LastTranslator, AdditionalTranslatorsList) ->
    AdditionalTranslatorsString = build_additional_translators(AdditionalTranslatorsList),
    HeaderString =
 	"msgid \"\"\n"
 	"msgstr \"\"\n"
-	"\"Project-Id-Version: " ++ Version ++ "\\n\"\n"
 	++ "\"X-Language: " ++ Language ++ "\\n\"\n"
 	"\"Last-Translator: " ++ LastTranslator ++ "\\n\"\n"
 	++ AdditionalTranslatorsString ++
@@ -157,7 +157,7 @@ extract_lang_srcmsg2po ()
 	echo $MSGS_PATH

 	cd $SRC_DIR
-	$ERL -pa $EXTRACT_DIR -pa $EBIN_DIR -pa $EJA_SRC_DIR -pa /lib/ejabberd/include -noinput -noshell -s extract_translations -s init stop -extra -srcmsg2po . $MSGS_PATH >$PO_PATH.1
+	$ERL -pa $EXTRACT_DIR -pa $EBIN_DIR -pa $EJA_SRC_DIR -pa ../include -noinput -noshell -s extract_translations -s init stop -extra -srcmsg2po . $MSGS_PATH >$PO_PATH.1
 	sed -e 's/ \[\]$/ \"\"/g;' $PO_PATH.1 > $PO_PATH.2
 	msguniq --sort-by-file $PO_PATH.2 --output-file=$PO_PATH
 	
@@ -176,7 +176,7 @@ extract_lang_src2pot ()
 	echo "" >>$MSGS_PATH

 	cd $SRC_DIR
-	$ERL -pa $EXTRACT_DIR -pa $EBIN_DIR -pa $EJA_SRC_DIR -pa /lib/ejabberd/include -noinput -noshell -s extract_translations -s init stop -extra -srcmsg2po . $MSGS_PATH >$POT_PATH.1
+	$ERL -pa $EXTRACT_DIR -pa $EBIN_DIR -pa $EJA_SRC_DIR -pa ../include -noinput -noshell -s extract_translations -s init stop -extra -srcmsg2po . $MSGS_PATH >$POT_PATH.1
 	sed -e 's/ \[\]$/ \"\"/g;' $POT_PATH.1 > $POT_PATH.2

 	#msguniq --sort-by-file $POT_PATH.2 $EJA_MSGS_DIR --output-file=$POT_PATH
@@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 Type=oneshot
 RemainAfterExit=yes
+# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target
@@ -147,6 +147,15 @@ listen:
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
+  ##   privilege_access: 
+  ##      roster: "both"
+  ##      message: "outgoing"
+  ##      presence: "roster"
+  ##   delegations:
+  ##      "urn:xmpp:mam:1":
+  ##        filtering: ["node"]
+  ##      "http://jabber.org/protocol/pubsub":
+  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
@@ -408,14 +417,14 @@ acl:
  ##
  ## admin:
  ##   user:
-  ##     - "aleksey": "localhost"
-  ##     - "ermine": "example.org"
+  ##     - "aleksey@localhost"
+  ##     - "ermine@example.org"
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
-  ##     - "baduser": "example.org"
+  ##     - "baduser@example.org"
  ##     - "test"

  ## Local users: don't modify this.
@@ -431,7 +440,7 @@ acl:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
-  ##     - "aleksey": "jabber.ru"
+  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"
@@ -459,61 +468,61 @@ acl:
 ##     acl:
 ##       admin:
 ##         user:
-##           - "bob-local": "localhost"
+##           - "bob-local@localhost"
+
+###.  ============
+###'  SHAPER RULES
+
+shaper_rules:
+  ## Maximum number of simultaneous sessions allowed for a single user:
+  max_user_sessions: 10
+  ## Maximum number of offline messages that users can have:
+  max_user_offline_messages:
+    - 5000: admin
+    - 100
+  ## For C2S connections, all users except admins use the "normal" shaper
+  c2s_shaper:
+    - none: admin
+    - normal
+  ## All S2S connections use the "fast" shaper
+  s2s_shaper: fast

 ###.  ============
 ###'  ACCESS RULES
-access:
-  ## Maximum number of simultaneous sessions allowed for a single user:
-  max_user_sessions: 
-    all: 10
-  ## Maximum number of offline messages that users can have:
-  max_user_offline_messages: 
-    admin: 5000
-    all: 100
+access_rules:
  ## This rule allows access only for local users:
-  local: 
-    local: allow
+  local:
+    - allow: local
  ## Only non-blocked users can use c2s connections:
-  c2s: 
-    blocked: deny
-    all: allow
-  ## For C2S connections, all users except admins use the "normal" shaper
-  c2s_shaper: 
-    admin: none
-    all: normal
-  ## All S2S connections use the "fast" shaper
-  s2s_shaper: 
-    all: fast
+  c2s:
+    - deny: blocked
+    - allow
  ## Only admins can send announcement messages:
-  announce: 
-    admin: allow
+  announce:
+    - allow: admin
  ## Only admins can use the configuration interface:
  configure: 
-    admin: allow
-  ## Admins of this server are also admins of the MUC service:
-  muc_admin: 
-    admin: allow
+    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create: 
-    local: allow
-  ## All users are allowed to use the MUC service:
-  muc: 
-    all: allow
+    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode: 
-    local: allow
+    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register: 
-    all: allow
+    - allow
  ## Only allow to register from localhost
  trusted_network: 
-    loopback: allow
+    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## s2s: 
-  ##   bad_servers: deny
-  ##   all: allow
+  ##   - deny:
+  ##     - ip: "XXX.XXX.XXX.XXX/32"
+  ##   - deny:
+  ##     - ip: "XXX.XXX.XXX.XXX/32"
+  ##   - allow

 ## By default the frequency of account registrations from the same IP
 ## is limited to 1 account every 10 minutes. To disable, specify: infinity
@@ -526,10 +535,10 @@ access:
 ##   "localhost":
 ##     access:
 ##       c2s:
-##         admin: allow
-##         all: deny
+##         - allow: admin
+##         - deny
 ##       register:
-##         all: deny
+##         - deny

 ###.  ================
 ###'  DEFAULT LANGUAGE
@@ -580,6 +589,7 @@ modules:
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
+  ##mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  mod_irc: {}
@@ -590,10 +600,12 @@ modules:
  mod_last: {}
  mod_muc: 
    ## host: "conference.@HOST@"
-    access: muc
+    access:
+      - allow
+    access_admin:
+      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
-    access_admin: muc_admin
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline: 
@@ -13,7 +13,7 @@ ERLANG_NODE=ejabberd@localhost
 SCRIPT_DIR=`cd ${0%/*} && pwd`
 ERL={{erl}}
 IEX={{bindir}}/iex
-EPMD={{bindir}}/epmd
+EPMD={{epmd}}
 INSTALLUSER={{installuser}}
 ERL_LIBS={{libdir}}

@@ -212,7 +212,7 @@ iexdebug()
         --erl `shell_escape \"$ERLANG_OPTS\"` \
         --erl `shell_escape \"${ARGS[@]}\"` \
         --erl `shell_escape_str \"$@\"`"
-    $EXEC_CMD "ERL_PATH=$\"$ERL\" $CMD"
+    $EXEC_CMD "ERL_PATH=\"$ERL\" $CMD"
 }

 # start interactive server
@@ -441,6 +441,6 @@ case "${ARGS[0]}" in
    'ping'*) ping ${ARGS[1]};;
    'etop') etop;;
    'started') wait_for_status 0 30 2;; # wait 30x2s before timeout
-    'stopped') wait_for_status 3 15 2 && stop_epmd;; # wait 15x2s before timeout
+    'stopped') wait_for_status 3 30 2 && stop_epmd;; # wait 30x2s before timeout
    *) ctl "${ARGS[@]}";;
 esac
@@ -26,6 +26,25 @@
                 {tuple, [rterm()]} | {list, rterm()} |
                 rescode | restuple.

+-type oauth_scope() :: atom().
+
+%% ejabberd_commands OAuth ReST ACL definition:
+%% Two fields exist that are used to control access on a command from ReST API:
+%% 1. Policy
+%% If policy is:
+%%  - restricted: command is not exposed as OAuth Rest API.
+%%  - admin: Command is allowed for user that have Admin Rest command enabled by access rule: commands_admin_access
+%%  - user: Command might be called by any server user.
+%%  - open: Command can be called by anyone.
+%%
+%% Policy is just used to control who can call the command. A specific additional access rules can be performed, as
+%% defined by access option.
+%% Access option can be a list of:
+%% - {Module, accessName, DefaultValue}: Reference and existing module access to limit who can use the command.
+%% - AccessRule name: direct name of the access rule to check in config file.
+%% TODO: Access option could be atom command (not a list). In the case, User performing the command, will be added as first parameter
+%% to command, so that the command can perform additional check.
+
 -record(ejabberd_commands,
 	{name                    :: atom(),
         tags = []               :: [atom()] | '_' | '$2',
@@ -36,19 +55,25 @@
         function                :: atom() | '_',
         args = []               :: [aterm()] | '_' | '$1' | '$2',
         policy = restricted     :: open | restricted | admin | user,
+        %% access is: [accessRuleName] or [{Module, AccessOption, DefaultAccessRuleName}]
+         access = []             :: [{atom(),atom(),atom()}|atom()],
         result = {res, rescode} :: rterm() | '_' | '$2',
         args_desc = none        :: none | [string()] | '_',
         result_desc = none      :: none | string() | '_',
         args_example = none     :: none | [any()] | '_',
         result_example = none   :: any()}).

+%% TODO Fix me: Type is not up to date
 -type ejabberd_commands() :: #ejabberd_commands{name :: atom(),
                                                tags :: [atom()],
                                                desc :: string(),
                                                longdesc :: string(),
+                                                version :: integer(),
                                                module :: atom(),
                                                function :: atom(),
                                                args :: [aterm()],
+                                                policy :: open | restricted | admin | user,
+                                                access :: [{atom(),atom(),atom()}|atom()],
                                                result :: rterm()}.

 %% @type ejabberd_commands() = #ejabberd_commands{
@@ -0,0 +1,26 @@
+%%%----------------------------------------------------------------------
+%%%
+%%% ejabberd, Copyright (C) 2002-2016   ProcessOne
+%%%
+%%% This program is free software; you can redistribute it and/or
+%%% modify it under the terms of the GNU General Public License as
+%%% published by the Free Software Foundation; either version 2 of the
+%%% License, or (at your option) any later version.
+%%%
+%%% This program is distributed in the hope that it will be useful,
+%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
+%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%%% General Public License for more details.
+%%%
+%%% You should have received a copy of the GNU General Public License along
+%%% with this program; if not, write to the Free Software Foundation, Inc.,
+%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+%%%
+%%%----------------------------------------------------------------------
+
+-record(oauth_token, {
+          token = <<"">>           :: binary() | '_',
+          us = {<<"">>, <<"">>}    :: {binary(), binary()} | '_',
+          scope = []               :: [binary()] | '_',
+          expire                   :: integer() | '$1'
+         }).
@@ -0,0 +1,20 @@
+-include("ejabberd.hrl").
+-include("logger.hrl").
+-include("jlib.hrl").
+
+-type filter_attr() :: {binary(), [binary()]}.
+
+-record(state,
+        {socket                    :: ejabberd_socket:socket_state(),
+         sockmod = ejabberd_socket :: ejabberd_socket | ejabberd_frontend_socket,
+         streamid = <<"">>         :: binary(),
+         host_opts = dict:new()    :: ?TDICT,
+         host = <<"">>             :: binary(),
+         access                    :: atom(),
+         check_from = true         :: boolean(),
+         server_hosts = ?MYHOSTS   :: [binary()],
+         privilege_access          :: [attr()],
+         delegations               :: [filter_attr()],
+         last_pres = dict:new()    :: ?TDICT}).
+
+-type(state() :: #state{} ).
@@ -1,12 +1,13 @@
 -ifndef(EJABBERD_SM_HRL).
 -define(EJABBERD_SM_HRL, true).

-record(session, {sid, usr, us, priority, info}).
+-record(session, {sid, usr, us, priority, info = []}).
 -record(session_counter, {vhost, count}).
 -type sid() :: {erlang:timestamp(), pid()}.
 -type ip() :: {inet:ip_address(), inet:port_number()} | undefined.
 -type info() :: [{conn, atom()} | {ip, ip()} | {node, atom()}
-                 | {oor, boolean()} | {auth_module, atom()}].
+                 | {oor, boolean()} | {auth_module, atom()}
+                 | {num_stanzas_in, non_neg_integer()}].
 -type prio() :: undefined | integer().

 -endif.
@@ -53,6 +53,7 @@
    members_by_default                   = true :: boolean(),
    members_only                         = false :: boolean(),
    allow_user_invites                   = false :: boolean(),
+    allow_subscription                   = false :: boolean(),
    password_protected                   = false :: boolean(),
    password                             = <<"">> :: binary(),
    anonymous                            = true :: boolean(),
@@ -76,9 +77,15 @@
    jid :: jid(),
    nick :: binary(),
    role :: role(),
+    %%is_subscriber = false :: boolean(),
+    %%subscriptions = [] :: [binary()],
    last_presence :: xmlel()
 }).

+-record(subscriber, {jid :: jid(),
+		     nick = <<>> :: binary(),
+		     nodes = [] :: [binary()]}).
+
 -record(activity,
 {
    message_time    = 0 :: integer(),
@@ -98,6 +105,8 @@
    jid                     = #jid{} :: jid(),
    config                  = #config{} :: config(),
    users                   = (?DICT):new() :: ?TDICT,
+    subscribers             = (?DICT):new() :: ?TDICT,
+    subscriber_nicks        = (?DICT):new() :: ?TDICT,
    last_voice_request_time = treap:empty() :: treap:treap(),
    robots                  = (?DICT):new() :: ?TDICT,
    nicks                   = (?DICT):new() :: ?TDICT,
@@ -164,3 +164,13 @@
 -define(NS_MIX_NODES_PARTICIPANTS, <<"urn:xmpp:mix:nodes:participants">>).
 -define(NS_MIX_NODES_SUBJECT, <<"urn:xmpp:mix:nodes:subject">>).
 -define(NS_MIX_NODES_CONFIG, <<"urn:xmpp:mix:nodes:config">>).
+-define(NS_PRIVILEGE, <<"urn:xmpp:privilege:1">>).
+-define(NS_DELEGATION, <<"urn:xmpp:delegation:1">>).
+-define(NS_MUCSUB, <<"urn:xmpp:mucsub:0">>).
+-define(NS_MUCSUB_NODES_PRESENCE, <<"urn:xmpp:mucsub:nodes:presence">>).
+-define(NS_MUCSUB_NODES_MESSAGES, <<"urn:xmpp:mucsub:nodes:messages">>).
+-define(NS_MUCSUB_NODES_PARTICIPANTS, <<"urn:xmpp:mucsub:nodes:participants">>).
+-define(NS_MUCSUB_NODES_AFFILIATIONS, <<"urn:xmpp:mucsub:nodes:affiliations">>).
+-define(NS_MUCSUB_NODES_SUBJECT, <<"urn:xmpp:mucsub:nodes:subject">>).
+-define(NS_MUCSUB_NODES_CONFIG, <<"urn:xmpp:mucsub:nodes:config">>).
+-define(NS_MUCSUB_NODES_SYSTEM, <<"urn:xmpp:mucsub:nodes:system">>).
@@ -93,7 +93,12 @@

 -type(subOptions() :: [mod_pubsub:subOption(),...]).

+-type(pubOption() ::
+    {Option::binary(),
+     Values::[binary()]
+}).

+-type(pubOptions() :: [mod_pubsub:pubOption()]).

 -type(affiliation() :: 'none'
                     | 'owner'
@@ -3,7 +3,7 @@ defmodule ExUnit.CTFormatter do

  use GenEvent

-  import ExUnit.Formatter, only: [format_time: 2, format_filters: 2, format_test_failure: 5,
+  import ExUnit.Formatter, only: [format_time: 2, format_test_failure: 5,
                                  format_test_case_failure: 5]

  def init(opts) do
@@ -0,0 +1,119 @@
+defmodule Ejabberd.Config.Attr do
+  @moduledoc """
+  Module used to work with the attributes parsed from
+  an elixir block (do...end).
+
+  Contains functions for extracting attrs from a block
+  and validation.
+  """
+
+  @type attr :: {atom(), any()}
+
+  @attr_supported [
+    active:
+      [type: :boolean, default: true],
+    git:
+      [type: :string, default: ""],
+    name:
+      [type: :string, default: ""],
+    opts:
+      [type: :list, default: []],
+    dependency:
+      [type: :list, default: []]
+  ]
+
+  @doc """
+  Takes a block with annotations and extracts the list
+  of attributes.
+  """
+  @spec extract_attrs_from_block_with_defaults(any()) :: [attr]
+  def extract_attrs_from_block_with_defaults(block) do
+    block
+    |> extract_attrs_from_block
+    |> put_into_list_if_not_already
+    |> insert_default_attrs_if_missing
+  end
+
+  @doc """
+  Takes an attribute or a list of attrs and validate them.
+
+  Returns a {:ok, attr} or {:error, attr, cause} for each of the attributes.
+  """
+  @spec validate([attr]) :: [{:ok, attr}] | [{:error, attr, atom()}]
+  def validate(attrs) when is_list(attrs), do: Enum.map(attrs, &valid_attr?/1)
+  def validate(attr), do: validate([attr]) |> List.first
+
+  @doc """
+  Returns the type of an attribute, given its name.
+  """
+  @spec get_type_for_attr(atom()) :: atom()
+  def get_type_for_attr(attr_name) do
+    @attr_supported
+    |> Keyword.get(attr_name)
+    |> Keyword.get(:type)
+  end
+
+  @doc """
+  Returns the default value for an attribute, given its name.
+  """
+  @spec get_default_for_attr(atom()) :: any()
+  def get_default_for_attr(attr_name) do
+    @attr_supported
+    |> Keyword.get(attr_name)
+    |> Keyword.get(:default)
+  end
+
+  # Private API
+
+  # Given an elixir block (do...end) returns a list with the annotations
+  # or a single annotation.
+  @spec extract_attrs_from_block(any()) :: [attr] | attr
+  defp extract_attrs_from_block({:__block__, [], attrs}), do: Enum.map(attrs, &extract_attrs_from_block/1)
+  defp extract_attrs_from_block({:@, _, [attrs]}), do: extract_attrs_from_block(attrs)
+  defp extract_attrs_from_block({attr_name, _, [value]}), do: {attr_name, value}
+  defp extract_attrs_from_block(nil), do: []
+
+  # In case extract_attrs_from_block returns a single attribute,
+  # then put it into a list. (Ensures attrs are always into a list).
+  @spec put_into_list_if_not_already([attr] | attr) :: [attr]
+  defp put_into_list_if_not_already(attrs) when is_list(attrs), do: attrs
+  defp put_into_list_if_not_already(attr), do: [attr]
+
+  # Given a list of attributes, it inserts the missing attribute with their
+  # default value.
+  @spec insert_default_attrs_if_missing([attr]) :: [attr]
+  defp insert_default_attrs_if_missing(attrs) do
+    Enum.reduce @attr_supported, attrs, fn({attr_name, _}, acc) ->
+      case Keyword.has_key?(acc, attr_name) do
+        true -> acc
+        false -> Keyword.put(acc, attr_name, get_default_for_attr(attr_name))
+      end
+    end
+  end
+
+  # Given an attribute, validates it and return a tuple with
+  # {:ok, attr} or {:error, attr, cause}
+  @spec valid_attr?(attr) :: {:ok, attr} | {:error, attr, atom()}
+  defp valid_attr?({attr_name, param} = attr) do
+    case Keyword.get(@attr_supported, attr_name) do
+      nil -> {:error, attr, :attr_not_supported}
+      [{:type, param_type} | _] -> case is_of_type?(param, param_type) do
+        true -> {:ok, attr}
+        false -> {:error, attr, :type_not_supported}
+      end
+    end
+  end
+
+  # Given an attribute value and a type, it returns a true
+  # if the value its of the type specified, false otherwise.
+
+  # Usefoul for checking if an attr value respects the type
+  # specified for the annotation.
+  @spec is_of_type?(any(), atom()) :: boolean()
+  defp is_of_type?(param, type) when type == :boolean and is_boolean(param), do: true
+  defp is_of_type?(param, type) when type == :string and is_bitstring(param), do: true
+  defp is_of_type?(param, type) when type == :list and is_list(param), do: true
+  defp is_of_type?(param, type) when type == :atom and is_atom(param), do: true
+  defp is_of_type?(_param, type) when type == :any, do: true
+  defp is_of_type?(_, _), do: false
+end
@@ -0,0 +1,145 @@
+defmodule Ejabberd.Config do
+  @moduledoc """
+  Base module for configuration file.
+
+  Imports macros for the config DSL and contains functions
+  for working/starting the configuration parsed.
+  """
+
+  alias Ejabberd.Config.EjabberdModule
+  alias Ejabberd.Config.Attr
+  alias Ejabberd.Config.EjabberdLogger
+
+  defmacro __using__(_opts) do
+    quote do
+      import Ejabberd.Config, only: :macros
+      import Ejabberd.Logger
+
+      @before_compile Ejabberd.Config
+    end
+  end
+
+  # Validate the modules parsed and log validation errors at compile time.
+  # Could be also possible to interrupt the compilation&execution by throwing
+  # an exception if necessary.
+  def __before_compile__(_env) do
+    get_modules_parsed_in_order
+    |> EjabberdModule.validate
+    |> EjabberdLogger.log_errors
+  end
+
+  @doc """
+  Given the path of the config file, it evaluates it.
+  """
+  def init(file_path, force \\ false) do
+    init_already_executed = Ejabberd.Config.Store.get(:module_name) != []
+
+    case force do
+      true ->
+        Ejabberd.Config.Store.stop
+        Ejabberd.Config.Store.start_link
+        do_init(file_path)
+      false ->
+        if not init_already_executed, do: do_init(file_path)
+    end
+  end
+
+  @doc """
+  Returns a list with all the opts, formatted for ejabberd.
+  """
+  def get_ejabberd_opts do
+    get_general_opts
+    |> Dict.put(:modules, get_modules_parsed_in_order())
+    |> Dict.put(:listeners, get_listeners_parsed_in_order())
+    |> Ejabberd.Config.OptsFormatter.format_opts_for_ejabberd
+  end
+
+  @doc """
+  Register the hooks defined inside the elixir config file.
+  """
+  def start_hooks do
+    get_hooks_parsed_in_order()
+    |> Enum.each(&Ejabberd.Config.EjabberdHook.start/1)
+  end
+
+  ###
+  ### MACROS
+  ###
+
+  defmacro listen(module, do: block) do
+    attrs = Attr.extract_attrs_from_block_with_defaults(block)
+
+    quote do
+      Ejabberd.Config.Store.put(:listeners, %EjabberdModule{
+        module: unquote(module),
+        attrs: unquote(attrs)
+      })
+    end
+  end
+
+  defmacro module(module, do: block) do
+    attrs = Attr.extract_attrs_from_block_with_defaults(block)
+
+    quote do
+      Ejabberd.Config.Store.put(:modules, %EjabberdModule{
+        module: unquote(module),
+        attrs: unquote(attrs)
+      })
+    end
+  end
+
+  defmacro hook(hook_name, opts, fun) do
+    quote do
+      Ejabberd.Config.Store.put(:hooks, %Ejabberd.Config.EjabberdHook{
+        hook: unquote(hook_name),
+        opts: unquote(opts),
+        fun: unquote(fun)
+      })
+    end
+  end
+
+  # Private API
+
+  defp do_init(file_path) do
+    # File evaluation
+    Code.eval_file(file_path) |> extract_and_store_module_name()
+
+    # Getting start/0 config
+    Ejabberd.Config.Store.get(:module_name)
+    |> case do
+      nil -> IO.puts "[ ERR ] Configuration module not found."
+      [module] -> call_start_func_and_store_data(module)
+    end
+
+    # Fetching git modules and install them
+    get_modules_parsed_in_order()
+    |> EjabberdModule.fetch_git_repos
+  end
+
+  # Returns the modules from the store
+  defp get_modules_parsed_in_order,
+    do: Ejabberd.Config.Store.get(:modules) |> Enum.reverse
+
+  # Returns the listeners from the store
+  defp get_listeners_parsed_in_order,
+    do: Ejabberd.Config.Store.get(:listeners) |> Enum.reverse
+
+  defp get_hooks_parsed_in_order,
+    do: Ejabberd.Config.Store.get(:hooks) |> Enum.reverse
+
+  # Returns the general config options
+  defp get_general_opts,
+    do: Ejabberd.Config.Store.get(:general) |> List.first
+
+  # Gets the general ejabberd options calling
+  # the start/0 function and stores them.
+  defp call_start_func_and_store_data(module) do
+    opts = apply(module, :start, [])
+    Ejabberd.Config.Store.put(:general, opts)
+  end
+
+  # Stores the configuration module name
+  defp extract_and_store_module_name({{:module, mod, _bytes, _}, _}) do
+    Ejabberd.Config.Store.put(:module_name, mod)
+  end
+end
@@ -0,0 +1,23 @@
+defmodule Ejabberd.Config.EjabberdHook do
+  @moduledoc """
+  Module containing functions for manipulating
+  ejabberd hooks.
+  """
+
+  defstruct hook: nil, opts: [], fun: nil
+
+  alias Ejabberd.Config.EjabberdHook
+
+  @type t :: %EjabberdHook{}
+
+  @doc """
+  Register a hook to ejabberd.
+  """
+  @spec start(EjabberdHook.t) :: none
+  def start(%EjabberdHook{hook: hook, opts: opts, fun: fun}) do
+    host = Keyword.get(opts, :host, :global)
+    priority = Keyword.get(opts, :priority, 50)
+
+    :ejabberd_hooks.add(hook, host, fun, priority)
+  end
+end
@@ -0,0 +1,70 @@
+defmodule Ejabberd.Config.EjabberdModule do
+  @moduledoc """
+  Module representing a module block in the configuration file.
+  It offers functions for validation and for starting the modules.
+
+  Warning: The name is EjabberdModule to not collide with
+  the already existing Elixir.Module.
+  """
+
+  @type t :: %{module: atom, attrs: [Attr.t]}
+
+  defstruct [:module, :attrs]
+
+  alias Ejabberd.Config.EjabberdModule
+  alias Ejabberd.Config.Attr
+  alias Ejabberd.Config.Validation
+
+  @doc """
+  Given a list of modules / single module
+  it runs different validators on them.
+
+  For each module, returns a {:ok, mod} or {:error, mod, errors}
+  """
+  def validate(modules) do
+    Validation.validate(modules)
+  end
+
+  @doc """
+  Given a list of modules, it takes only the ones with
+  a git attribute and tries to fetch the repo,
+  then, it install them through :ext_mod.install/1
+  """
+  @spec fetch_git_repos([EjabberdModule.t]) :: none()
+  def fetch_git_repos(modules) do
+    modules
+    |> Enum.filter(&is_git_module?/1)
+    |> Enum.each(&fetch_and_install_git_module/1)
+  end
+
+  # Private API
+
+  defp is_git_module?(%EjabberdModule{attrs: attrs}) do
+    case Keyword.get(attrs, :git) do
+      "" -> false
+      repo -> String.match?(repo, ~r/((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?)([\w\.@\:\/\-~]+)(\.git)(\/)?/)
+    end
+  end
+
+  defp fetch_and_install_git_module(%EjabberdModule{attrs: attrs}) do
+    repo = Keyword.get(attrs, :git)
+    mod_name = case Keyword.get(attrs, :name) do
+      "" -> infer_mod_name_from_git_url(repo)
+      name -> name
+    end
+
+    path = "#{:ext_mod.modules_dir()}/sources/ejabberd-contrib\/#{mod_name}"
+    fetch_and_store_repo_source_if_not_exists(path, repo)
+    :ext_mod.install(mod_name) # Have to check if overwrites an already present mod
+  end
+
+  defp fetch_and_store_repo_source_if_not_exists(path, repo) do
+    unless File.exists?(path) do
+      IO.puts "[info] Fetching: #{repo}"
+      :os.cmd('git clone #{repo} #{path}')
+    end
+  end
+
+  defp infer_mod_name_from_git_url(repo),
+    do: String.split(repo, "/") |> List.last |> String.replace(".git", "")
+end
@@ -0,0 +1,32 @@
+defmodule Ejabberd.Config.EjabberdLogger do
+  @moduledoc """
+  Module used to log validation errors given validated modules
+  given validated modules.
+  """
+
+  alias Ejabberd.Config.EjabberdModule
+
+  @doc """
+  Given a list of modules validated, in the form of {:ok, mod} or
+  {:error, mod, errors}, it logs to the user the errors found.
+  """
+  @spec log_errors([EjabberdModule.t]) :: [EjabberdModule.t]
+  def log_errors(modules_validated) when is_list(modules_validated) do
+    Enum.each modules_validated, &do_log_errors/1
+    modules_validated
+  end
+
+  defp do_log_errors({:ok, _mod}), do: nil
+  defp do_log_errors({:error, _mod, errors}), do: Enum.each errors, &do_log_errors/1
+  defp do_log_errors({:attribute, errors}), do: Enum.each errors, &log_attribute_error/1
+  defp do_log_errors({:dependency, errors}), do: Enum.each errors, &log_dependency_error/1
+
+  defp log_attribute_error({{attr_name, val}, :attr_not_supported}), do:
+    IO.puts "[ WARN ] Annotation @#{attr_name} is not supported."
+
+  defp log_attribute_error({{attr_name, val}, :type_not_supported}), do:
+    IO.puts "[ WARN ] Annotation @#{attr_name} with value #{inspect val} is not supported (type mismatch)."
+
+  defp log_dependency_error({module, :not_found}), do:
+    IO.puts "[ WARN ] Module #{inspect module} was not found, but is required as a dependency."
+end
@@ -0,0 +1,46 @@
+defmodule Ejabberd.Config.OptsFormatter do
+  @moduledoc """
+  Module for formatting options parsed into the format
+  ejabberd uses.
+  """
+
+  alias Ejabberd.Config.EjabberdModule
+
+  @doc """
+  Takes a keyword list with keys corresponding to
+  the keys requested by the ejabberd config (ex: modules: mods)
+  and formats them to be correctly evaluated by ejabberd.
+
+  Look at how Config.get_ejabberd_opts/0 is constructed for
+  more informations.
+  """
+  @spec format_opts_for_ejabberd([{atom(), any()}]) :: list()
+  def format_opts_for_ejabberd(opts) do
+    opts
+    |> format_attrs_for_ejabberd
+  end
+
+  defp format_attrs_for_ejabberd(opts) when is_list(opts),
+    do: Enum.map opts, &format_attrs_for_ejabberd/1
+
+  defp format_attrs_for_ejabberd({:listeners, mods}),
+    do: {:listen, format_listeners_for_ejabberd(mods)}
+
+  defp format_attrs_for_ejabberd({:modules, mods}),
+    do: {:modules, format_mods_for_ejabberd(mods)}
+
+  defp format_attrs_for_ejabberd({key, opts}) when is_atom(key),
+    do: {key, opts}
+
+  defp format_mods_for_ejabberd(mods) do
+    Enum.map mods, fn %EjabberdModule{module: mod, attrs: attrs} ->
+      {mod, attrs[:opts]}
+    end
+  end
+
+  defp format_listeners_for_ejabberd(mods) do
+    Enum.map mods, fn %EjabberdModule{module: mod, attrs: attrs} ->
+      Keyword.put(attrs[:opts], :module, mod)
+    end
+  end
+end
@@ -0,0 +1,55 @@
+defmodule Ejabberd.Config.Store do
+  @moduledoc """
+    Module used for storing the modules parsed from
+    the configuration file.
+
+    Example:
+      - Store.put(:modules, mod1)
+      - Store.put(:modules, mod2)
+
+      - Store.get(:modules) :: [mod1, mod2]
+
+    Be carefoul: when retrieving data you get them
+    in the order inserted into the store, which normally
+    is the reversed order of how the modules are specified
+    inside the configuration file. To resolve this just use
+    a Enum.reverse/1.
+  """
+
+  @name __MODULE__
+
+  def start_link do
+    Agent.start_link(fn -> %{} end, name: @name)
+  end
+
+  @doc """
+  Stores a value based on the key. If the key already exists,
+  then it inserts the new element, maintaining all the others.
+  It uses a list for this.
+  """
+  @spec put(atom, any) :: :ok
+  def put(key, val) do
+    Agent.update @name, &Map.update(&1, key, [val], fn coll ->
+      [val | coll]
+    end)
+  end
+
+  @doc """
+  Gets a value based on the key passed.
+  Returns always a list.
+  """
+  @spec get(atom) :: [any]
+  def get(key) do
+    Agent.get @name, &Map.get(&1, key, [])
+  end
+
+  @doc """
+  Stops the store.
+  It uses Agent.stop underneath, so be aware that exit
+  could be called.
+  """
+  @spec stop() :: :ok
+  def stop do
+    Agent.stop @name
+  end
+end
@@ -0,0 +1,40 @@
+defmodule Ejabberd.Config.Validation do
+  @moduledoc """
+  Module used to validate a list of modules.
+  """
+
+  @type mod_validation :: {[EjabberdModule.t], EjabberdModule.t, map}
+  @type mod_validation_result :: {:ok, EjabberdModule.t} | {:error, EjabberdModule.t, map}
+
+  alias Ejabberd.Config.EjabberdModule
+  alias Ejabberd.Config.Attr
+  alias Ejabberd.Config.Validator
+  alias Ejabberd.Config.ValidatorUtility
+
+  @doc """
+  Given a module or a list of modules it runs validators on them
+  and returns {:ok, mod} or {:error, mod, errors}, for each
+  of them.
+  """
+  @spec validate([EjabberdModule.t] | EjabberdModule.t) :: [mod_validation_result]
+  def validate(modules) when is_list(modules), do: Enum.map(modules, &do_validate(modules, &1))
+  def validate(module), do: validate([module])
+
+  # Private API
+
+  @spec do_validate([EjabberdModule.t], EjabberdModule.t) :: mod_validation_result
+  defp do_validate(modules, mod) do
+    {modules, mod, %{}}
+    |> Validator.Attrs.validate
+    |> Validator.Dependencies.validate
+    |> resolve_validation_result
+  end
+
+  @spec resolve_validation_result(mod_validation) :: mod_validation_result
+  defp resolve_validation_result({_modules, mod, errors}) do
+    case errors do
+      err when err == %{} -> {:ok, mod}
+      err -> {:error, mod, err}
+    end
+  end
+end
@@ -0,0 +1,28 @@
+defmodule Ejabberd.Config.Validator.Attrs do
+  @moduledoc """
+  Validator module used to validate attributes.
+  """
+
+  # TODO: Duplicated from validator.ex !!!
+  @type mod_validation :: {[EjabberdModule.t], EjabberdModule.t, map}
+
+  import Ejabberd.Config.ValidatorUtility
+  alias Ejabberd.Config.Attr
+
+  @doc """
+  Given a module (with the form used for validation)
+  it runs Attr.validate/1 on each attribute and
+  returns the validation tuple with the errors updated, if found.
+  """
+  @spec validate(mod_validation) :: mod_validation
+  def validate({modules, mod, errors}) do
+    errors = Enum.reduce mod.attrs, errors, fn(attr, err) ->
+      case Attr.validate(attr) do
+        {:ok, attr} -> err
+        {:error, attr, cause} -> put_error(err, :attribute, {attr, cause})
+      end
+    end
+
+    {modules, mod, errors}
+  end
+end
@@ -0,0 +1,30 @@
+defmodule Ejabberd.Config.Validator.Dependencies do
+  @moduledoc """
+  Validator module used to validate dependencies specified
+  with the @dependency annotation.
+  """
+
+  # TODO: Duplicated from validator.ex !!!
+  @type mod_validation :: {[EjabberdModule.t], EjabberdModule.t, map}
+  import Ejabberd.Config.ValidatorUtility
+
+  @doc """
+  Given a module (with the form used for validation)
+  it checks if the @dependency annotation is respected and
+  returns the validation tuple with the errors updated, if found.
+  """
+  @spec validate(mod_validation) :: mod_validation
+  def validate({modules, mod, errors}) do
+    module_names = extract_module_names(modules)
+    dependencies = mod.attrs[:dependency]
+
+    errors = Enum.reduce dependencies, errors, fn(req_module, err) ->
+      case req_module in module_names do
+        true -> err
+        false -> put_error(err, :dependency, {req_module, :not_found})
+      end
+    end
+
+    {modules, mod, errors}
+  end
+end
@@ -0,0 +1,30 @@
+defmodule Ejabberd.Config.ValidatorUtility do
+  @moduledoc """
+  Module used as a base validator for validation modules.
+  Imports utility functions for working with validation structures.
+  """
+
+  alias Ejabberd.Config.EjabberdModule
+
+  @doc """
+  Inserts an error inside the errors collection, for the given key.
+  If the key doesn't exists then it creates an empty collection
+  and inserts the value passed.
+  """
+  @spec put_error(map, atom, any) :: map
+  def put_error(errors, key, val) do
+    Map.update errors, key, [val], fn coll ->
+      [val | coll]
+    end
+  end
+
+  @doc """
+  Given a list of modules it extracts and returns a list
+  of the module names (which are Elixir.Module).
+  """
+  @spec extract_module_names(EjabberdModule.t) :: [atom]
+  def extract_module_names(modules) when is_list(modules) do
+    modules
+    |> Enum.map(&Map.get(&1, :module))
+  end
+end
@@ -0,0 +1,18 @@
+defmodule Ejabberd.ConfigUtil do
+  @moduledoc """
+  Module containing utility functions for
+  the config file.
+  """
+
+  @doc """
+  Returns true when the config file is based on elixir.
+  """
+  @spec is_elixir_config(list) :: boolean
+  def is_elixir_config(filename) when is_list(filename) do
+    is_elixir_config(to_string(filename))
+  end
+
+  def is_elixir_config(filename) do
+    String.ends_with?(filename, "exs")
+  end
+end
@@ -0,0 +1,19 @@
+defmodule Ejabberd.Module do
+
+  defmacro __using__(opts) do
+    logger_enabled = Keyword.get(opts, :logger, true)
+
+    quote do
+      @behaviour :gen_mod
+      import Ejabberd.Module
+
+      unquote(if logger_enabled do
+        quote do: import Ejabberd.Logger
+      end)
+    end
+  end
+
+  # gen_mod callbacks
+  def depends(_host, _opts), do: []
+  def mod_opt_type(_), do: []
+end
@@ -0,0 +1,94 @@
+defmodule Mix.Tasks.Ejabberd.Deps.Tree do
+  use Mix.Task
+
+  alias Ejabberd.Config.EjabberdModule
+
+  @shortdoc "Lists all ejabberd modules and their dependencies"
+
+  @moduledoc """
+  Lists all ejabberd modules and their dependencies.
+
+  The project must have ejabberd as a dependency.
+  """
+
+  def run(_argv) do
+    # First we need to start manually the store to be available
+    # during the compilation of the config file.
+    Ejabberd.Config.Store.start_link
+    Ejabberd.Config.init(:ejabberd_config.get_ejabberd_config_path())
+
+    Mix.shell.info "ejabberd modules"
+
+    Ejabberd.Config.Store.get(:modules)
+    |> Enum.reverse # Because of how mods are stored inside the store
+    |> format_mods
+    |> Mix.shell.info
+  end
+
+  defp format_mods(mods) when is_list(mods) do
+    deps_tree = build_dependency_tree(mods)
+    mods_used_as_dependency = get_mods_used_as_dependency(deps_tree)
+
+    keep_only_mods_not_used_as_dep(deps_tree, mods_used_as_dependency)
+    |> format_mods_into_string
+  end
+
+  defp build_dependency_tree(mods) do
+    Enum.map mods, fn %EjabberdModule{module: mod, attrs: attrs} ->
+      deps = attrs[:dependency]
+      build_dependency_tree(mods, mod, deps)
+    end
+  end
+
+  defp build_dependency_tree(mods, mod, []), do: %{module: mod, dependency: []}
+  defp build_dependency_tree(mods, mod, deps) when is_list(deps) do
+    dependencies = Enum.map deps, fn dep ->
+      dep_deps = get_dependencies_of_mod(mods, dep)
+      build_dependency_tree(mods, dep, dep_deps)
+    end
+
+    %{module: mod, dependency: dependencies}
+  end
+
+  defp get_mods_used_as_dependency(mods) when is_list(mods) do
+    Enum.reduce mods, [], fn(mod, acc) ->
+      case mod do
+        %{dependency: []} -> acc
+        %{dependency: deps} -> get_mod_names(deps) ++ acc
+      end
+    end
+  end
+
+  defp get_mod_names([]), do: []
+  defp get_mod_names(mods) when is_list(mods), do: Enum.map(mods, &get_mod_names/1) |> List.flatten
+  defp get_mod_names(%{module: mod, dependency: deps}), do: [mod | get_mod_names(deps)]
+
+  defp keep_only_mods_not_used_as_dep(mods, mods_used_as_dep) do
+    Enum.filter mods, fn %{module: mod} ->
+      not mod in mods_used_as_dep
+    end
+  end
+
+  defp get_dependencies_of_mod(deps, mod_name) do
+    Enum.find(deps, &(Map.get(&1, :module) == mod_name))
+    |> Map.get(:attrs)
+    |> Keyword.get(:dependency)
+  end
+
+  defp format_mods_into_string(mods), do: format_mods_into_string(mods, 0)
+  defp format_mods_into_string([], _indentation), do: ""
+  defp format_mods_into_string(mods, indentation) when is_list(mods) do
+    Enum.reduce mods, "", fn(mod, acc) ->
+      acc <> format_mods_into_string(mod, indentation)
+    end
+  end
+
+  defp format_mods_into_string(%{module: mod, dependency: deps}, 0) do
+    "\n├── #{mod}" <> format_mods_into_string(deps,  2)
+  end
+
+  defp format_mods_into_string(%{module: mod, dependency: deps}, indentation) do
+    spaces = Enum.reduce 0..indentation, "", fn(_, acc) -> " " <> acc end
+    "\n│#{spaces}└── #{mod}" <> format_mods_into_string(deps, indentation + 4)
+  end
+end
@@ -1,21 +1,20 @@
 defmodule ModPresenceDemo do
-  import Ejabberd.Logger # this allow using info, error, etc for logging
-  @behaviour :gen_mod
+  use Ejabberd.Module

  def start(host, _opts) do
    info('Starting ejabberd module Presence Demo')
-    Ejabberd.Hooks.add(:set_presence_hook, host, __ENV__.module, :on_presence, 50)
+    Ejabberd.Hooks.add(:set_presence_hook, host, __MODULE__, :on_presence, 50)
    :ok
  end
-  
+
  def stop(host) do
    info('Stopping ejabberd module Presence Demo')
-    Ejabberd.Hooks.delete(:set_presence_hook, host, __ENV__.module, :on_presence, 50)
+    Ejabberd.Hooks.delete(:set_presence_hook, host, __MODULE__, :on_presence, 50)
    :ok
  end
-  
+
  def on_presence(user, _server, _resource, _packet) do
    info('Receive presence for #{user}')
    :none
-  end 
+  end
 end
@@ -3,7 +3,7 @@ defmodule Ejabberd.Mixfile do

  def project do
    [app: :ejabberd,
-     version: "16.04.0",
+     version: "16.08.0",
     description: description,
     elixir: "~> 1.2",
     elixirc_paths: ["lib"],
@@ -11,6 +11,8 @@ defmodule Ejabberd.Mixfile do
     compilers: [:asn1] ++ Mix.compilers,
     erlc_options: erlc_options,
     erlc_paths: ["asn1", "src"],
+     # Elixir tests are starting the part of ejabberd they need
+     aliases: [test: "test --no-start"],
     package: package,
     deps: deps]
  end
@@ -27,7 +29,7 @@ defmodule Ejabberd.Mixfile do
     included_applications: [:lager, :mnesia, :p1_utils, :cache_tab,
                             :fast_tls, :stringprep, :fast_xml,
                             :stun, :fast_yaml, :ezlib, :iconv,
-                             :esip, :jiffy, :p1_oauth2, :p1_xmlrpc, :eredis,
+                             :esip, :jiffy, :p1_oauth2, :eredis,
                             :p1_mysql, :p1_pgsql, :sqlite3]]
  end

@@ -38,7 +40,7 @@ defmodule Ejabberd.Mixfile do
  end

  defp deps do
-    [{:lager, "~> 3.0"},
+    [{:lager, "~> 3.2"},
     {:p1_utils, "~> 1.0"},
     {:cache_tab, "~> 1.0"},
     {:stringprep, "~> 1.0"},
@@ -49,14 +51,19 @@ defmodule Ejabberd.Mixfile do
     {:esip, "~> 1.0"},
     {:jiffy, "~> 0.14.7"},
     {:p1_oauth2, "~> 0.6.1"},
-     {:p1_xmlrpc, "~> 1.15"},
     {:p1_mysql, "~> 1.0"},
-     {:p1_pgsql, "~> 1.0"},
+     {:p1_pgsql, "~> 1.1"},
     {:sqlite3, "~> 1.1"},
     {:ezlib, "~> 1.0"},
     {:iconv, "~> 1.0"},
     {:eredis, "~> 1.0"},
-     {:exrm, "~> 1.0.0-rc7", only: :dev}]
+     {:exrm, "~> 1.0.0", only: :dev},
+     # relx is used by exrm. Lock version as for now, ejabberd doesn not compile fine with
+     # version 3.20:
+     {:relx, "~> 3.21", only: :dev},
+     {:ex_doc, ">= 0.0.0", only: :dev},
+     {:meck, "~> 0.8.4", only: :test},
+     {:moka, github: "processone/moka", tag: "1.0.5c", only: :test}]
  end

  defp package do
@@ -1,26 +1,30 @@
-%{"bbmustache": {:hex, :bbmustache, "1.0.4"},
-  "cache_tab": {:hex, :cache_tab, "1.0.2"},
-  "cf": {:hex, :cf, "0.2.1"},
-  "eredis": {:hex, :eredis, "1.0.8"},
-  "erlware_commons": {:hex, :erlware_commons, "0.19.0"},
-  "esip": {:hex, :esip, "1.0.4"},
-  "exrm": {:hex, :exrm, "1.0.3"},
-  "ezlib": {:hex, :ezlib, "1.0.1"},
-  "fast_tls": {:hex, :fast_tls, "1.0.3"},
-  "fast_xml": {:hex, :fast_xml, "1.1.11"},
-  "fast_yaml": {:hex, :fast_yaml, "1.0.3"},
-  "getopt": {:hex, :getopt, "0.8.2"},
-  "goldrush": {:hex, :goldrush, "0.1.7"},
-  "iconv": {:hex, :iconv, "1.0.0"},
-  "jiffy": {:hex, :jiffy, "0.14.7"},
-  "lager": {:hex, :lager, "3.0.2"},
-  "p1_mysql": {:hex, :p1_mysql, "1.0.1"},
-  "p1_oauth2": {:hex, :p1_oauth2, "0.6.1"},
-  "p1_pgsql": {:hex, :p1_pgsql, "1.1.0"},
-  "p1_utils": {:hex, :p1_utils, "1.0.3"},
-  "p1_xmlrpc": {:hex, :p1_xmlrpc, "1.15.1"},
-  "providers": {:hex, :providers, "1.6.0"},
-  "relx": {:hex, :relx, "3.19.0"},
-  "sqlite3": {:hex, :sqlite3, "1.1.5"},
-  "stringprep": {:hex, :stringprep, "1.0.3"},
-  "stun": {:hex, :stun, "1.0.3"}}
+%{"bbmustache": {:hex, :bbmustache, "1.0.4", "7ba94f971c5afd7b6617918a4bb74705e36cab36eb84b19b6a1b7ee06427aa38", [:rebar], []},
+  "cache_tab": {:hex, :cache_tab, "1.0.4", "3fd2b1ab40c36e7830a4e09e836c6b0fa89191cd4e5fd471873e4eb42f5cd37c", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "cf": {:hex, :cf, "0.2.1", "69d0b1349fd4d7d4dc55b7f407d29d7a840bf9a1ef5af529f1ebe0ce153fc2ab", [:rebar3], []},
+  "earmark": {:hex, :earmark, "1.0.1", "2c2cd903bfdc3de3f189bd9a8d4569a075b88a8981ded9a0d95672f6e2b63141", [:mix], []},
+  "eredis": {:hex, :eredis, "1.0.8", "ab4fda1c4ba7fbe6c19c26c249dc13da916d762502c4b4fa2df401a8d51c5364", [:rebar], []},
+  "erlware_commons": {:hex, :erlware_commons, "0.21.0", "a04433071ad7d112edefc75ac77719dd3e6753e697ac09428fc83d7564b80b15", [:rebar3], [{:cf, "0.2.1", [hex: :cf, optional: false]}]},
+  "esip": {:hex, :esip, "1.0.8", "69885a6c07964aabc6c077fe1372aa810a848bd3d9a415b160dabdce9c7a79b5", [:rebar3], [{:fast_tls, "1.0.7", [hex: :fast_tls, optional: false]}, {:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}, {:stun, "1.0.7", [hex: :stun, optional: false]}]},
+  "ex_doc": {:hex, :ex_doc, "0.13.0", "aa2f8fe4c6136a2f7cfc0a7e06805f82530e91df00e2bff4b4362002b43ada65", [:mix], [{:earmark, "~> 1.0", [hex: :earmark, optional: false]}]},
+  "exrm": {:hex, :exrm, "1.0.8", "5aa8990cdfe300282828b02cefdc339e235f7916388ce99f9a1f926a9271a45d", [:mix], [{:relx, "~> 3.5", [hex: :relx, optional: false]}]},
+  "ezlib": {:hex, :ezlib, "1.0.1", "add8b2770a1a70c174aaea082b4a8668c0c7fdb03ee6cc81c6c68d3a6c3d767d", [:rebar3], []},
+  "fast_tls": {:hex, :fast_tls, "1.0.7", "9b72ecfcdcad195ab072c196fab8334f49d8fea76bf1a51f536d69e7527d902a", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "fast_xml": {:hex, :fast_xml, "1.1.15", "6d23eb7f874e1357cf80a48d75a7bd0c8f6318029dc4b70122e9f54911f57f83", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "fast_yaml": {:hex, :fast_yaml, "1.0.6", "3fe6feb7935ae8028b337e53e1db29e73ad3bca8041108f6a8f73b7175ece75c", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "getopt": {:hex, :getopt, "0.8.2", "b17556db683000ba50370b16c0619df1337e7af7ecbf7d64fbf8d1d6bce3109b", [:rebar], []},
+  "goldrush": {:hex, :goldrush, "0.1.8", "2024ba375ceea47e27ea70e14d2c483b2d8610101b4e852ef7f89163cdb6e649", [:rebar3], []},
+  "iconv": {:hex, :iconv, "1.0.2", "a0792f06ab4b5ea1b5bb49789405739f1281a91c44cf3879cb70e4d777666217", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "jiffy": {:hex, :jiffy, "0.14.7", "9f33b893edd6041ceae03bc1e50b412e858cc80b46f3d7535a7a9940a79a1c37", [:rebar, :make], []},
+  "lager": {:hex, :lager, "3.2.1", "eef4e18b39e4195d37606d9088ea05bf1b745986cf8ec84f01d332456fe88d17", [:rebar3], [{:goldrush, "0.1.8", [hex: :goldrush, optional: false]}]},
+  "meck": {:hex, :meck, "0.8.4", "59ca1cd971372aa223138efcf9b29475bde299e1953046a0c727184790ab1520", [:rebar, :make], []},
+  "moka": {:git, "https://github.com/processone/moka.git", "3eed3a6dd7dedb70a6cd18f86c7561a18626eb3b", [tag: "1.0.5c"]},
+  "p1_mysql": {:hex, :p1_mysql, "1.0.1", "d2be1cfc71bb4f1391090b62b74c3f5cb8e7a45b0076b8cb290cd6b2856c581b", [:rebar3], []},
+  "p1_oauth2": {:hex, :p1_oauth2, "0.6.1", "4e021250cc198c538b097393671a41e7cebf463c248980320e038fe0316eb56b", [:rebar3], []},
+  "p1_pgsql": {:hex, :p1_pgsql, "1.1.0", "ca525c42878eac095e5feb19563acc9915c845648f48fdec7ba6266c625d4ac7", [:rebar3], []},
+  "p1_utils": {:hex, :p1_utils, "1.0.5", "3e698354fdc1fea5491d991457b0cb986c0a00a47d224feb841dc3ec82b9f721", [:rebar3], []},
+  "providers": {:hex, :providers, "1.6.0", "db0e2f9043ae60c0155205fcd238d68516331d0e5146155e33d1e79dc452964a", [:rebar3], [{:getopt, "0.8.2", [hex: :getopt, optional: false]}]},
+  "relx": {:hex, :relx, "3.21.0", "91e1ea9f09b4edfda8461901f4b5c5e0226e43ec161e147eeab29f7761df6eb5", [:rebar3], [{:bbmustache, "1.0.4", [hex: :bbmustache, optional: false]}, {:cf, "0.2.1", [hex: :cf, optional: false]}, {:erlware_commons, "0.21.0", [hex: :erlware_commons, optional: false]}, {:getopt, "0.8.2", [hex: :getopt, optional: false]}, {:providers, "1.6.0", [hex: :providers, optional: false]}]},
+  "samerlib": {:git, "https://github.com/processone/samerlib", "fbbba035b1548ac4e681df00d61bf609645333a0", [tag: "0.8.0c"]},
+  "sqlite3": {:hex, :sqlite3, "1.1.5", "794738b6d07b6d36ec6d42492cb9d629bad9cf3761617b8b8d728e765db19840", [:rebar3], []},
+  "stringprep": {:hex, :stringprep, "1.0.6", "1cf1c439eb038aa590da5456e019f86afbfbfeb5a2d37b6e5f873041624c6701", [:rebar3], [{:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]},
+  "stun": {:hex, :stun, "1.0.7", "904dc6f26a3c30c54881c4c3003699f2a4968067ee6b3aecdf9895aad02df75e", [:rebar3], [{:fast_tls, "1.0.7", [hex: :fast_tls, optional: false]}, {:p1_utils, "1.0.5", [hex: :p1_utils, optional: false]}]}}
@@ -7,18 +7,17 @@
 %%% Created :  1 May 2013 by Evgeniy Khramtsov <ekhramtsov@process-one.net>
 %%%-------------------------------------------------------------------

-{deps, [{lager, ".*", {git, "https://github.com/basho/lager", {tag, "3.0.2"}}},
-        {p1_utils, ".*", {git, "https://github.com/processone/p1_utils", {tag, "1.0.4"}}},
-        {cache_tab, ".*", {git, "https://github.com/processone/cache_tab", {tag, "1.0.2"}}},
-        {fast_tls, ".*", {git, "https://github.com/processone/fast_tls", {tag, "1.0.3"}}},
-        {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.3"}}},
-        {fast_xml, ".*", {git, "https://github.com/processone/fast_xml", {tag, "1.1.3"}}},
-        {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.3"}}},
-        {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.4"}}},
-        {fast_yaml, ".*", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.3"}}},
+{deps, [{lager, ".*", {git, "https://github.com/basho/lager", {tag, "3.2.1"}}},
+        {p1_utils, ".*", {git, "https://github.com/processone/p1_utils", {tag, "1.0.5"}}},
+        {cache_tab, ".*", {git, "https://github.com/processone/cache_tab", {tag, "1.0.4"}}},
+        {fast_tls, ".*", {git, "https://github.com/processone/fast_tls", {tag, "1.0.7"}}},
+        {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.6"}}},
+        {fast_xml, ".*", {git, "https://github.com/processone/fast_xml", {tag, "1.1.15"}}},
+        {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.7"}}},
+        {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.8"}}},
+        {fast_yaml, ".*", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.6"}}},
        {jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.7"}}},
        {p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.1"}}},
-        {p1_xmlrpc, ".*", {git, "https://github.com/processone/p1_xmlrpc", {tag, "1.15.1"}}},
        {luerl, ".*", {git, "https://github.com/rvirding/luerl", {tag, "v0.2"}}},
        {if_var_true, mysql, {p1_mysql, ".*", {git, "https://github.com/processone/p1_mysql",
                                               {tag, "1.0.1"}}}},
@@ -34,21 +33,21 @@
                                           "527722d12d0433b837cdb92a60900c2cb5df8942"}}},
        %% Forces correct dependency for riakc and allow using newer meck version)
        {if_var_true, riak, {hamcrest, ".*", {git, "https://github.com/hyperthunk/hamcrest-erlang",
-                                              "908a24fda4a46776a5135db60ca071e3d783f9f6"}}},  % for riak_pb-2.1.0.7
+                                              "13f9bfb9b27d216e8e033b0e0a9a29097ed923dd"}}},  % for riak_pb-2.1.0.7
        {if_var_true, riak, {protobuffs, ".*", {git, "https://github.com/basho/erlang_protobuffs",
                                                "6e7fc924506e2dc166a6170e580ce1d95ebbd5bd"}}},  % for riak_pb-2.1.0.7 with correct meck dependency
        %% Elixir support, needed to run tests
        {if_var_true, elixir, {elixir, ".*", {git, "https://github.com/elixir-lang/elixir",
-                                              {tag, "v1.1.1"}}}},
+                                              {tag, {if_version_above, "17", "v1.2.6", "v1.1.1"}}}}},
        %% TODO: When modules are fully migrated to new structure and mix, we will not need anymore rebar_elixir_plugin
        {if_var_true, elixir, {rebar_elixir_plugin, ".*",
                               {git, "https://github.com/processone/rebar_elixir_plugin", "0.1.0"}}},
        {if_var_true, iconv, {iconv, ".*", {git, "https://github.com/processone/iconv",
-                                            {tag, "1.0.0"}}}},
+                                            {tag, "1.0.2"}}}},
        {if_var_true, tools, {meck, "0.8.*", {git, "https://github.com/eproxus/meck",
                                              {tag, "0.8.4"}}}},
        {if_var_true, tools, {moka, ".*", {git, "https://github.com/processone/moka.git",
-                                           {tag, "1.0.5b"}}}},
+                                           {tag, "1.0.5c"}}}},
        {if_var_true, redis, {eredis, ".*", {git, "https://github.com/wooga/eredis",
                                             {tag, "v1.0.8"}}}}]}.

@@ -68,13 +67,14 @@
                  ezlib,
                  iconv]}}.

-{erl_first_files, ["src/ejabberd_config.erl"]}.
+{erl_first_files, ["src/ejabberd_config.erl", "src/gen_mod.erl"]}.

 {erl_opts, [nowarn_deprecated_function,
            {if_var_false, debug, no_debug_info},
            {if_var_true, debug, debug_info},
            {if_var_true, roster_gateway_workaround, {d, 'ROSTER_GATWAY_WORKAROUND'}},
            {if_var_match, db_type, mssql, {d, 'mssql'}},
+            {if_var_true, elixir, {d, 'ELIXIR_ENABLED'}},
            {if_var_true, erlang_deprecated_types, {d, 'ERL_DEPRECATED_TYPES'}},
            {if_var_true, hipe, native},
            {src_dirs, [asn1, src,
@@ -113,11 +113,12 @@
                   {if_var_false, iconv, "(\"iconv\":_/_)"},
                   {if_var_false, odbc, "(\"odbc\":_/_)"},
                   {if_var_false, sqlite, "(\"sqlite3\":_/_)"},
+                   {if_var_false, elixir, "(\"Elixir.Logger.*\":_/_)"},
                   {if_var_false, redis, "(\"eredis\":_/_)"}]}.

 {eunit_compile_opts, [{i, "tools"}]}.

-{cover_enabled, true}.
+{if_version_above, "17", {cover_enabled, true}}.
 {cover_export_enabled, true}.

 {post_hook_configure, [{"fast_tls", []},
@@ -19,7 +19,7 @@ ModCfg0 = fun(F, Cfg, [Key|Tail], Op, Default) ->
                         [{Key, F(F, OldVal, Tail, Op, Default)} | PartCfg]
                 end
         end,
-ModCfg = fun(Cfg, Keys, Op, Default) -> ModCfg0(ModCfg0, Cfg, Keys, Op, Default) end.
+ModCfg = fun(Cfg, Keys, Op, Default) -> ModCfg0(ModCfg0, Cfg, Keys, Op, Default) end,

 Cfg = case file:consult(filename:join(filename:dirname(SCRIPT), "vars.config")) of
          {ok, Terms} ->
@@ -28,15 +28,50 @@ Cfg = case file:consult(filename:join(filename:dirname(SCRIPT), "vars.config"))
              []
      end,

+ProcessSingleVar = fun(F, Var, Tail) ->
+			   case F(F, [Var], []) of
+			       [] -> Tail;
+			       [Val] -> [Val | Tail]
+			   end
+		   end,
+
 ProcessVars = fun(_F, [], Acc) ->
                      lists:reverse(Acc);
+                 (F, [{Type, Ver, Value} | Tail], Acc) when
+                        Type == if_version_above orelse
+                        Type == if_version_below ->
+		      SysVer = erlang:system_info(otp_release),
+		      Include = if Type == if_version_above ->
+					SysVer > Ver;
+				   true ->
+					SysVer < Ver
+				end,
+		      if Include ->
+                              F(F, Tail, ProcessSingleVar(F, Value, Acc));
+			 true ->
+                              F(F, Tail, Acc)
+		      end;
+                 (F, [{Type, Ver, Value, ElseValue} | Tail], Acc) when
+                        Type == if_version_above orelse
+                        Type == if_version_below ->
+		      SysVer = erlang:system_info(otp_release),
+		      Include = if Type == if_version_above ->
+					SysVer > Ver;
+				   true ->
+					SysVer < Ver
+				end,
+		      if Include ->
+                              F(F, Tail, ProcessSingleVar(F, Value, Acc));
+			 true ->
+                              F(F, Tail, ProcessSingleVar(F, ElseValue, Acc))
+		      end;
                 (F, [{Type, Var, Value} | Tail], Acc) when
                        Type == if_var_true orelse
                        Type == if_var_false ->
                      Flag = Type == if_var_true,
                      case proplists:get_bool(Var, Cfg) of
                          V when V == Flag ->
-                              F(F, Tail, [Value | Acc]);
+                              F(F, Tail, ProcessSingleVar(F, Value, Acc));
                          _ ->
                              F(F, Tail, Acc)
                      end;
@@ -45,7 +80,7 @@ ProcessVars = fun(_F, [], Acc) ->
                        Type == if_var_no_match ->
                      case proplists:get_value(Var, Cfg) of
                          V when V == Match ->
-                              F(F, Tail, [Value | Acc]);
+                              F(F, Tail, ProcessSingleVar(F, Value, Acc));
                          _ ->
                              F(F, Tail, Acc)
                      end;
@@ -122,8 +157,8 @@ Conf5 = case lists:keytake(floating_deps, 1, Conf3) of
        end,

 %% When running Travis test, upload test coverage result to coveralls:
-Conf6 = case os:getenv("TRAVIS") of
-            "true" ->
+Conf6 = case {lists:keyfind(cover_enabled, 1, Conf5), os:getenv("TRAVIS")} of
+            {{cover_enabled, true}, "true"} ->
                JobId = os:getenv("TRAVIS_JOB_ID"),
                CfgTemp = ModCfg(Conf5, [deps], fun(V) -> [{coveralls, ".*", {git, "https://github.com/markusn/coveralls-erl.git", "master"}}|V] end, []),
                ModCfg(CfgTemp, [post_hooks], fun(V) -> V ++ [{ct, "echo '\n%%! -pa ebin/ deps/coveralls/ebin\nmain(_)->{ok,F}=file:open(\"erlang.json\",[write]),io:fwrite(F,\"~s\",[coveralls:convert_file(\"logs/all.coverdata\", \""++JobId++"\", \"travis-ci\")]).' > getcover.erl"},
@@ -132,7 +167,7 @@ Conf6 = case os:getenv("TRAVIS") of
                Conf5
        end,

-%io:format("ejabberd configuration:~n  ~p~n", [Conf5]),
+%io:format("ejabberd configuration:~n  ~p~n", [Conf6]),

 Conf6.

@@ -313,3 +313,10 @@ CREATE TABLE sm (
 CREATE UNIQUE INDEX i_sm_sid ON sm(usec, pid);
 CREATE INDEX i_sm_node ON sm(node);
 CREATE INDEX i_sm_username ON sm(username);
+
+CREATE TABLE oauth_token (
+    token text NOT NULL PRIMARY KEY,
+    jid text NOT NULL,
+    scope text NOT NULL,
+    expire bigint NOT NULL
+);
@@ -480,3 +480,13 @@ ON DELETE CASCADE;

 ALTER TABLE [dbo].[pubsub_state] CHECK CONSTRAINT [pubsub_state_ibfk_1];

+CREATE TABLE [dbo].[oauth_token] (
+    [token] [varchar] (250) NOT NULL,
+    [jid] [text] NOT NULL,
+    [scope] [text] NOT NULL,
+    [expire] [bigint] NOT NULL,
+ CONSTRAINT [oauth_token_PRIMARY] PRIMARY KEY CLUSTERED 
+(
+        [token] ASC
+)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)
+) TEXTIMAGE_ON [PRIMARY];
@@ -275,7 +275,7 @@ CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt(subid(3
 CREATE TABLE muc_room (
    name text NOT NULL,
    host text NOT NULL,
-    opts text NOT NULL,
+    opts mediumtext NOT NULL,
    created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
 ) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

@@ -328,3 +328,10 @@ CREATE TABLE sm (
 CREATE UNIQUE INDEX i_sid ON sm(usec, pid(75));
 CREATE INDEX i_node ON sm(node(75));
 CREATE INDEX i_username ON sm(username);
+
+CREATE TABLE oauth_token (
+    token varchar(191) NOT NULL PRIMARY KEY,
+    jid text NOT NULL,
+    scope text NOT NULL,
+    expire bigint NOT NULL
+) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
@@ -330,3 +330,12 @@ CREATE TABLE sm (
 CREATE UNIQUE INDEX i_sm_sid ON sm USING btree (usec, pid);
 CREATE INDEX i_sm_node ON sm USING btree (node);
 CREATE INDEX i_sm_username ON sm USING btree (username);
+
+CREATE TABLE oauth_token (
+    token text NOT NULL,
+    jid text NOT NULL,
+    scope text NOT NULL,
+    expire bigint NOT NULL
+);
+
+CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token);
@@ -29,12 +29,14 @@

 -author('alexey@process-one.net').

-export([start/0, to_record/3, add/3, add_list/3,
-	 add_local/3, add_list_local/3, load_from_config/0,
-	 match_rule/3, match_access/4, match_acl/3, transform_options/1,
-	 opt_type/1]).
-
 -export([add_access/3, clear/0]).
+-export([start/0, add/3, add_list/3, add_local/3, add_list_local/3,
+	 load_from_config/0, match_rule/3, any_rules_allowed/3,
+	 transform_options/1, opt_type/1, acl_rule_matches/3,
+	 acl_rule_verify/1, access_matches/3,
+	 transform_access_rules_config/1,
+	 parse_ip_netmask/1,
+	 access_rules_validator/1, shaper_rules_validator/1]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -92,12 +94,6 @@ start() ->
    load_from_config(),
    ok.

-spec to_record(binary(), atom(), aclspec()) -> acl().
-
-to_record(Host, ACLName, ACLSpec) ->
-    #acl{aclname = {ACLName, Host},
-	 aclspec = normalize_spec(ACLSpec)}.
-
 -spec add(binary(), aclname(), aclspec()) -> ok | {error, any()}.

 add(Host, ACLName, ACLSpec) ->
@@ -188,6 +184,10 @@ load_from_config() ->
                       {acl, Host}, fun(V) -> V end, []),
              AccessRules = ejabberd_config:get_option(
                              {access, Host}, fun(V) -> V end, []),
+              AccessRulesNew = ejabberd_config:get_option(
+				 {access_rules, Host}, fun(V) -> V end, []),
+              ShaperRules = ejabberd_config:get_option(
+				 {shaper_rules, Host}, fun(V) -> V end, []),
              lists:foreach(
                fun({ACLName, SpecList}) ->
                        lists:foreach(
@@ -201,10 +201,21 @@ load_from_config() ->
                                  add(Host, ACLName, {ACLType, ACLSpecs})
                          end, lists:flatten(SpecList))
                end, ACLs),
+              lists:foreach(
+                fun({Access, Rules}) ->
+			NRules = lists:map(fun({ACL, Type}) ->
+					     {Type, [{acl, ACL}]}
+				     end, Rules),
+                        add_access(Host, Access, NRules ++ [{deny, [all]}])
+                end, AccessRules),
              lists:foreach(
                fun({Access, Rules}) ->
                        add_access(Host, Access, Rules)
-                end, AccessRules)
+                end, AccessRulesNew),
+              lists:foreach(
+                fun({Access, Rules}) ->
+                        add_access(Host, Access, Rules)
+                end, ShaperRules)
      end, Hosts).

 %% Delete all previous set ACLs and Access rules
@@ -225,23 +236,33 @@ nameprep(S) ->
 resourceprep(S) ->
    jid:resourceprep(b(S)).

+split_user_server(Str, NormFunUsr, NormFunSrv) ->
+    case binary:split(Str, <<"@">>) of
+	[U, S] ->
+	    {NormFunUsr(U), NormFunSrv(S)};
+	_ ->
+	    NormFunUsr(Str)
+    end.
+
 normalize_spec(Spec) ->
    case Spec of
        all -> all;
        none -> none;
+        {acl, N} -> {acl, N};
        {user, {U, S}} -> {user, {nodeprep(U), nameprep(S)}};
-        {user, U} -> {user, nodeprep(U)};
+        {user, U} -> {user, split_user_server(U, fun nodeprep/1, fun nameprep/1)};
        {shared_group, {G, H}} -> {shared_group, {b(G), nameprep(H)}};
-        {shared_group, G} -> {shared_group, b(G)};
+        {shared_group, G} -> {shared_group, split_user_server(G, fun b/1, fun nameprep/1)};
        {user_regexp, {UR, S}} -> {user_regexp, {b(UR), nameprep(S)}};
-        {user_regexp, UR} -> {user_regexp, b(UR)};
+        {user_regexp, UR} -> {user_regexp, split_user_server(UR, fun b/1, fun nameprep/1)};
        {node_regexp, {UR, SR}} -> {node_regexp, {b(UR), b(SR)}};
        {user_glob, {UR, S}} -> {user_glob, {b(UR), nameprep(S)}};
-        {user_glob, UR} -> {user_glob, b(UR)};
+        {user_glob, UR} -> {user_glob, split_user_server(UR, fun b/1, fun nameprep/1)};
        {node_glob, {UR, SR}} -> {node_glob, {b(UR), b(SR)}};
        {server, S} -> {server, nameprep(S)};
        {resource, R} -> {resource, resourceprep(R)};
        {server_regexp, SR} -> {server_regexp, b(SR)};
+        {resource_regexp, R} -> {resource_regexp, b(R)};
        {server_glob, S} -> {server_glob, b(S)};
        {resource_glob, R} -> {resource_glob, b(R)};
        {ip, {Net, Mask}} -> {ip, {Net, Mask}};
@@ -255,130 +276,215 @@ normalize_spec(Spec) ->
            end
    end.

-spec match_access(global | binary(), access_name(),
-                   jid() | ljid() | inet:ip_address(),
-                   atom()) -> any().
+-spec any_rules_allowed(global | binary(), access_name(),
+                           jid() | ljid() | inet:ip_address()) -> boolean().

-match_access(_Host, all, _JID, _Default) ->
-    allow;
-match_access(_Host, none, _JID, _Default) ->
-    deny;
-match_access(_Host, {user, UserPattern}, JID, Default) ->
-    match_user_spec({user, UserPattern}, JID, Default);
-match_access(Host, AccessRule, JID, _Default) ->
-    match_rule(Host, AccessRule, JID).
+any_rules_allowed(Host, Access, Entity) ->
+    lists:any(fun (Rule) ->
+                      allow == acl:match_rule(Host, Rule, Entity)
+              end,
+              Access).

 -spec match_rule(global | binary(), access_name(),
                 jid() | ljid() | inet:ip_address()) -> any().

-match_rule(_Host, all, _JID) ->
-    allow;
-match_rule(_Host, none, _JID) ->
-    deny;
+match_rule(Host, Access, IP) when tuple_size(IP) == 4;
+    tuple_size(IP) == 8 ->
+    access_matches(Access, #{ip => IP}, Host);
 match_rule(Host, Access, JID) ->
-    GAccess = ets:lookup(access, {Access, global}),
-    LAccess = if Host /= global ->
-                      ets:lookup(access, {Access, Host});
-                 true ->
-                      []
-              end,
-    case GAccess ++ LAccess of
-        [] ->
-            deny;
-        AccessList ->
-            Rules = lists:flatmap(
-                      fun(#access{rules = Rs}) ->
-                              Rs
-                      end, AccessList),
-            match_acls(Rules, JID, Host)
-    end.
+    access_matches(Access, #{usr => jid:tolower(JID)}, Host).

-match_acls([], _, _Host) -> deny;
-match_acls([{ACL, Access} | ACLs], JID, Host) ->
-    case match_acl(ACL, JID, Host) of
-      true -> Access;
-      _ -> match_acls(ACLs, JID, Host)
-    end.
+-spec acl_rule_verify(aclspec()) -> boolean().

-spec match_acl(atom(),
-                jid() | ljid() | inet:ip_address(),
-                binary()) -> boolean().
-
-match_acl(all, _JID, _Host) ->
+acl_rule_verify(all) ->
    true;
-match_acl(none, _JID, _Host) ->
+acl_rule_verify(none) ->
+    true;
+acl_rule_verify({ip, {{A,B,C,D}, Mask}})
+    when is_integer(A), is_integer(B), is_integer(C), is_integer(D),
+    A >= 0, A =< 255, B >= 0, B =< 255, C >= 0, C =< 255, D >= 0, D =< 255,
+    is_integer(Mask), Mask >= 0, Mask =< 32 ->
+    true;
+acl_rule_verify({ip, {{A,B,C,D,E,F,G,H}, Mask}}) when
+    is_integer(A), is_integer(B), is_integer(C), is_integer(D),
+    is_integer(E), is_integer(F), is_integer(G), is_integer(H),
+    A >= 0, A =< 65535, B >= 0, B =< 65535, C >= 0, C =< 65535, D >= 0, D =< 65535,
+    E >= 0, E =< 65535, F >= 0, F =< 65535, G >= 0, G =< 65535, H >= 0, H =< 65535,
+    is_integer(Mask), Mask >= 0, Mask =< 64 ->
+    true;
+acl_rule_verify({user, {U, S}}) when is_binary(U), is_binary(S) ->
+    true;
+acl_rule_verify({user, U}) when is_binary(U) ->
+    true;
+acl_rule_verify({server, S}) when is_binary(S) ->
+    true;
+acl_rule_verify({resource, R}) when is_binary(R) ->
+    true;
+acl_rule_verify({shared_group, {G, H}}) when is_binary(G), is_binary(H) ->
+    true;
+acl_rule_verify({shared_group, G}) when is_binary(G) ->
+    true;
+acl_rule_verify({user_regexp, {UR, S}}) when is_binary(UR), is_binary(S) ->
+    true;
+acl_rule_verify({user_regexp, UR}) when is_binary(UR) ->
+    true;
+acl_rule_verify({server_regexp, SR}) when is_binary(SR) ->
+    true;
+acl_rule_verify({resource_regexp, RR}) when is_binary(RR) ->
+    true;
+acl_rule_verify({node_regexp, {UR, SR}}) when is_binary(UR), is_binary(SR) ->
+    true;
+acl_rule_verify({user_glob, {UR, S}}) when is_binary(UR), is_binary(S) ->
+    true;
+acl_rule_verify({user_glob, UR}) when is_binary(UR) ->
+    true;
+acl_rule_verify({server_glob, SR}) when is_binary(SR) ->
+    true;
+acl_rule_verify({resource_glob, RR}) when is_binary(RR) ->
+    true;
+acl_rule_verify({node_glob, {UR, SR}}) when is_binary(UR), is_binary(SR) ->
+    true;
+acl_rule_verify(_Spec) ->
+    false.
+invalid_syntax(Msg, Data) ->
+    throw({invalid_syntax, iolist_to_binary(io_lib:format(Msg, Data))}).
+
+acl_rules_verify([{acl, Name} | Rest], true) when is_atom(Name) ->
+    acl_rules_verify(Rest, true);
+acl_rules_verify([{acl, Name} = Rule | _Rest], false) when is_atom(Name) ->
+    invalid_syntax(<<"Using acl: rules not allowed: ~p">>, [Rule]);
+acl_rules_verify([Rule | Rest], AllowAcl) ->
+    case acl_rule_verify(Rule) of
+	false ->
+	    invalid_syntax(<<"Invalid rule: ~p">>, [Rule]);
+	true ->
+	    acl_rules_verify(Rest, AllowAcl)
+    end;
+acl_rules_verify([], _AllowAcl) ->
+    true;
+acl_rules_verify(Rules, _AllowAcl) ->
+    invalid_syntax(<<"Not a acl rules list: ~p">>, [Rules]).
+
+
+
+all_acl_rules_matches([], _Data, _Host) ->
    false;
-match_acl(ACL, IP, Host) when tuple_size(IP) == 4;
-                              tuple_size(IP) == 8 ->
-    lists:any(
-      fun(#acl{aclspec = {ip, {Net, Mask}}}) ->
-              is_ip_match(IP, Net, Mask);
-         (_) ->
-              false
-      end, get_aclspecs(ACL, Host));
-match_acl(ACL, JID, Host) ->
-    {User, Server, Resource} = jid:tolower(JID),
-    lists:any(
-      fun(#acl{aclspec = Spec}) ->
-              case Spec of
-                  all -> true;
-                  {user, {U, S}} -> U == User andalso S == Server;
-                  {user, U} ->
-                      U == User andalso
-                          lists:member(Server, ?MYHOSTS);
-                  {server, S} -> S == Server;
-                  {resource, R} -> R == Resource;
-                  {shared_group, {G, H}} ->
-                      Mod = loaded_shared_roster_module(H),
-                      Mod:is_user_in_group({User, Server}, G, H);
-                  {shared_group, G} ->
-                      Mod = loaded_shared_roster_module(Host),
-                      Mod:is_user_in_group({User, Server}, G, Host);
-                  {user_regexp, {UR, S}} ->
-                      S == Server andalso is_regexp_match(User, UR);
-                  {user_regexp, UR} ->
-                      lists:member(Server, ?MYHOSTS)
-                          andalso is_regexp_match(User, UR);
-                  {server_regexp, SR} ->
-                      is_regexp_match(Server, SR);
-                  {resource_regexp, RR} ->
-                      is_regexp_match(Resource, RR);
-                  {node_regexp, {UR, SR}} ->
-                      is_regexp_match(Server, SR) andalso
-                          is_regexp_match(User, UR);
-                  {user_glob, {UR, S}} ->
-                      S == Server andalso is_glob_match(User, UR);
-                  {user_glob, UR} ->
-                      lists:member(Server, ?MYHOSTS)
-                          andalso is_glob_match(User, UR);
-                  {server_glob, SR} -> is_glob_match(Server, SR);
-                  {resource_glob, RR} ->
-                      is_glob_match(Resource, RR);
-                  {node_glob, {UR, SR}} ->
-                      is_glob_match(Server, SR) andalso
-                          is_glob_match(User, UR);
-                  WrongSpec ->
-                      ?ERROR_MSG("Wrong ACL expression: ~p~nCheck your "
-                                 "config file and reload it with the override_a"
-                                 "cls option enabled",
-                                 [WrongSpec]),
-                      false
-              end
-      end,
-      get_aclspecs(ACL, Host)).
+all_acl_rules_matches(Rules, Data, Host) ->
+    all_acl_rules_matches2(Rules, Data, Host).
+
+all_acl_rules_matches2([Rule | Tail], Data, Host) ->
+    case acl_rule_matches(Rule, Data, Host) of
+	true ->
+	    all_acl_rules_matches2(Tail, Data, Host);
+	false ->
+	    false
+    end;
+all_acl_rules_matches2([], _Data, _Host) ->
+    true.
+
+any_acl_rules_matches([], _Data, _Host) ->
+    false;
+any_acl_rules_matches([Rule|Tail], Data, Host) ->
+    case acl_rule_matches(Rule, Data, Host) of
+	true ->
+	    true;
+	false ->
+	    any_acl_rules_matches(Tail, Data, Host)
+    end.
+
+-spec acl_rule_matches(aclspec(), any(), global|binary()) -> boolean().
+
+acl_rule_matches(all, _Data, _Host) ->
+    true;
+acl_rule_matches({acl, all}, _Data, _Host) ->
+    true;
+acl_rule_matches({acl, Name}, Data, Host) ->
+    ACLs = get_aclspecs(Name, Host),
+    RawACLs = lists:map(fun(#acl{aclspec = R}) -> R end, ACLs),
+    any_acl_rules_matches(RawACLs, Data, Host);
+acl_rule_matches({ip, {Net, Mask}}, #{ip := {IP, _Port}}, _Host) ->
+    is_ip_match(IP, Net, Mask);
+acl_rule_matches({ip, {Net, Mask}}, #{ip := IP}, _Host) ->
+    is_ip_match(IP, Net, Mask);
+acl_rule_matches({user, {U, S}}, #{usr := {U, S, _}}, _Host) ->
+    true;
+acl_rule_matches({user, U}, #{usr := {U, S, _}}, _Host) ->
+    lists:member(S, ?MYHOSTS);
+acl_rule_matches({server, S}, #{usr := {_, S, _}}, _Host) ->
+    true;
+acl_rule_matches({resource, R}, #{usr := {_, _, R}}, _Host) ->
+    true;
+acl_rule_matches({shared_group, {G, H}}, #{usr := {U, S, _}}, _Host) ->
+    Mod = loaded_shared_roster_module(H),
+    Mod:is_user_in_group({U, S}, G, H);
+acl_rule_matches({shared_group, G}, #{usr := {U, S, _}}, Host) ->
+    Mod = loaded_shared_roster_module(Host),
+    Mod:is_user_in_group({U, S}, G, Host);
+acl_rule_matches({user_regexp, {UR, S}}, #{usr := {U, S, _}}, _Host) ->
+    is_regexp_match(U, UR);
+acl_rule_matches({user_regexp, UR}, #{usr := {U, S, _}}, _Host) ->
+    lists:member(S, ?MYHOSTS) andalso is_regexp_match(U, UR);
+acl_rule_matches({server_regexp, SR}, #{usr := {_, S, _}}, _Host) ->
+    is_regexp_match(S, SR);
+acl_rule_matches({resource_regexp, RR}, #{usr := {_, _, R}}, _Host) ->
+    is_regexp_match(R, RR);
+acl_rule_matches({node_regexp, {UR, SR}}, #{usr := {U, S, _}}, _Host) ->
+    is_regexp_match(U, UR) andalso is_regexp_match(S, SR);
+acl_rule_matches({user_glob, {UR, S}}, #{usr := {U, S, _}}, _Host) ->
+    is_glob_match(U, UR);
+acl_rule_matches({user_glob, UR}, #{usr := {U, S, _}}, _Host) ->
+    lists:member(S, ?MYHOSTS) andalso is_glob_match(U, UR);
+acl_rule_matches({server_glob, SR}, #{usr := {_, S, _}}, _Host) ->
+    is_glob_match(S, SR);
+acl_rule_matches({resource_glob, RR}, #{usr := {_, _, R}}, _Host) ->
+    is_glob_match(R, RR);
+acl_rule_matches({node_glob, {UR, SR}}, #{usr := {U, S, _}}, _Host) ->
+    is_glob_match(U, UR) andalso is_glob_match(S, SR);
+acl_rule_matches(_ACL, _Data, _Host) ->
+    false.
+
+-spec access_matches(atom()|list(), any(), global|binary()) -> any().
+access_matches(all, _Data, _Host) ->
+    allow;
+access_matches(none, _Data, _Host) ->
+    deny;
+access_matches(Name, Data, Host) when is_atom(Name) ->
+    GAccess = ets:lookup(access, {Name, global}),
+    LAccess =
+	if Host /= global -> ets:lookup(access, {Name, Host});
+	    true -> []
+	end,
+    case GAccess ++ LAccess of
+	[] ->
+	    deny;
+	AccessList ->
+	    Rules = lists:flatmap(
+		fun(#access{rules = Rs}) ->
+		    Rs
+		end, AccessList),
+	    access_rules_matches(Rules, Data, Host)
+    end;
+access_matches(Rules, Data, Host) when is_list(Rules) ->
+    access_rules_matches(Rules, Data, Host).
+
+
+-spec access_rules_matches(list(), any(), global|binary()) -> any().
+
+access_rules_matches(AR, Data, Host) ->
+    access_rules_matches(AR, Data, Host, deny).
+
+access_rules_matches([{Type, Acls} | Rest], Data, Host, Default) ->
+    case all_acl_rules_matches(Acls, Data, Host) of
+	false ->
+	    access_rules_matches(Rest, Data, Host, Default);
+	true ->
+	    Type
+    end;
+access_rules_matches([], _Data, _Host, Default) ->
+    Default.

 get_aclspecs(ACL, Host) ->
-      ets:lookup(acl, {ACL, Host}) ++ ets:lookup(acl, {ACL, global}).
-
-
-match_user_spec(Spec, JID, Default) ->
-    case do_match_user_spec(Spec, jid:tolower(JID)) of
-        true -> Default;
-        false -> deny
-    end.
-
-do_match_user_spec({user, {U, S}}, {User, Server, _Resource}) ->
-    U == User andalso S == Server.
+    ets:lookup(acl, {ACL, Host}) ++ ets:lookup(acl, {ACL, global}).

 is_regexp_match(String, RegExp) ->
    case ejabberd_regexp:run(String, RegExp) of
@@ -450,6 +556,63 @@ parse_ip_netmask(S) ->
      _ -> error
    end.

+transform_access_rules_config(Config) when is_list(Config) ->
+    lists:map(fun transform_access_rules_config2/1, lists:flatten(Config));
+transform_access_rules_config(Config) ->
+    transform_access_rules_config([Config]).
+
+transform_access_rules_config2(Type) when is_integer(Type); is_atom(Type) ->
+    {Type, [all]};
+transform_access_rules_config2({Type, ACL}) when is_atom(ACL) ->
+    {Type, [{acl, ACL}]};
+transform_access_rules_config2({Res, Rules}) when is_list(Rules) ->
+    T = lists:map(fun({Type, Args}) when is_list(Args) ->
+			  normalize_spec({Type, hd(lists:flatten(Args))});
+		     (V) -> normalize_spec(V)
+		  end, lists:flatten(Rules)),
+    {Res, T};
+transform_access_rules_config2({Res, Rule}) ->
+    {Res, [Rule]}.
+
+access_rules_validator(Name) when is_atom(Name) ->
+    Name;
+access_rules_validator(Rules0) ->
+    Rules = transform_access_rules_config(Rules0),
+    access_shaper_rules_validator(Rules, fun(allow) -> true;
+					  (deny) -> true;
+					  (_) -> false
+				       end),
+    throw({replace_with, Rules}).
+
+
+shaper_rules_validator(Name) when is_atom(Name) ->
+    Name;
+shaper_rules_validator(Rules0) ->
+    Rules = transform_access_rules_config(Rules0),
+    access_shaper_rules_validator(Rules, fun(V) when is_atom(V) -> true;
+					  (V2) when is_integer(V2) -> true;
+					  (_) -> false
+				       end),
+    throw({replace_with, Rules}).
+
+access_shaper_rules_validator([{Type, Acls} = Rule | Rest], RuleTypeCheck) ->
+    case RuleTypeCheck(Type) of
+	true ->
+	    case acl_rules_verify(Acls, true) of
+		true ->
+		    access_shaper_rules_validator(Rest, RuleTypeCheck);
+		Err ->
+		    Err
+	    end;
+	false ->
+	    invalid_syntax(<<"Invalid rule type: ~p in rule ~p">>, [Type, Rule])
+    end;
+access_shaper_rules_validator([], _RuleTypeCheck) ->
+    true;
+access_shaper_rules_validator(Value, _RuleTypeCheck) ->
+    invalid_syntax(<<"Not a rule definition: ~p">>, [Value]).
+
+
 transform_options(Opts) ->
    Opts1 = lists:foldl(fun transform_options/2, [], Opts),
    {ACLOpts, Opts2} = lists:mapfoldl(
@@ -464,6 +627,18 @@ transform_options(Opts) ->
                               (O, Acc) ->
                                    {[], [O|Acc]}
                            end, [], Opts2),
+    {NewAccessOpts, Opts4} = lists:mapfoldl(
+                            fun({access_rules, Os}, Acc) ->
+                                    {Os, Acc};
+                               (O, Acc) ->
+                                    {[], [O|Acc]}
+                            end, [], Opts3),
+    {ShaperOpts, Opts5} = lists:mapfoldl(
+                            fun({shaper_rules, Os}, Acc) ->
+                                    {Os, Acc};
+                               (O, Acc) ->
+                                    {[], [O|Acc]}
+                            end, [], Opts4),
    ACLOpts1 = ejabberd_config:collect_options(lists:flatten(ACLOpts)),
    AccessOpts1 = case ejabberd_config:collect_options(
                         lists:flatten(AccessOpts)) of
@@ -477,7 +652,21 @@ transform_options(Opts) ->
                   [] -> [];
                   L2 -> [{acl, L2}]
               end,
-    ACLOpts2 ++ AccessOpts1 ++ Opts3.
+    NewAccessOpts1 = case lists:map(
+			    fun({NAName, Os}) ->
+				    {NAName, transform_access_rules_config(Os)}
+			    end, lists:flatten(NewAccessOpts)) of
+			 [] -> [];
+			 L3 -> [{access_rules, L3}]
+		     end,
+    ShaperOpts1 = case lists:map(
+			    fun({SName, Ss}) ->
+				    {SName, transform_access_rules_config(Ss)}
+			    end, lists:flatten(ShaperOpts)) of
+			 [] -> [];
+			 L4 -> [{shaper_rules, L4}]
+		     end,
+    ACLOpts2 ++ AccessOpts1 ++ NewAccessOpts1 ++ ShaperOpts1 ++ Opts5.

 transform_options({acl, Name, Type}, Opts) ->
    T = case Type of
@@ -498,7 +687,8 @@ transform_options({acl, Name, Type}, Opts) ->
            {server_regexp, SR} -> {server_regexp, [b(SR)]};
            {server_glob, S} -> {server_glob, [b(S)]};
            {ip, S} -> {ip, [b(S)]};
-            {resource_glob, R} -> {resource_glob, [b(R)]}
+            {resource_glob, R} -> {resource_glob, [b(R)]};
+            {resource_regexp, R} -> {resource_regexp, [b(R)]}
        end,
    [{acl, [{Name, [T]}]}|Opts];
 transform_options({access, Name, Rules}, Opts) ->
@@ -508,5 +698,7 @@ transform_options(Opt, Opts) ->
    [Opt|Opts].

 opt_type(access) -> fun (V) -> V end;
+opt_type(access_rules) -> fun (V) -> V end;
+opt_type(shaper_rules) -> fun (V) -> V end;
 opt_type(acl) -> fun (V) -> V end;
-opt_type(_) -> [access, acl].
+opt_type(_) -> [access, acl, access_rules, shaper_rules].
@@ -41,13 +41,7 @@
 %% Parse an ad-hoc request.  Return either an adhoc_request record or
 %% an {error, ErrorType} tuple.
 %%
-spec(parse_request/1 ::
-(
-  IQ :: iq_request())
-    -> adhoc_response()
-    %%
-     | {error, _}
-).
+-spec parse_request(IQ :: iq_request()) -> adhoc_response() | {error, _}.

 parse_request(#iq{type = set, lang = Lang, sub_el = SubEl, xmlns = ?NS_COMMANDS}) ->
    ?DEBUG("entering parse_request...", []),
@@ -88,12 +82,9 @@ find_xdata_el1([_ | Els]) -> find_xdata_el1(Els).
 %% record, filling in values for language, node and session id from
 %% the request.
 %%
-spec(produce_response/2 ::
-(
-  Adhoc_Request  :: adhoc_request(),
-  Adhoc_Response :: adhoc_response())
-    -> Xmlel::xmlel()
-).
+-spec produce_response(Adhoc_Request :: adhoc_request(),
+		       Adhoc_Response :: adhoc_response()) ->
+			      Xmlel::xmlel().

 %% Produce a <command/> node to use as response from an adhoc_response
 %% record.
@@ -104,11 +95,7 @@ produce_response(#adhoc_request{lang = Lang, node = Node, sessionid = SessionID}
    }).

 %%
-spec(produce_response/1 ::
-(
-  Adhoc_Response::adhoc_response())
-    -> Xmlel::xmlel()
-).
+-spec produce_response(Adhoc_Response::adhoc_response()) -> Xmlel::xmlel().

 produce_response(
  #adhoc_response{
@@ -88,13 +88,8 @@ start() ->
    ok.

 %%
-spec(register_mechanism/3 ::
-(
-  Mechanim     :: mechanism(),
-  Module       :: module(),
-  PasswordType :: password_type())
-    -> any()
-).
+-spec register_mechanism(Mechanim :: mechanism(), Module :: module(),
+			 PasswordType :: password_type()) -> any().

 register_mechanism(Mechanism, Module, PasswordType) ->
    case is_disabled(Mechanism) of
@@ -139,11 +134,7 @@ check_credentials(_State, Props) ->
      _LUser -> ok
    end.

-spec(listmech/1 ::
-(
-  Host ::binary())
-    -> Mechanisms::mechanisms()
-).
+-spec listmech(Host ::binary()) -> Mechanisms::mechanisms().

 listmech(Host) ->
    Mechs = ets:select(sasl_mechanism,
@@ -213,12 +204,7 @@ server_step(State, ClientIn) ->
 %% Remove the anonymous mechanism from the list if not enabled for the given
 %% host
 %%
-spec(filter_anonymous/2 ::
-(
-  Host  :: binary(),
-  Mechs :: mechanisms())
-    -> mechanisms()
-).
+-spec filter_anonymous(Host :: binary(), Mechs :: mechanisms()) -> mechanisms().

 filter_anonymous(Host, Mechs) ->
    case ejabberd_auth_anonymous:is_sasl_anonymous_enabled(Host) of
@@ -226,11 +212,7 @@ filter_anonymous(Host, Mechs) ->
      false -> Mechs -- [<<"ANONYMOUS">>]
    end.

-spec(is_disabled/1 ::
-(
-  Mechanism :: mechanism())
-    -> boolean()
-).
+-spec is_disabled(Mechanism :: mechanism()) -> boolean().

 is_disabled(Mechanism) ->
    Disabled = ejabberd_config:get_option(
@@ -53,11 +53,11 @@
                check_password = fun(_, _, _, _, _) -> false end :: check_password_fun(),
                auth_module :: atom(),
                host = <<"">> :: binary(),
-                hostfqdn = <<"">> :: binary()}).
+                hostfqdn = <<"">> :: binary() | [binary()]}).

 start(_Opts) ->
    Fqdn = get_local_fqdn(),
-    ?INFO_MSG("FQDN used to check DIGEST-MD5 SASL authentication: ~s",
+    ?INFO_MSG("FQDN used to check DIGEST-MD5 SASL authentication: ~p",
 	      [Fqdn]),
    cyrsasl:register_mechanism(<<"DIGEST-MD5">>, ?MODULE,
 			       digest).
@@ -183,16 +183,16 @@ is_digesturi_valid(DigestURICase, JabberDomain,
    DigestURI = stringprep:tolower(DigestURICase),
    case catch str:tokens(DigestURI, <<"/">>) of
 	[<<"xmpp">>, Host] ->
-	    IsHostFqdn = is_host_fqdn(binary_to_list(Host), binary_to_list(JabberFQDN)),
+	    IsHostFqdn = is_host_fqdn(Host, JabberFQDN),
 	    (Host == JabberDomain) or IsHostFqdn;
 	[<<"xmpp">>, Host, ServName] ->
-	    IsHostFqdn = is_host_fqdn(binary_to_list(Host), binary_to_list(JabberFQDN)),
+	    IsHostFqdn = is_host_fqdn(Host, JabberFQDN),
 	    (ServName == JabberDomain) and IsHostFqdn;
 	_ ->
 	    false
    end.

-is_host_fqdn(Host, [Letter | _Tail] = Fqdn) when not is_list(Letter) ->
+is_host_fqdn(Host, Fqdn) when is_binary(Fqdn) ->
    Host == Fqdn;
 is_host_fqdn(_Host, []) ->
    false;
@@ -204,6 +204,7 @@ is_host_fqdn(Host, [Fqdn | FqdnTail]) when Host /= Fqdn ->
 get_local_fqdn() ->
    case catch get_local_fqdn2() of
      Str when is_binary(Str) -> Str;
+      List when is_list(List) -> List;
      _ ->
 	  <<"unknown-fqdn, please configure fqdn "
 	    "option in ejabberd.yml!">>
@@ -211,9 +212,11 @@ get_local_fqdn() ->

 get_local_fqdn2() ->
    case ejabberd_config:get_option(
-           fqdn, fun iolist_to_binary/1) of
+           fqdn, fun(X) -> X end) of
        ConfiguredFqdn when is_binary(ConfiguredFqdn) ->
            ConfiguredFqdn;
+        [A | _] = ConfiguredFqdns when is_binary(A) ->
+            ConfiguredFqdns;
        undefined ->
            {ok, Hostname} = inet:gethostname(),
            {ok, {hostent, Fqdn, _, _, _, _}} =
@@ -51,7 +51,7 @@ mech_step(State, ClientIn) ->
                    {ok,
                     [{username, User}, {authzid, AuthzId},
                      {auth_module, ejabberd_oauth}]};
-                false ->
+                _ ->
                    {error, <<"not-authorized">>, User}
            end;
        _ -> {error, <<"bad-protocol">>}
@@ -87,6 +87,7 @@ get_commands_spec() ->
 			args = [], result = {res, rescode}},
     #ejabberd_commands{name = reopen_log, tags = [logs, server],
 			desc = "Reopen the log files",
+			policy = admin,
 			module = ?MODULE, function = reopen_log,
 			args = [], result = {res, rescode}},
     #ejabberd_commands{name = rotate_log, tags = [logs, server],
@@ -129,6 +130,7 @@ get_commands_spec() ->

     #ejabberd_commands{name = register, tags = [accounts],
 			desc = "Register a user",
+			policy = admin,
 			module = ?MODULE, function = register,
 			args = [{user, binary}, {host, binary}, {password, binary}],
 			result = {res, restuple}},
@@ -166,7 +168,7 @@ get_commands_spec() ->
     #ejabberd_commands{name = list_cluster, tags = [cluster],
 			desc = "List nodes that are part of the cluster handled by Node",
 			module = ?MODULE, function = list_cluster,
-			args = [], 
+			args = [],
 			result = {nodes, {list, {node, atom}}}},

     #ejabberd_commands{name = import_file, tags = [mnesia],
@@ -192,10 +194,6 @@ get_commands_spec() ->
 			module = ejabberd_piefxis, function = export_host,
 			args = [{dir, string}, {host, string}], result = {res, rescode}},

-     #ejabberd_commands{name = export_sql, tags = [mnesia, sql],
-                        desc = "Export all tables as SQL queries to a file",
-                        module = ejd2sql, function = export,
-                        args = [{host, string}, {file, string}], result = {res, rescode}},
     #ejabberd_commands{name = delete_mnesia, tags = [mnesia, sql],
                        desc = "Export all tables as SQL queries to a file",
                        module = ejd2sql, function = delete,
@@ -224,11 +222,11 @@ get_commands_spec() ->
 			desc = "Delete offline messages older than DAYS",
 			module = ?MODULE, function = delete_old_messages,
 			args = [{days, integer}], result = {res, rescode}},
-	 
+
     #ejabberd_commands{name = export2sql, tags = [mnesia],
 			desc = "Export virtual host information from Mnesia tables to SQL files",
 			module = ejd2sql, function = export,
-			args = [{host, string}, {directory, string}],
+			args = [{host, string}, {file, string}],
 			result = {res, rescode}},
     #ejabberd_commands{name = set_master, tags = [mnesia],
 			desc = "Set master node of the clustered Mnesia tables",
@@ -382,13 +380,12 @@ register(User, Host, Password) ->
 	{atomic, ok} ->
 	    {ok, io_lib:format("User ~s@~s successfully registered", [User, Host])};
 	{atomic, exists} ->
-	    String = io_lib:format("User ~s@~s already registered at node ~p",
-				   [User, Host, node()]),
-	    {exists, String};
+	    Msg = io_lib:format("User ~s@~s already registered", [User, Host]),
+	    {error, conflict, 10090, Msg};
 	{error, Reason} ->
 	    String = io_lib:format("Can't register user ~s@~s at node ~p: ~p",
 				   [User, Host, node(), Reason]),
-	    {cannot_register, String}
+	    {error, cannot_register, 10001, String}
    end.

 unregister(User, Host) ->
@@ -45,6 +45,7 @@ start(normal, _Args) ->
    write_pid_file(),
    jid:start(),
    start_apps(),
+    start_elixir_application(),
    ejabberd:check_app(ejabberd),
    randoms:start(),
    db_init(),
@@ -55,6 +56,7 @@ start(normal, _Args) ->
    ejabberd_admin:start(),
    gen_mod:start(),
    ext_mod:start(),
+    setup_if_elixir_conf_used(),
    ejabberd_config:start(),
    set_settings_from_config(),
    acl:start(),
@@ -63,6 +65,7 @@ start(normal, _Args) ->
    Sup = ejabberd_sup:start_link(),
    ejabberd_rdbms:start(),
    ejabberd_riak_sup:start(),
+    ejabberd_redis:start(),
    ejabberd_sm:start(),
    cyrsasl:start(),
    % Profiling
@@ -73,6 +76,8 @@ start(normal, _Args) ->
    ejabberd_oauth:start(),
    gen_mod:start_modules(),
    ejabberd_listener:start_listeners(),
+    ejabberd_service:start(),
+    register_elixir_config_hooks(),
    ?INFO_MSG("ejabberd ~s is started in the node ~p", [?VERSION, node()]),
    Sup;
 start(_, _) ->
@@ -83,9 +88,9 @@ start(_, _) ->
 %% before shutting down the processes of the application.
 prep_stop(State) ->
    ejabberd_listener:stop_listeners(),
-    gen_mod:stop_modules(),
    ejabberd_admin:stop(),
    broadcast_c2s_shutdown(),
+    gen_mod:stop_modules(),
    timer:sleep(5000),
    State.

@@ -236,3 +241,26 @@ opt_type(modules) ->
 		      Mods)
    end;
 opt_type(_) -> [cluster_nodes, loglevel, modules, net_ticktime].
+
+setup_if_elixir_conf_used() ->
+  case ejabberd_config:is_using_elixir_config() of
+    true -> 'Elixir.Ejabberd.Config.Store':start_link();
+    false -> ok
+  end.
+
+register_elixir_config_hooks() ->
+  case ejabberd_config:is_using_elixir_config() of
+    true -> 'Elixir.Ejabberd.Config':start_hooks();
+    false -> ok
+  end.
+
+start_elixir_application() ->
+    case ejabberd_config:is_elixir_enabled() of
+	true ->
+	    case application:ensure_started(elixir) of
+		ok -> ok;
+		{error, _Msg} -> ?ERROR_MSG("Elixir application not started.", [])
+	    end;
+	_ ->
+	    ok
+    end.
@@ -78,13 +78,15 @@ store_type() -> external.

 check_password(User, AuthzId, Server, Password) ->
    if AuthzId /= <<>> andalso AuthzId /= User ->
-        false;
-    true ->
-    case get_cache_option(Server) of
-          false -> check_password_extauth(User, AuthzId, Server, Password);
-      {true, CacheTime} ->
-    	  check_password_cache(User, AuthzId, Server, Password, CacheTime)
-        end
+	    false;
+       true ->
+	    case get_cache_option(Server) of
+	      false ->
+		  check_password_extauth(User, AuthzId, Server, Password);
+	      {true, CacheTime} ->
+		  check_password_cache(User, AuthzId, Server, Password,
+				       CacheTime)
+	    end
    end.

 check_password(User, AuthzId, Server, Password, _Digest,
@@ -118,16 +118,15 @@ store_type() -> external.

 check_password(User, AuthzId, Server, Password) ->
    if AuthzId /= <<>> andalso AuthzId /= User ->
-        false;
-    true ->
-    if Password == <<"">> -> false;
+	    false;
       true ->
-	   case catch check_password_ldap(User, Server, Password)
-	       of
-	     {'EXIT', _} -> false;
-	     Result -> Result
-	   end
-        end
+	    if Password == <<"">> -> false;
+	       true ->
+		    case catch check_password_ldap(User, Server, Password) of
+		      {'EXIT', _} -> false;
+		      Result -> Result
+		    end
+	    end
    end.

 check_password(User, AuthzId, Server, Password, _Digest,
@@ -25,6 +25,8 @@

 -module(ejabberd_auth_mnesia).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 -behaviour(ejabberd_config).

 -author('alexey@process-one.net').
@@ -43,6 +45,7 @@

 -include("ejabberd.hrl").
 -include("logger.hrl").
+-include("ejabberd_sql_pt.hrl").

 -record(passwd, {us = {<<"">>, <<"">>} :: {binary(), binary()} | '$1',
                 password = <<"">> :: binary() | scram() | '_'}).
@@ -88,51 +91,48 @@ store_type() ->

 check_password(User, AuthzId, Server, Password) ->
    if AuthzId /= <<>> andalso AuthzId /= User ->
-        false;
-    true ->
-        LUser = jid:nodeprep(User),
-        LServer = jid:nameprep(Server),
-    US = {LUser, LServer},
-    case catch mnesia:dirty_read({passwd, US}) of
-      [#passwd{password = Password}]
-	  when is_binary(Password) ->
-	  Password /= <<"">>;
-      [#passwd{password = Scram}]
-	  when is_record(Scram, scram) ->
-	  is_password_scram_valid(Password, Scram);
-      _ -> false
-        end
+	    false;
+       true ->
+	    LUser = jid:nodeprep(User),
+	    LServer = jid:nameprep(Server),
+	    US = {LUser, LServer},
+	    case catch mnesia:dirty_read({passwd, US}) of
+	      [#passwd{password = Password}] when is_binary(Password) ->
+		  Password /= <<"">>;
+	      [#passwd{password = Scram}] when is_record(Scram, scram) ->
+		  is_password_scram_valid(Password, Scram);
+	      _ -> false
+	    end
    end.

 check_password(User, AuthzId, Server, Password, Digest,
 	       DigestGen) ->
    if AuthzId /= <<>> andalso AuthzId /= User ->
-        false;
-    true ->
-        LUser = jid:nodeprep(User),
-        LServer = jid:nameprep(Server),
-    US = {LUser, LServer},
-    case catch mnesia:dirty_read({passwd, US}) of
-      [#passwd{password = Passwd}] when is_binary(Passwd) ->
-	  DigRes = if Digest /= <<"">> ->
-			  Digest == DigestGen(Passwd);
-		      true -> false
-		   end,
-	  if DigRes -> true;
-	     true -> (Passwd == Password) and (Password /= <<"">>)
-	  end;
-      [#passwd{password = Scram}]
-	  when is_record(Scram, scram) ->
-	  Passwd = jlib:decode_base64(Scram#scram.storedkey),
-	  DigRes = if Digest /= <<"">> ->
-			  Digest == DigestGen(Passwd);
-		      true -> false
-		   end,
-	  if DigRes -> true;
-	     true -> (Passwd == Password) and (Password /= <<"">>)
-	  end;
-      _ -> false
-        end
+	    false;
+       true ->
+	    LUser = jid:nodeprep(User),
+	    LServer = jid:nameprep(Server),
+	    US = {LUser, LServer},
+	    case catch mnesia:dirty_read({passwd, US}) of
+	      [#passwd{password = Passwd}] when is_binary(Passwd) ->
+		  DigRes = if Digest /= <<"">> ->
+				   Digest == DigestGen(Passwd);
+			      true -> false
+			   end,
+		  if DigRes -> true;
+		     true -> (Passwd == Password) and (Password /= <<"">>)
+		  end;
+	      [#passwd{password = Scram}] when is_record(Scram, scram) ->
+		  Passwd = jlib:decode_base64(Scram#scram.storedkey),
+		  DigRes = if Digest /= <<"">> ->
+				   Digest == DigestGen(Passwd);
+			      true -> false
+			   end,
+		  if DigRes -> true;
+		     true -> (Passwd == Password) and (Password /= <<"">>)
+		  end;
+	      _ -> false
+	    end
    end.

 %% @spec (User::string(), Server::string(), Password::string()) ->
@@ -473,12 +473,22 @@ is_password_scram_valid(Password, Scram) ->
 export(_Server) ->
    [{passwd,
      fun(Host, #passwd{us = {LUser, LServer}, password = Password})
+            when LServer == Host,
+                 is_binary(Password) ->
+              [?SQL("delete from users where username=%(LUser)s;"),
+               ?SQL("insert into users(username, password) "
+                    "values (%(LUser)s, %(Password)s);")];
+         (Host, #passwd{us = {LUser, LServer}, password = #scram{} = Scram})
            when LServer == Host ->
-              Username = ejabberd_sql:escape(LUser),
-              Pass = ejabberd_sql:escape(Password),
-              [[<<"delete from users where username='">>, Username, <<"';">>],
-               [<<"insert into users(username, password) "
-                  "values ('">>, Username, <<"', '">>, Pass, <<"');">>]];
+              StoredKey = Scram#scram.storedkey,
+              ServerKey = Scram#scram.serverkey,
+              Salt = Scram#scram.salt,
+              IterationCount = Scram#scram.iterationcount,
+              [?SQL("delete from users where username=%(LUser)s;"),
+               ?SQL("insert into users(username, password, serverkey, salt, "
+                    "iterationcount) "
+                    "values (%(LUser)s, %(StoredKey)s, %(ServerKey)s,"
+                    " %(Salt)s, %(IterationCount)d);")];
         (_Host, _R) ->
              []
      end}].
@@ -25,6 +25,8 @@

 -module(ejabberd_auth_riak).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 -author('alexey@process-one.net').

 -behaviour(ejabberd_auth).
@@ -42,6 +44,7 @@
 -export([passwd_schema/0]).

 -include("ejabberd.hrl").
+-include("ejabberd_sql_pt.hrl").

 -record(passwd, {us = {<<"">>, <<"">>} :: {binary(), binary()} | '$1',
                 password = <<"">> :: binary() | scram() | '_'}).
@@ -290,12 +293,10 @@ is_password_scram_valid(Password, Scram) ->
 export(_Server) ->
    [{passwd,
      fun(Host, #passwd{us = {LUser, LServer}, password = Password})
-            when LServer == Host ->
-              Username = ejabberd_sql:escape(LUser),
-              Pass = ejabberd_sql:escape(Password),
-              [[<<"delete from users where username='">>, Username, <<"';">>],
-               [<<"insert into users(username, password) "
-                  "values ('">>, Username, <<"', '">>, Pass, <<"');">>]];
+         when LServer == Host ->
+              [?SQL("delete from users where username=%(LUser)s;"),
+               ?SQL("insert into users(username, password) "
+                    "values (%(LUser)s, %(Password)s);")];
         (_Host, _R) ->
              []
      end}].
@@ -25,6 +25,8 @@

 -module(ejabberd_auth_sql).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 -behaviour(ejabberd_config).

 -author('alexey@process-one.net').
@@ -43,6 +45,7 @@

 -include("ejabberd.hrl").
 -include("logger.hrl").
+-include("ejabberd_sql_pt.hrl").

 -define(SALT_LENGTH, 16).

@@ -85,7 +88,7 @@ check_password(User, AuthzId, Server, Password) ->
                                       serverkey = ServerKey,
                                       salt = Salt,
                                       iterationcount = IterationCount},
-                            is_password_scram_valid(Password, Scram);
+                            is_password_scram_valid_stored(Password, Scram, LUser, LServer);
                        {selected, []} ->
                            false; %% Account does not exist
                        {error, _Error} ->
@@ -414,6 +417,15 @@ password_to_scram(Password, IterationCount) ->
 	   salt = jlib:encode_base64(Salt),
 	   iterationcount = IterationCount}.

+is_password_scram_valid_stored(Pass, {scram,Pass,<<>>,<<>>,0}, LUser, LServer) ->
+    ?INFO_MSG("Apparently, SQL auth method and scram password formatting are "
+	"enabled, but the password of user '~s' in the 'users' table is not "
+	"scrammed. You may want to execute this command: "
+	"ejabberdctl convert_to_scram ~s", [LUser, LServer]),
+    false;
+is_password_scram_valid_stored(Password, Scram, _, _) ->
+    is_password_scram_valid(Password, Scram).
+
 is_password_scram_valid(Password, Scram) ->
    IterationCount = Scram#scram.iterationcount,
    Salt = jlib:decode_base64(Scram#scram.salt),
@@ -425,19 +437,15 @@ is_password_scram_valid(Password, Scram) ->

 -define(BATCH_SIZE, 1000).

-set_password_scram_t(Username,
+set_password_scram_t(LUser,
                     StoredKey, ServerKey, Salt, IterationCount) ->
-    sql_queries:update_t(<<"users">>,
-                          [<<"username">>,
-                           <<"password">>,
-                           <<"serverkey">>,
-                           <<"salt">>,
-                           <<"iterationcount">>],
-                          [Username, StoredKey,
-                           ServerKey, Salt,
-                           IterationCount],
-                          [<<"username='">>, Username,
-                           <<"'">>]).
+    ?SQL_UPSERT_T(
+       "users",
+       ["!username=%(LUser)s",
+        "password=%(StoredKey)s",
+        "serverkey=%(ServerKey)s",
+        "salt=%(Salt)s",
+        "iterationcount=%(IterationCount)d"]).

 convert_to_scram(Server) ->
    LServer = jid:nameprep(Server),
@@ -447,24 +455,24 @@ convert_to_scram(Server) ->
            {error, {incorrect_server_name, Server}};
        true ->
            F = fun () ->
+                        BatchSize = ?BATCH_SIZE,
                        case ejabberd_sql:sql_query_t(
-                               [<<"select username, password from users where "
-                                 "iterationcount=0 limit ">>,
-                                integer_to_binary(?BATCH_SIZE),
-                                <<";">>]) of
-                            {selected, [<<"username">>, <<"password">>], []} ->
+                               ?SQL("select @(username)s, @(password)s"
+                                    " from users"
+                                    " where iterationcount=0"
+                                    " limit %(BatchSize)d")) of
+                            {selected, []} ->
                                ok;
-                            {selected, [<<"username">>, <<"password">>], Rs} ->
+                            {selected, Rs} ->
                                lists:foreach(
-                                  fun([LUser, Password]) ->
-                                          Username = ejabberd_sql:escape(LUser),
+                                  fun({LUser, Password}) ->
                                          Scram = password_to_scram(Password),
                                          set_password_scram_t(
-                                            Username,
-                                            ejabberd_sql:escape(Scram#scram.storedkey),
-                                            ejabberd_sql:escape(Scram#scram.serverkey),
-                                            ejabberd_sql:escape(Scram#scram.salt),
-                                            integer_to_binary(Scram#scram.iterationcount)
+                                            LUser,
+                                            Scram#scram.storedkey,
+                                            Scram#scram.serverkey,
+                                            Scram#scram.salt,
+                                            Scram#scram.iterationcount
                                           )
                                  end, Rs),
                                continue;
@@ -32,6 +32,7 @@
 -protocol({xep, 78, '2.5'}).
 -protocol({xep, 138, '2.0'}).
 -protocol({xep, 198, '1.3'}).
+-protocol({xep, 356, '7.1'}).

 -update_info({update, 0}).

@@ -48,10 +49,16 @@
 	 send_element/2,
 	 socket_type/0,
 	 get_presence/1,
+	 get_last_presence/1,
 	 get_aux_field/2,
 	 set_aux_field/3,
 	 del_aux_field/2,
 	 get_subscription/2,
+	 get_queued_stanzas/1,
+	 get_csi_state/1,
+	 set_csi_state/2,
+	 get_resume_timeout/1,
+	 set_resume_timeout/2,
 	 send_filtered/5,
 	 broadcast/4,
 	 get_subscribed/1,
@@ -104,7 +111,6 @@
 		ip,
 		aux_fields = [],
 		csi_state = active,
-		csi_queue = [],
 		mgmt_state,
 		mgmt_xmlns,
 		mgmt_queue,
@@ -112,9 +118,12 @@
 		mgmt_pending_since,
 		mgmt_timeout,
 		mgmt_max_timeout,
+		mgmt_ack_timeout,
+		mgmt_ack_timer,
 		mgmt_resend,
 		mgmt_stanzas_in = 0,
 		mgmt_stanzas_out = 0,
+		mgmt_stanzas_req = 0,
 		ask_offline = true,
 		lang = <<"">>}).

@@ -167,27 +176,32 @@
 	(Xmlns == ?NS_STREAM_MGMT_2) or
 	(Xmlns == ?NS_STREAM_MGMT_3)).

-define(MGMT_FAILED(Condition, Xmlns),
+-define(MGMT_FAILED(Condition, Attrs),
 	#xmlel{name = <<"failed">>,
-	       attrs = [{<<"xmlns">>, Xmlns}],
+	       attrs = Attrs,
 	       children = [#xmlel{name = Condition,
 				  attrs = [{<<"xmlns">>, ?NS_STANZAS}],
 				  children = []}]}).

 -define(MGMT_BAD_REQUEST(Xmlns),
-	?MGMT_FAILED(<<"bad-request">>, Xmlns)).
-
-define(MGMT_ITEM_NOT_FOUND(Xmlns),
-	?MGMT_FAILED(<<"item-not-found">>, Xmlns)).
+	?MGMT_FAILED(<<"bad-request">>, [{<<"xmlns">>, Xmlns}])).

 -define(MGMT_SERVICE_UNAVAILABLE(Xmlns),
-	?MGMT_FAILED(<<"service-unavailable">>, Xmlns)).
+	?MGMT_FAILED(<<"service-unavailable">>, [{<<"xmlns">>, Xmlns}])).

 -define(MGMT_UNEXPECTED_REQUEST(Xmlns),
-	?MGMT_FAILED(<<"unexpected-request">>, Xmlns)).
+	?MGMT_FAILED(<<"unexpected-request">>, [{<<"xmlns">>, Xmlns}])).

 -define(MGMT_UNSUPPORTED_VERSION(Xmlns),
-	?MGMT_FAILED(<<"unsupported-version">>, Xmlns)).
+	?MGMT_FAILED(<<"unsupported-version">>, [{<<"xmlns">>, Xmlns}])).
+
+-define(MGMT_ITEM_NOT_FOUND(Xmlns),
+	?MGMT_FAILED(<<"item-not-found">>, [{<<"xmlns">>, Xmlns}])).
+
+-define(MGMT_ITEM_NOT_FOUND_H(Xmlns, NumStanzasIn),
+	?MGMT_FAILED(<<"item-not-found">>,
+		     [{<<"xmlns">>, Xmlns},
+		      {<<"h">>, jlib:integer_to_binary(NumStanzasIn)}])).

 %%%----------------------------------------------------------------------
 %%% API
@@ -208,6 +222,9 @@ socket_type() -> xml_stream.
 get_presence(FsmRef) ->
    (?GEN_FSM):sync_send_all_state_event(FsmRef,
 					 {get_presence}, 1000).
+get_last_presence(FsmRef) ->
+    (?GEN_FSM):sync_send_all_state_event(FsmRef,
+					 {get_last_presence}, 1000).

 get_aux_field(Key, #state{aux_fields = Opts}) ->
    case lists:keysearch(Key, 1, Opts) of
@@ -240,6 +257,27 @@ get_subscription(LFrom, StateData) ->
       true -> none
    end.

+get_queued_stanzas(#state{mgmt_queue = Queue} = StateData) ->
+    lists:map(fun({_N, Time, El}) ->
+		      add_resent_delay_info(StateData, El, Time)
+	      end, queue:to_list(Queue)).
+
+get_csi_state(#state{csi_state = CsiState}) ->
+    CsiState.
+
+set_csi_state(#state{} = StateData, CsiState) ->
+    StateData#state{csi_state = CsiState};
+set_csi_state(FsmRef, CsiState) ->
+    FsmRef ! {set_csi_state, CsiState}.
+
+get_resume_timeout(#state{mgmt_timeout = Timeout}) ->
+    Timeout.
+
+set_resume_timeout(#state{} = StateData, Timeout) ->
+    StateData#state{mgmt_timeout = Timeout};
+set_resume_timeout(FsmRef, Timeout) ->
+    FsmRef ! {set_resume_timeout, Timeout}.
+
 send_filtered(FsmRef, Feature, From, To, Packet) ->
    FsmRef ! {send_filtered, Feature, From, To, Packet}.

@@ -255,14 +293,10 @@ close(FsmRef) -> (?GEN_FSM):send_event(FsmRef, closed).
 %%%----------------------------------------------------------------------

 init([{SockMod, Socket}, Opts]) ->
-    Access = case lists:keysearch(access, 1, Opts) of
-	       {value, {_, A}} -> A;
-	       _ -> all
-	     end,
-    Shaper = case lists:keysearch(shaper, 1, Opts) of
-	       {value, {_, S}} -> S;
-	       _ -> none
-	     end,
+    Access = gen_mod:get_opt(access, Opts,
+			     fun acl:access_rules_validator/1, all),
+    Shaper = gen_mod:get_opt(shaper, Opts,
+			     fun acl:shaper_rules_validator/1, none),
    XMLSocket = case lists:keysearch(xml_socket, 1, Opts) of
 		  {value, {_, XS}} -> XS;
 		  _ -> false
@@ -303,13 +337,18 @@ init([{SockMod, Socket}, Opts]) ->
 		    _ -> 1000
 		  end,
    ResumeTimeout = case proplists:get_value(resume_timeout, Opts) of
-		      Timeout when is_integer(Timeout), Timeout >= 0 -> Timeout;
+		      RTimeo when is_integer(RTimeo), RTimeo >= 0 -> RTimeo;
 		      _ -> 300
 		    end,
    MaxResumeTimeout = case proplists:get_value(max_resume_timeout, Opts) of
 			 Max when is_integer(Max), Max >= ResumeTimeout -> Max;
 			 _ -> ResumeTimeout
 		       end,
+    AckTimeout = case proplists:get_value(ack_timeout, Opts) of
+		   ATimeo when is_integer(ATimeo), ATimeo > 0 -> ATimeo * 1000;
+		   infinity -> undefined;
+		   _ -> 60000
+		 end,
    ResendOnTimeout = case proplists:get_value(resend_on_timeout, Opts) of
 			Resend when is_boolean(Resend) -> Resend;
 			if_offline -> if_offline;
@@ -333,6 +372,7 @@ init([{SockMod, Socket}, Opts]) ->
 		       mgmt_max_queue = MaxAckQueue,
 		       mgmt_timeout = ResumeTimeout,
 		       mgmt_max_timeout = MaxResumeTimeout,
+		       mgmt_ack_timeout = AckTimeout,
 		       mgmt_resend = ResendOnTimeout},
    {ok, wait_for_stream, StateData, ?C2S_OPEN_TIMEOUT}.

@@ -364,11 +404,17 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 		    %% avoid possible DoS/flood attacks
 		    <<"">>
 	    end,
+	    StreamVersion = case fxml:get_attr_s(<<"version">>, Attrs) of
+			      <<"1.0">> ->
+				  <<"1.0">>;
+			      _ ->
+				  <<"">>
+			  end,
 	    IsBlacklistedIP = is_ip_blacklisted(StateData#state.ip, Lang),
 	    case lists:member(Server, ?MYHOSTS) of
 		true when IsBlacklistedIP == false ->
 		    change_shaper(StateData, jid:make(<<"">>, Server, <<"">>)),
-		    case fxml:get_attr_s(<<"version">>, Attrs) of
+		    case StreamVersion of
 			<<"1.0">> ->
 			    send_header(StateData, Server, <<"1.0">>, DefaultLang),
 			    case StateData#state.authenticated of
@@ -534,11 +580,11 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 		    {true, LogReason, ReasonT} = IsBlacklistedIP,
 		    ?INFO_MSG("Connection attempt from blacklisted IP ~s: ~s",
 			[jlib:ip_to_list(IP), LogReason]),
-		    send_header(StateData, Server, <<"">>, DefaultLang),
+		    send_header(StateData, Server, StreamVersion, DefaultLang),
 		    send_element(StateData, ?POLICY_VIOLATION_ERR(Lang, ReasonT)),
 		    {stop, normal, StateData};
 		_ ->
-		    send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
+		    send_header(StateData, ?MYNAME, StreamVersion, DefaultLang),
 		    send_element(StateData, ?HOST_UNKNOWN_ERR),
 		    {stop, normal, StateData}
 	    end;
@@ -620,9 +666,9 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
 	{auth, _ID, set, {U, P, D, R}} ->
 	    JID = jid:make(U, StateData#state.server, R),
 	    case JID /= error andalso
-		acl:match_rule(StateData#state.server,
-		    StateData#state.access, JID)
-		== allow
+		acl:access_matches(StateData#state.access,
+				   #{usr => jid:split(JID), ip => StateData#state.ip},
+				   StateData#state.server) == allow
 	    of
 		true ->
 		    DGen = fun (PW) ->
@@ -1053,7 +1099,11 @@ wait_for_bind({xmlstreamelement, El}, StateData) ->
                                                      children =
                                                      [{xmlcdata,
                                                        jid:to_string(JID)}]}]}]},
-                                send_element(StateData3, jlib:iq_to_xml(Res)),
+				try
+				    send_element(StateData3, jlib:iq_to_xml(Res))
+				catch exit:normal ->
+					close(self())
+				end,
                                fsm_next_state_pack(
                                  session_established,
                                  StateData3);
@@ -1095,8 +1145,10 @@ open_session(StateData) ->
    R = StateData#state.resource,
    JID = StateData#state.jid,
    Lang = StateData#state.lang,
-    case acl:match_rule(StateData#state.server,
-                        StateData#state.access, JID) of
+    IP = StateData#state.ip,
+    case acl:access_matches(StateData#state.access,
+			    #{usr => jid:split(JID), ip => IP},
+			    StateData#state.server) of
        allow ->
            ?INFO_MSG("(~w) Opened session for ~s",
                      [StateData#state.socket, jid:to_string(JID)]),
@@ -1143,7 +1195,7 @@ session_established({xmlstreamelement,
 		     #xmlel{name = <<"active">>,
 			    attrs = [{<<"xmlns">>, ?NS_CLIENT_STATE}]}},
 		    StateData) ->
-    NewStateData = csi_queue_flush(StateData),
+    NewStateData = csi_flush_queue(StateData),
    fsm_next_state(session_established, NewStateData#state{csi_state = active});
 session_established({xmlstreamelement,
 		     #xmlel{name = <<"inactive">>,
@@ -1277,7 +1329,7 @@ wait_for_resume({xmlstreamelement, _El} = Event, StateData) ->
 wait_for_resume(timeout, StateData) ->
    ?DEBUG("Timed out waiting for resumption of stream for ~s",
 	   [jid:to_string(StateData#state.jid)]),
-    {stop, normal, StateData};
+    {stop, normal, StateData#state{mgmt_state = timeout}};
 wait_for_resume(Event, StateData) ->
    ?DEBUG("Ignoring event while waiting for resumption: ~p", [Event]),
    fsm_next_state(wait_for_resume, StateData).
@@ -1294,6 +1346,15 @@ handle_sync_event({get_presence}, _From, StateName,
    Resource = StateData#state.resource,
    Reply = {User, Resource, Show, Status},
    fsm_reply(Reply, StateName, StateData);
+handle_sync_event({get_last_presence}, _From, StateName,
+		  StateData) ->
+    User = StateData#state.user,
+    Server = StateData#state.server,
+    PresLast = StateData#state.pres_last,
+    Resource = StateData#state.resource,
+    Reply = {User, Server, Resource, PresLast},
+    fsm_reply(Reply, StateName, StateData);
+
 handle_sync_event(get_subscribed, _From, StateName,
 		  StateData) ->
    Subscribed = (?SETS):to_list(StateData#state.pres_f),
@@ -1306,7 +1367,7 @@ handle_sync_event({resume_session, Time}, _From, _StateName,
 			      StateData#state.user,
 			      StateData#state.server,
 			      StateData#state.resource),
-    {stop, normal, {ok, StateData}, StateData#state{mgmt_state = resumed}};
+    {stop, normal, {resume, StateData}, StateData#state{mgmt_state = resumed}};
 handle_sync_event({resume_session, _Time}, _From, StateName,
 		  StateData) ->
    {reply, {error, <<"Previous session not found">>}, StateName, StateData};
@@ -1563,6 +1624,12 @@ handle_info({route, From, To,
 							 {true, Attrs,
 							  StateData};
 						     deny ->
+							 Err =
+							     jlib:make_error_reply(Packet,
+										   ?ERR_SERVICE_UNAVAILABLE),
+							 ejabberd_router:route(To,
+									       From,
+									       Err),
 							 {false, Attrs,
 							  StateData}
 						   end;
@@ -1614,11 +1681,18 @@ handle_info({route, From, To,
                                                   <<"groupchat">> -> ok;
                                                   <<"headline">> -> ok;
                                                   _ ->
-                                                       Err =
-                                                           jlib:make_error_reply(Packet,
-                                                                                 ?ERR_SERVICE_UNAVAILABLE),
-                                                       ejabberd_router:route(To, From,
-                                                                             Err)
+						       case fxml:get_subtag_with_xmlns(Packet,
+										       <<"x">>,
+										       ?NS_MUC_USER)
+							   of
+							 false ->
+							     Err =
+								 jlib:make_error_reply(Packet,
+										       ?ERR_SERVICE_UNAVAILABLE),
+							     ejabberd_router:route(To, From,
+										   Err);
+							 _ -> ok
+						       end
                                               end,
                                               {false, Attrs, StateData}
 				       end;
@@ -1718,8 +1792,24 @@ handle_info({broadcast, Type, From, Packet}, StateName, StateData) ->
 		From, jid:make(USR), Packet)
      end, lists:usort(Recipients)),
    fsm_next_state(StateName, StateData);
+handle_info({set_csi_state, CsiState}, StateName, StateData) ->
+    fsm_next_state(StateName, StateData#state{csi_state = CsiState});
+handle_info({set_resume_timeout, Timeout}, StateName, StateData) ->
+    fsm_next_state(StateName, StateData#state{mgmt_timeout = Timeout});
 handle_info(dont_ask_offline, StateName, StateData) ->
    fsm_next_state(StateName, StateData#state{ask_offline = false});
+handle_info(close, StateName, StateData) ->
+    ?DEBUG("Timeout waiting for stream management acknowledgement of ~s",
+	   [jid:to_string(StateData#state.jid)]),
+    close(self()),
+    fsm_next_state(StateName, StateData#state{mgmt_ack_timer = undefined});
+handle_info({_Ref, {resume, OldStateData}}, StateName, StateData) ->
+    %% This happens if the resume_session/1 request timed out; the new session
+    %% now receives the late response.
+    ?DEBUG("Received old session state for ~s after failed resumption",
+	   [jid:to_string(OldStateData#state.jid)]),
+    handle_unacked_stanzas(OldStateData#state{mgmt_resend = false}),
+    fsm_next_state(StateName, StateData);
 handle_info(Info, StateName, StateData) ->
    ?ERROR_MSG("Unexpected info: ~p", [Info]),
    fsm_next_state(StateName, StateData).
@@ -1756,8 +1846,7 @@ terminate(_Reason, StateName, StateData) ->
 								StateData#state.resource,
 								<<"Replaced by new connection">>),
 		       presence_broadcast(StateData, From,
-					  StateData#state.pres_a, Packet),
-		       handle_unacked_stanzas(StateData);
+					  StateData#state.pres_a, Packet);
 		   _ ->
 		       ?INFO_MSG("(~w) Close session for ~s",
 				 [StateData#state.socket,
@@ -1782,8 +1871,20 @@ terminate(_Reason, StateName, StateData) ->
 			     presence_broadcast(StateData, From,
 						StateData#state.pres_a, Packet)
 		       end,
-		       handle_unacked_stanzas(StateData)
+		       case StateData#state.mgmt_state of
+			 timeout ->
+			     Info = [{num_stanzas_in,
+				      StateData#state.mgmt_stanzas_in}],
+			     ejabberd_sm:set_offline_info(StateData#state.sid,
+							  StateData#state.user,
+							  StateData#state.server,
+							  StateData#state.resource,
+							  Info);
+			 _ ->
+			    ok
+		       end
 		 end,
+		 handle_unacked_stanzas(StateData),
 		 bounce_messages();
 	     true ->
 		 ok
@@ -1798,8 +1899,9 @@ terminate(_Reason, StateName, StateData) ->
 %%%----------------------------------------------------------------------

 change_shaper(StateData, JID) ->
-    Shaper = acl:match_rule(StateData#state.server,
-			    StateData#state.shaper, JID),
+    Shaper = acl:access_matches(StateData#state.shaper,
+				#{usr => jid:split(JID), ip => StateData#state.ip},
+				StateData#state.server),
    (StateData#state.sockmod):change_shaper(StateData#state.socket,
 					    Shaper).

@@ -1825,6 +1927,7 @@ send_text(StateData, Text) ->
 send_element(StateData, El) when StateData#state.mgmt_state == pending ->
    ?DEBUG("Cannot send element while waiting for resumption: ~p", [El]);
 send_element(StateData, El) when StateData#state.xml_socket ->
+    ?DEBUG("Send XML on stream = ~p", [fxml:element_to_binary(El)]),
    (StateData#state.sockmod):send_xml(StateData#state.socket,
 				       {xmlstreamelement, El});
 send_element(StateData, El) ->
@@ -1835,8 +1938,8 @@ send_stanza(StateData, Stanza) when StateData#state.csi_state == inactive ->
 send_stanza(StateData, Stanza) when StateData#state.mgmt_state == pending ->
    mgmt_queue_add(StateData, Stanza);
 send_stanza(StateData, Stanza) when StateData#state.mgmt_state == active ->
-    NewStateData = send_stanza_and_ack_req(StateData, Stanza),
-    mgmt_queue_add(NewStateData, Stanza);
+    NewStateData = mgmt_queue_add(StateData, Stanza),
+    mgmt_send_stanza(NewStateData, Stanza);
 send_stanza(StateData, Stanza) ->
    send_element(StateData, Stanza),
    StateData.
@@ -2420,13 +2523,25 @@ fsm_next_state(session_established, StateData) ->
     ?C2S_HIBERNATE_TIMEOUT};
 fsm_next_state(wait_for_resume, #state{mgmt_timeout = 0} = StateData) ->
    {stop, normal, StateData};
-fsm_next_state(wait_for_resume, #state{mgmt_pending_since = undefined} =
-	       StateData) ->
+fsm_next_state(wait_for_resume, #state{mgmt_pending_since = undefined,
+				       sid = SID, jid = JID, ip = IP,
+				       conn = Conn, auth_module = AuthModule,
+				       server = Host} = StateData) ->
+    case StateData of
+      #state{mgmt_ack_timer = undefined} ->
+	  ok;
+      #state{mgmt_ack_timer = Timer} ->
+	  erlang:cancel_timer(Timer)
+    end,
    ?INFO_MSG("Waiting for resumption of stream for ~s",
-	      [jid:to_string(StateData#state.jid)]),
+	      [jid:to_string(JID)]),
+    Info = [{ip, IP}, {conn, Conn}, {auth_module, AuthModule}],
+    NewStateData = ejabberd_hooks:run_fold(c2s_session_pending, Host, StateData,
+					   [SID, JID, Info]),
    {next_state, wait_for_resume,
-     StateData#state{mgmt_state = pending, mgmt_pending_since = os:timestamp()},
-     StateData#state.mgmt_timeout};
+     NewStateData#state{mgmt_state = pending,
+			mgmt_pending_since = os:timestamp()},
+     NewStateData#state.mgmt_timeout};
 fsm_next_state(wait_for_resume, StateData) ->
    Diff = timer:now_diff(os:timestamp(), StateData#state.mgmt_pending_since),
    Timeout = max(StateData#state.mgmt_timeout - Diff div 1000, 1),
@@ -2584,9 +2699,9 @@ stream_mgmt_enabled(#state{mgmt_state = disabled}) ->
 stream_mgmt_enabled(_StateData) ->
    true.

-dispatch_stream_mgmt(El, StateData)
-    when StateData#state.mgmt_state == active;
-	 StateData#state.mgmt_state == pending ->
+dispatch_stream_mgmt(El, #state{mgmt_state = MgmtState} = StateData)
+    when MgmtState == active;
+	 MgmtState == pending ->
    perform_stream_mgmt(El, StateData);
 dispatch_stream_mgmt(El, StateData) ->
    negotiate_stream_mgmt(El, StateData).
@@ -2698,7 +2813,8 @@ handle_r(StateData) ->
 handle_a(StateData, Attrs) ->
    case catch jlib:binary_to_integer(fxml:get_attr_s(<<"h">>, Attrs)) of
      H when is_integer(H), H >= 0 ->
-	  check_h_attribute(StateData, H);
+	  NewStateData = check_h_attribute(StateData, H),
+	  maybe_renew_ack_request(NewStateData);
      _ ->
 	  ?DEBUG("Ignoring invalid ACK element from ~s",
 		 [jid:to_string(StateData#state.jid)]),
@@ -2715,8 +2831,10 @@ handle_resume(StateData, Attrs) ->
 			of
 		      {{value, PrevID}, H} when is_integer(H), H >= 0 ->
 			  case inherit_session_state(StateData, PrevID) of
-			    {ok, InheritedState} ->
-				{ok, InheritedState, H};
+			    {ok, InheritedState, Info} ->
+				{ok, InheritedState, Info, H};
+			    {error, Err, InH} ->
+				{error, ?MGMT_ITEM_NOT_FOUND_H(Xmlns, InH), Err};
 			    {error, Err} ->
 				{error, ?MGMT_ITEM_NOT_FOUND(Xmlns), Err}
 			  end;
@@ -2733,7 +2851,7 @@ handle_resume(StateData, Attrs) ->
 	       <<"Invalid XMLNS">>}
 	end,
    case R of
-      {ok, ResumedState, NumHandled} ->
+      {ok, ResumedState, ResumedInfo, NumHandled} ->
 	  NewState = check_h_attribute(ResumedState, NumHandled),
 	  AttrXmlns = NewState#state.mgmt_xmlns,
 	  AttrId = make_resume_id(NewState),
@@ -2753,11 +2871,16 @@ handle_resume(StateData, Attrs) ->
 		       #xmlel{name = <<"r">>,
 			      attrs = [{<<"xmlns">>, AttrXmlns}],
 			      children = []}),
-	  FlushedState = csi_queue_flush(NewState),
-	  NewStateData = FlushedState#state{csi_state = active},
+	  NewState1 = csi_flush_queue(NewState),
+	  NewState2 = ejabberd_hooks:run_fold(c2s_session_resumed,
+					      StateData#state.server,
+					      NewState1,
+					      [NewState1#state.sid,
+					       NewState1#state.jid,
+					       ResumedInfo]),
 	  ?INFO_MSG("Resumed session for ~s",
-		    [jid:to_string(NewStateData#state.jid)]),
-	  {ok, NewStateData};
+		    [jid:to_string(NewState2#state.jid)]),
+	  {ok, NewState2};
      {error, El, Msg} ->
 	  send_element(StateData, El),
 	  ?INFO_MSG("Cannot resume session for ~s@~s: ~s",
@@ -2775,7 +2898,9 @@ check_h_attribute(#state{mgmt_stanzas_out = NumStanzasOut} = StateData, H) ->
 	   [jid:to_string(StateData#state.jid), H, NumStanzasOut]),
    mgmt_queue_drop(StateData, H).

-update_num_stanzas_in(#state{mgmt_state = active} = StateData, El) ->
+update_num_stanzas_in(#state{mgmt_state = MgmtState} = StateData, El)
+    when MgmtState == active;
+	 MgmtState == pending ->
    NewNum = case {is_stanza(El), StateData#state.mgmt_stanzas_in} of
 	       {true, 4294967295} ->
 		   0;
@@ -2788,18 +2913,47 @@ update_num_stanzas_in(#state{mgmt_state = active} = StateData, El) ->
 update_num_stanzas_in(StateData, _El) ->
    StateData.

-send_stanza_and_ack_req(StateData, Stanza) ->
-    AckReq = #xmlel{name = <<"r">>,
-		    attrs = [{<<"xmlns">>, StateData#state.mgmt_xmlns}],
-		    children = []},
-    case send_element(StateData, Stanza) == ok andalso
-	 send_element(StateData, AckReq) == ok of
-      true ->
-	  StateData;
-      false ->
+mgmt_send_stanza(StateData, Stanza) ->
+    case send_element(StateData, Stanza) of
+      ok ->
+	  maybe_request_ack(StateData);
+      _ ->
 	  StateData#state{mgmt_state = pending}
    end.

+maybe_request_ack(#state{mgmt_ack_timer = undefined} = StateData) ->
+    request_ack(StateData);
+maybe_request_ack(StateData) ->
+    StateData.
+
+request_ack(#state{mgmt_xmlns = Xmlns,
+		   mgmt_ack_timeout = AckTimeout} = StateData) ->
+    AckReq = #xmlel{name = <<"r">>, attrs = [{<<"xmlns">>, Xmlns}]},
+    case {send_element(StateData, AckReq), AckTimeout} of
+      {ok, undefined} ->
+	  ok;
+      {ok, Timeout} ->
+	  Timer = erlang:send_after(Timeout, self(), close),
+	  StateData#state{mgmt_ack_timer = Timer,
+			  mgmt_stanzas_req = StateData#state.mgmt_stanzas_out};
+      _ ->
+	  StateData#state{mgmt_state = pending}
+    end.
+
+maybe_renew_ack_request(#state{mgmt_ack_timer = undefined} = StateData) ->
+    StateData;
+maybe_renew_ack_request(#state{mgmt_ack_timer = Timer,
+			       mgmt_queue = Queue,
+			       mgmt_stanzas_out = NumStanzasOut,
+			       mgmt_stanzas_req = NumStanzasReq} = StateData) ->
+    erlang:cancel_timer(Timer),
+    case NumStanzasReq < NumStanzasOut andalso not queue:is_empty(Queue) of
+      true ->
+	  request_ack(StateData#state{mgmt_ack_timer = undefined});
+      false ->
+	  StateData#state{mgmt_ack_timer = undefined}
+    end.
+
 mgmt_queue_add(StateData, El) ->
    NewNum = case StateData#state.mgmt_stanzas_out of
 	       4294967295 ->
@@ -2830,16 +2984,17 @@ check_queue_length(#state{mgmt_queue = Queue,
 	  StateData
    end.

-handle_unacked_stanzas(StateData, F)
-    when StateData#state.mgmt_state == active;
-	 StateData#state.mgmt_state == pending ->
+handle_unacked_stanzas(#state{mgmt_state = MgmtState} = StateData, F)
+    when MgmtState == active;
+	 MgmtState == pending;
+	 MgmtState == timeout ->
    Queue = StateData#state.mgmt_queue,
    case queue:len(Queue) of
      0 ->
 	  ok;
      N ->
-	  ?INFO_MSG("~B stanzas were not acknowledged by ~s",
-		    [N, jid:to_string(StateData#state.jid)]),
+	  ?DEBUG("~B stanza(s) were not acknowledged by ~s",
+		 [N, jid:to_string(StateData#state.jid)]),
 	  lists:foreach(
 	    fun({_, Time, #xmlel{attrs = Attrs} = El}) ->
 		    From_s = fxml:get_attr_s(<<"from">>, Attrs),
@@ -2852,9 +3007,10 @@ handle_unacked_stanzas(StateData, F)
 handle_unacked_stanzas(_StateData, _F) ->
    ok.

-handle_unacked_stanzas(StateData)
-    when StateData#state.mgmt_state == active;
-	 StateData#state.mgmt_state == pending ->
+handle_unacked_stanzas(#state{mgmt_state = MgmtState} = StateData)
+    when MgmtState == active;
+	 MgmtState == pending;
+	 MgmtState == timeout ->
    ResendOnTimeout =
 	case StateData#state.mgmt_resend of
 	  Resend when is_boolean(Resend) ->
@@ -2880,7 +3036,7 @@ handle_unacked_stanzas(StateData)
 		    end;
 		false ->
 		    fun(From, To, El, _Time) ->
-			    Txt = <<"User session not found">>,
+			    Txt = <<"User session terminated">>,
 			    Err =
 				jlib:make_error_reply(
 				  El,
@@ -2892,7 +3048,7 @@ handle_unacked_stanzas(StateData)
 		?DEBUG("Dropping presence stanza from ~s",
 		       [jid:to_string(From)]);
 	   (From, To, #xmlel{name = <<"iq">>} = El, _Time) ->
-		Txt = <<"User session not found">>,
+		Txt = <<"User session terminated">>,
 		Err = jlib:make_error_reply(
 			El, ?ERRT_SERVICE_UNAVAILABLE(Lang, Txt)),
 		ejabberd_router:route(To, From, Err);
@@ -2915,6 +3071,9 @@ handle_unacked_stanzas(StateData)
 						   [StateData, From,
 						    StateData#state.jid, El]) of
 			true ->
+			    ?DEBUG("Dropping archived message stanza from ~s",
+				   [fxml:get_attr_s(<<"from">>,
+						    El#xmlel.attrs)]),
 			    ok;
 			false ->
 			    ReRoute(From, To, El, Time)
@@ -2956,11 +3115,21 @@ inherit_session_state(#state{user = U, server = S} = StateData, ResumeID) ->
      {term, {R, Time}} ->
 	  case ejabberd_sm:get_session_pid(U, S, R) of
 	    none ->
-		{error, <<"Previous session PID not found">>};
+		case ejabberd_sm:get_offline_info(Time, U, S, R) of
+		  none ->
+		      {error, <<"Previous session PID not found">>};
+		  Info ->
+		      case proplists:get_value(num_stanzas_in, Info) of
+			undefined ->
+			    {error, <<"Previous session timed out">>};
+			H ->
+			    {error, <<"Previous session timed out">>, H}
+		      end
+		end;
 	    OldPID ->
 		OldSID = {Time, OldPID},
 		case catch resume_session(OldSID) of
-		  {ok, OldStateData} ->
+		  {resume, OldStateData} ->
 		      NewSID = {Time, self()}, % Old time, new PID
 		      Priority = case OldStateData#state.pres_last of
 				   undefined ->
@@ -2984,14 +3153,13 @@ inherit_session_state(#state{user = U, server = S} = StateData, ResumeID) ->
 					   pres_timestamp = OldStateData#state.pres_timestamp,
 					   privacy_list = OldStateData#state.privacy_list,
 					   aux_fields = OldStateData#state.aux_fields,
-					   csi_state = OldStateData#state.csi_state,
-					   csi_queue = OldStateData#state.csi_queue,
 					   mgmt_xmlns = OldStateData#state.mgmt_xmlns,
 					   mgmt_queue = OldStateData#state.mgmt_queue,
 					   mgmt_timeout = OldStateData#state.mgmt_timeout,
 					   mgmt_stanzas_in = OldStateData#state.mgmt_stanzas_in,
 					   mgmt_stanzas_out = OldStateData#state.mgmt_stanzas_out,
-					   mgmt_state = active}};
+					   mgmt_state = active,
+					   csi_state = active}, Info};
 		  {error, Msg} ->
 		      {error, Msg};
 		  _ ->
@@ -3003,7 +3171,7 @@ inherit_session_state(#state{user = U, server = S} = StateData, ResumeID) ->
    end.

 resume_session({Time, PID}) ->
-    (?GEN_FSM):sync_send_all_state_event(PID, {resume_session, Time}, 5000).
+    (?GEN_FSM):sync_send_all_state_event(PID, {resume_session, Time}, 15000).

 make_resume_id(StateData) ->
    {Time, _} = StateData#state.sid,
@@ -3018,65 +3186,27 @@ add_resent_delay_info(#state{server = From}, El, Time) ->
 %%% XEP-0352
 %%%----------------------------------------------------------------------

-csi_filter_stanza(#state{csi_state = CsiState, jid = JID} = StateData,
-		  Stanza) ->
-    Action = ejabberd_hooks:run_fold(csi_filter_stanza,
-				     StateData#state.server,
-				     send, [Stanza]),
-    ?DEBUG("Going to ~p stanza for inactive client ~p",
-	   [Action, jid:to_string(JID)]),
-    case Action of
-      queue -> csi_queue_add(StateData, Stanza);
-      drop -> StateData;
-      send ->
-	  From = fxml:get_tag_attr_s(<<"from">>, Stanza),
-	  StateData1 = csi_queue_send(StateData, From),
-	  StateData2 = send_stanza(StateData1#state{csi_state = active},
-				   Stanza),
-	  StateData2#state{csi_state = CsiState}
-    end.
+csi_filter_stanza(#state{csi_state = CsiState, jid = JID, server = Server} =
+		  StateData, Stanza) ->
+    {StateData1, Stanzas} = ejabberd_hooks:run_fold(csi_filter_stanza, Server,
+						    {StateData, [Stanza]},
+						    [Server, JID, Stanza]),
+    StateData2 = lists:foldl(fun(CurStanza, AccState) ->
+				     send_stanza(AccState, CurStanza)
+			     end, StateData1#state{csi_state = active},
+			     Stanzas),
+    StateData2#state{csi_state = CsiState}.

-csi_queue_add(#state{csi_queue = Queue} = StateData, Stanza) ->
-    case length(StateData#state.csi_queue) >= csi_max_queue(StateData) of
-      true -> csi_queue_add(csi_queue_flush(StateData), Stanza);
-      false ->
-	  From = fxml:get_tag_attr_s(<<"from">>, Stanza),
-	  NewQueue = lists:keystore(From, 1, Queue, {From, p1_time_compat:timestamp(), Stanza}),
-	  StateData#state{csi_queue = NewQueue}
-    end.
-
-csi_queue_send(#state{csi_queue = Queue, csi_state = CsiState, server = Host} =
-	       StateData, From) ->
-    case lists:keytake(From, 1, Queue) of
-      {value, {From, Time, Stanza}, NewQueue} ->
-	  NewStanza = jlib:add_delay_info(Stanza, Host, Time,
-					  <<"Client Inactive">>),
-	  NewStateData = send_stanza(StateData#state{csi_state = active},
-				     NewStanza),
-	  NewStateData#state{csi_queue = NewQueue, csi_state = CsiState};
-      false -> StateData
-    end.
-
-csi_queue_flush(#state{csi_queue = Queue, csi_state = CsiState, jid = JID,
-		       server = Host} = StateData) ->
-    ?DEBUG("Flushing CSI queue for ~s", [jid:to_string(JID)]),
-    NewStateData =
-	lists:foldl(fun({_From, Time, Stanza}, AccState) ->
-			    NewStanza =
-				jlib:add_delay_info(Stanza, Host, Time,
-						    <<"Client Inactive">>),
-			    send_stanza(AccState, NewStanza)
-		    end, StateData#state{csi_state = active}, Queue),
-    NewStateData#state{csi_queue = [], csi_state = CsiState}.
-
-%% Make sure we won't push too many messages to the XEP-0198 queue when the
-%% client becomes 'active' again.  Otherwise, the client might not manage to
-%% acknowledge the message flood in time.  Also, don't let the queue grow to
-%% more than 100 stanzas.
-csi_max_queue(#state{mgmt_max_queue = infinity}) -> 100;
-csi_max_queue(#state{mgmt_max_queue = Max}) when Max > 200 -> 100;
-csi_max_queue(#state{mgmt_max_queue = Max}) when Max < 2 -> 1;
-csi_max_queue(#state{mgmt_max_queue = Max}) -> Max div 2.
+csi_flush_queue(#state{csi_state = CsiState, jid = JID, server = Server} =
+		StateData) ->
+    {StateData1, Stanzas} = ejabberd_hooks:run_fold(csi_flush_queue, Server,
+						    {StateData, []},
+						    [Server, JID]),
+    StateData2 = lists:foldl(fun(CurStanza, AccState) ->
+				     send_stanza(AccState, CurStanza)
+			     end, StateData1#state{csi_state = active},
+			     Stanzas),
+    StateData2#state{csi_state = CsiState}.

 %%%----------------------------------------------------------------------
 %%% JID Set memory footprint reduction code
@@ -218,18 +218,20 @@
 	 get_command_format/1,
 	 get_command_format/2,
 	 get_command_format/3,
-         get_command_policy/1,
+         get_command_policy_and_scope/1,
 	 get_command_definition/1,
 	 get_command_definition/2,
 	 get_tags_commands/0,
 	 get_tags_commands/1,
-         get_commands/0,
+         get_exposed_commands/0,
 	 register_commands/1,
-	 unregister_commands/1,
+   unregister_commands/1,
+   expose_commands/1,
 	 execute_command/2,
 	 execute_command/3,
 	 execute_command/4,
 	 execute_command/5,
+	 execute_command/6,
         opt_type/1,
         get_commands_spec/0
 	]).
@@ -272,12 +274,11 @@ get_commands_spec() ->
                           args_example = ["/home/me/docs/api.html", "mod_admin", "java,json"],
                           result_example = ok}].
 init() ->
-    mnesia:delete_table(ejabberd_commands),
    mnesia:create_table(ejabberd_commands,
-			[{ram_copies, [node()]},
+                        [{ram_copies, [node()]},
                         {local_content, true},
-			 {attributes, record_info(fields, ejabberd_commands)},
-			 {type, bag}]),
+                         {attributes, record_info(fields, ejabberd_commands)},
+                         {type, bag}]),
    mnesia:add_table_copy(ejabberd_commands, node(), ram_copies),
    register_commands(get_commands_spec()).

@@ -286,12 +287,14 @@ init() ->
 %% @doc Register ejabberd commands.
 %% If a command is already registered, a warning is printed and the
 %% old command is preserved.
+%% A registered command is not directly available to be called through
+%% ejabberd ReST API. It need to be exposed to be available through API.
 register_commands(Commands) ->
    lists:foreach(
      fun(Command) ->
-	      % XXX check if command exists
-	      mnesia:dirty_write(Command)
-	      % ?DEBUG("This command is already defined:~n~p", [Command])
+              %% XXX check if command exists
+              mnesia:dirty_write(Command)
+              %% ?DEBUG("This command is already defined:~n~p", [Command])
      end,
      Commands).

@@ -305,6 +308,25 @@ unregister_commands(Commands) ->
      end,
      Commands).

+%% @doc Expose command through ejabberd ReST API.
+%% Pass a list of command names or policy to expose.
+-spec expose_commands([ejabberd_commands()|atom()|open|user|admin|restricted]) -> ok | {error, atom()}.
+
+expose_commands(Commands) ->
+    Names = lists:map(fun(#ejabberd_commands{name = Name}) ->
+                              Name;
+                         (Name) when is_atom(Name) ->
+                              Name
+                      end,
+                      Commands),
+
+    case ejabberd_config:add_local_option(commands, [{add_commands, Names}]) of
+        {aborted, Reason} ->
+            {error, Reason};
+        {atomic, Result} ->
+            Result
+    end.
+
 -spec list_commands() -> [{atom(), [aterm()], string()}].

 %% @doc Get a list of all the available commands, arguments and description.
@@ -318,8 +340,8 @@ list_commands() ->
 list_commands(Version) ->
    Commands = get_commands_definition(Version),
    [{Name, Args, Desc} || #ejabberd_commands{name = Name,
-					      args = Args,
-					      desc = Desc} <- Commands].
+                                              args = Args,
+                                              desc = Desc} <- Commands].


 -spec list_commands_policy(integer()) ->
@@ -330,10 +352,10 @@ list_commands(Version) ->
 list_commands_policy(Version) ->
    Commands = get_commands_definition(Version),
    [{Name, Args, Desc, Policy} ||
-	#ejabberd_commands{name = Name,
-			   args = Args,
-			   desc = Desc,
-			   policy = Policy} <- Commands].
+        #ejabberd_commands{name = Name,
+                           args = Args,
+                           desc = Desc,
+                           policy = Policy} <- Commands].

 -spec get_command_format(atom()) -> {[aterm()], rterm()}.

@@ -352,30 +374,36 @@ get_command_format(Name, Auth)  ->
 				{[aterm()], rterm()}.

 get_command_format(Name, Auth, Version) ->
-    Admin = is_admin(Name, Auth),
+    Admin = is_admin(Name, Auth, #{}),
    #ejabberd_commands{args = Args,
 		       result = Result,
-		       policy = Policy} =
-	get_command_definition(Name, Version),
+                       policy = Policy} =
+        get_command_definition(Name, Version),
    case Policy of
-	user when Admin;
-		  Auth == noauth ->
-	    {[{user, binary}, {server, binary} | Args], Result};
-	_ ->
-	    {Args, Result}
+        user when Admin;
+                  Auth == noauth ->
+            {[{user, binary}, {server, binary} | Args], Result};
+        _ ->
+            {Args, Result}
    end.

-spec get_command_policy(atom()) -> {ok, open|user|admin|restricted} | {error, command_not_found}.
+-spec get_command_policy_and_scope(atom()) -> {ok, open|user|admin|restricted, [oauth_scope()]} | {error, command_not_found}.

 %% @doc return command policy.
-get_command_policy(Name) ->
+get_command_policy_and_scope(Name) ->
    case get_command_definition(Name) of
-        #ejabberd_commands{policy = Policy} ->
-            {ok, Policy};
+        #ejabberd_commands{policy = Policy} = Cmd ->
+            {ok, Policy, cmd_scope(Cmd)};
        command_not_found ->
            {error, command_not_found}
    end.

+%% The oauth scopes for a command are the command name itself,
+%% also might include either 'ejabberd:user' or 'ejabberd:admin'
+cmd_scope(#ejabberd_commands{policy = Policy, name = Name}) ->
+    [erlang:atom_to_binary(Name,utf8)] ++ [<<"ejabberd:user">> || Policy == user] ++ [<<"ejabberd:admin">> || Policy == admin].
+
+
 -spec get_command_definition(atom()) -> ejabberd_commands().

 %% @doc Get the definition record of a command.
@@ -387,16 +415,16 @@ get_command_definition(Name) ->
 %% @doc Get the definition record of a command in a given API version.
 get_command_definition(Name, Version) ->
    case lists:reverse(
-	   lists:sort(
-	     mnesia:dirty_select(
-	       ejabberd_commands,
-	       ets:fun2ms(
-		 fun(#ejabberd_commands{name = N, version = V} = C)
-		       when N == Name, V =< Version ->
-			 {V, C}
-		 end)))) of
-	[{_, Command} | _ ] -> Command;
-	_E -> throw(unknown_command)
+           lists:sort(
+             mnesia:dirty_select(
+               ejabberd_commands,
+               ets:fun2ms(
+                 fun(#ejabberd_commands{name = N, version = V} = C)
+                       when N == Name, V =< Version ->
+                         {V, C}
+                 end)))) of
+        [{_, Command} | _ ] -> Command;
+        _E -> throw({error, unknown_command})
    end.

 -spec get_commands_definition(integer()) -> [ejabberd_commands()].
@@ -404,20 +432,20 @@ get_command_definition(Name, Version) ->
 % @doc Returns all commands for a given API version
 get_commands_definition(Version) ->
    L = lists:reverse(
-	  lists:sort(
-	    mnesia:dirty_select(
-	      ejabberd_commands,
-	      ets:fun2ms(
-		fun(#ejabberd_commands{name = Name, version = V} = C)
-		      when V =< Version ->
-			{Name, V, C}
-		end)))),
+          lists:sort(
+            mnesia:dirty_select(
+              ejabberd_commands,
+              ets:fun2ms(
+                fun(#ejabberd_commands{name = Name, version = V} = C)
+                      when V =< Version ->
+                        {Name, V, C}
+                end)))),
    F = fun({_Name, _V, Command}, []) ->
-		[Command];
-	   ({Name, _V, _Command}, [#ejabberd_commands{name=Name}|_T] = Acc) ->
-		Acc;
-	   ({_Name, _V, Command}, Acc) -> [Command | Acc]
-	end,
+                [Command];
+           ({Name, _V, _Command}, [#ejabberd_commands{name=Name}|_T] = Acc) ->
+                Acc;
+           ({_Name, _V, Command}, Acc) -> [Command | Acc]
+        end,
    lists:foldl(F, [], L).

 %% @spec (Name::atom(), Arguments) -> ResultTerm
@@ -426,7 +454,7 @@ get_commands_definition(Version) ->
 %% @doc Execute a command.
 %% Can return the following exceptions:
 %% command_unknown | account_unprivileged | invalid_account_data |
-%% no_auth_provided
+%% no_auth_provided | access_rules_unauthorized
 execute_command(Name, Arguments) ->
    execute_command(Name, Arguments, ?DEFAULT_VERSION).

@@ -487,38 +515,64 @@ execute_command(AccessCommands, Auth, Name, Arguments) ->
 %%
 %% @doc Execute a command in a given API version
 %% Can return the following exceptions:
-%% command_unknown | account_unprivileged | invalid_account_data | no_auth_provided
+%% command_unknown | account_unprivileged | invalid_account_data | no_auth_provided | access_rules_unauthorized
 execute_command(AccessCommands1, Auth1, Name, Arguments, Version) ->
-    Auth = case is_admin(Name, Auth1) of
+    execute_command(AccessCommands1, Auth1, Name, Arguments, Version, #{}).
+
+execute_command(AccessCommands1, Auth1, Name, Arguments, Version, CallerInfo) ->
+    Auth = case is_admin(Name, Auth1, CallerInfo) of
               true -> admin;
               false -> Auth1
           end,
+    TokenJID = oauth_token_user(Auth1),
    Command = get_command_definition(Name, Version),
-    AccessCommands = get_access_commands(AccessCommands1, Version),
-    case check_access_commands(AccessCommands, Auth, Name, Command, Arguments) of
-	ok -> execute_command2(Auth, Command, Arguments)
+    AccessCommands = get_all_access_commands(AccessCommands1),
+
+    case check_access_commands(AccessCommands, Auth, Name, Command, Arguments, CallerInfo) of
+        ok -> execute_check_policy(Auth, TokenJID, Command, Arguments)
    end.

-execute_command2(
-  _Auth, #ejabberd_commands{policy = open} = Command, Arguments) ->
-    execute_command2(Command, Arguments);
-execute_command2(
-  _Auth, #ejabberd_commands{policy = restricted} = Command, Arguments) ->
-    execute_command2(Command, Arguments);
-execute_command2(
-  _Auth, #ejabberd_commands{policy = admin} = Command, Arguments) ->
-    execute_command2(Command, Arguments);
-execute_command2(
-  admin, #ejabberd_commands{policy = user} = Command, Arguments) ->
-    execute_command2(Command, Arguments);
-execute_command2(
-  noauth, #ejabberd_commands{policy = user} = Command, Arguments) ->
-    execute_command2(Command, Arguments);
-execute_command2(
-  {User, Server, _, _}, #ejabberd_commands{policy = user} = Command, Arguments) ->
-    execute_command2(Command, [User, Server | Arguments]).

-execute_command2(Command, Arguments) ->
+execute_check_policy(
+  _Auth, _JID, #ejabberd_commands{policy = open} = Command, Arguments) ->
+    do_execute_command(Command, Arguments);
+execute_check_policy(
+  noauth, _JID, Command, Arguments) ->
+    do_execute_command(Command, Arguments);
+execute_check_policy(
+  _Auth, _JID, #ejabberd_commands{policy = restricted} = Command, Arguments) ->
+    do_execute_command(Command, Arguments);
+execute_check_policy(
+  _Auth, JID, #ejabberd_commands{policy = admin} = Command, Arguments) ->
+    execute_check_access(JID, Command, Arguments);
+execute_check_policy(
+  admin, JID, #ejabberd_commands{policy = user} = Command, Arguments) ->
+    execute_check_access(JID, Command, Arguments);
+execute_check_policy(
+  {User, Server, _, _}, JID, #ejabberd_commands{policy = user} = Command, Arguments) ->
+    execute_check_access(JID, Command, [User, Server | Arguments]).
+
+execute_check_access(_FromJID, #ejabberd_commands{access = []} = Command, Arguments) ->
+    do_execute_command(Command, Arguments);
+execute_check_access(undefined, _Command, _Arguments) ->
+    throw({error, access_rules_unauthorized});
+execute_check_access(FromJID, #ejabberd_commands{access = AccessRefs} = Command, Arguments) ->
+    %% TODO Review: Do we have smarter / better way to check rule on other Host than global ?
+    Host = global,
+    Rules = lists:map(fun({Mod, AccessName, Default}) ->
+                              gen_mod:get_module_opt(Host, Mod,
+                                                     AccessName, fun(A) -> A end, Default);
+                         (Default) ->
+                              Default
+                      end, AccessRefs),
+    case acl:any_rules_allowed(Host, Rules, FromJID) of
+        true ->
+            do_execute_command(Command, Arguments);
+        false ->
+            throw({error, access_rules_unauthorized})
+    end.
+
+do_execute_command(Command, Arguments) ->
    Module = Command#ejabberd_commands.module,
    Function = Command#ejabberd_commands.function,
    ?DEBUG("Executing command ~p:~p with Args=~p", [Module, Function, Arguments]),
@@ -573,9 +627,9 @@ get_tags_commands(Version) ->
 %% At least one AccessCommand must be satisfied.
 %% It may throw {error, Error} where:
 %% Error = account_unprivileged | invalid_account_data
-check_access_commands([], _Auth, _Method, _Command, _Arguments) ->
+check_access_commands([], _Auth, _Method, _Command, _Arguments, _CallerInfo) ->
    ok;
-check_access_commands(AccessCommands, Auth, Method, Command1, Arguments) ->
+check_access_commands(AccessCommands, Auth, Method, Command1, Arguments, CallerInfo) ->
    Command =
        case {Command1#ejabberd_commands.policy, Auth} of
            {user, {_, _, _, _}} ->
@@ -588,31 +642,31 @@ check_access_commands(AccessCommands, Auth, Method, Command1, Arguments) ->
                Command1
        end,
    AccessCommandsAllowed =
-	lists:filter(
-	  fun({Access, Commands, ArgumentRestrictions}) ->
-		  case check_access(Command, Access, Auth) of
-		      true ->
-			  check_access_command(Commands, Command,
-					       ArgumentRestrictions,
-					       Method, Arguments);
-		      false ->
-			  false
-		  end;
-	      ({Access, Commands}) ->
-		  ArgumentRestrictions = [],
-		  case check_access(Command, Access, Auth) of
-		      true ->
-			  check_access_command(Commands, Command,
-					       ArgumentRestrictions,
-					       Method, Arguments);
-		      false ->
-			  false
-		  end
-	  end,
-	  AccessCommands),
+        lists:filter(
+          fun({Access, Commands, ArgumentRestrictions}) ->
+                  case check_access(Command, Access, Auth, CallerInfo) of
+                      true ->
+                          check_access_command(Commands, Command,
+                                               ArgumentRestrictions,
+                                               Method, Arguments);
+                      false ->
+                          false
+                  end;
+             ({Access, Commands}) ->
+                  ArgumentRestrictions = [],
+                  case check_access(Command, Access, Auth, CallerInfo) of
+                      true ->
+                          check_access_command(Commands, Command,
+                                               ArgumentRestrictions,
+                                               Method, Arguments);
+                      false ->
+                          false
+                  end
+          end,
+          AccessCommands),
    case AccessCommandsAllowed of
-	[] -> throw({error, account_unprivileged});
-	L when is_list(L) -> ok
+        [] -> throw({error, account_unprivileged});
+        L when is_list(L) -> ok
    end.

 -spec check_auth(ejabberd_commands(), noauth) -> noauth_provided;
@@ -623,11 +677,11 @@ check_access_commands(AccessCommands, Auth, Method, Command1, Arguments) ->
 check_auth(_Command, noauth) ->
    no_auth_provided;
 check_auth(Command, {User, Server, {oauth, Token}, _}) ->
-    Scope = erlang:atom_to_binary(Command#ejabberd_commands.name, utf8),
-    case ejabberd_oauth:check_token(User, Server, Scope, Token) of
+    ScopeList = cmd_scope(Command),
+    case ejabberd_oauth:check_token(User, Server, ScopeList, Token) of
        true ->
            {ok, User, Server};
-        false ->
+        _ ->
            throw({error, invalid_account_data})
    end;
 check_auth(_Command, {User, Server, Password, _}) when is_binary(Password) ->
@@ -637,31 +691,38 @@ check_auth(_Command, {User, Server, Password, _}) when is_binary(Password) ->
        _ -> throw({error, invalid_account_data})
    end.

-check_access(Command, ?POLICY_ACCESS, _)
+check_access(Command, ?POLICY_ACCESS, _, _)
  when Command#ejabberd_commands.policy == open ->
    true;
-check_access(_Command, _Access, admin) ->
+check_access(_Command, _Access, admin, _) ->
    true;
-check_access(_Command, _Access, {_User, _Server, _, true}) ->
+check_access(_Command, _Access, {_User, _Server, _, true}, _) ->
    false;
-check_access(Command, Access, Auth)
+check_access(Command, Access, Auth, CallerInfo)
  when Access =/= ?POLICY_ACCESS;
       Command#ejabberd_commands.policy == open;
       Command#ejabberd_commands.policy == user ->
    case check_auth(Command, Auth) of
 	{ok, User, Server} ->
-	    check_access2(Access, User, Server);
+	    check_access2(Access, CallerInfo#{usr => jid:split(jid:make(User, Server, <<>>))}, Server);
+	no_auth_provided ->
+	    case Command#ejabberd_commands.policy of
+		user ->
+		    false;
+		_ ->
+		    check_access2(Access, CallerInfo, global)
+	    end;
 	_ ->
 	    false
    end;
-check_access(_Command, _Access, _Auth) ->
+check_access(_Command, _Access, _Auth, _CallerInfo) ->
    false.

-check_access2(?POLICY_ACCESS, _User, _Server) ->
+check_access2(?POLICY_ACCESS, _CallerInfo, _Server) ->
    true;
-check_access2(Access, User, Server) ->
+check_access2(Access, AccessInfo, Server) ->
    %% Check this user has access permission
-    case acl:match_rule(Server, Access, jid:make(User, Server, <<"">>)) of
+    case acl:access_matches(Access, AccessInfo, Server) of
 	allow -> true;
 	deny -> false
    end.
@@ -669,9 +730,9 @@ check_access2(Access, User, Server) ->
 check_access_command(Commands, Command, ArgumentRestrictions,
 		     Method, Arguments) ->
    case Commands==all orelse lists:member(Method, Commands) of
-	true -> check_access_arguments(Command, ArgumentRestrictions,
-				       Arguments);
-	false -> false
+        true -> check_access_arguments(Command, ArgumentRestrictions,
+                                       Arguments);
+        false -> false
    end.

 check_access_arguments(Command, ArgumentRestrictions, Arguments) ->
@@ -694,19 +755,23 @@ tag_arguments(ArgsDefs, Args) ->
      Args).


+%% Get commands for all version
+get_all_access_commands(AccessCommands) ->
+    get_access_commands(AccessCommands, ?DEFAULT_VERSION).
+
 get_access_commands(undefined, Version) ->
-    Cmds = get_commands(Version),
+    Cmds = get_exposed_commands(Version),
    [{?POLICY_ACCESS, Cmds, []}];
 get_access_commands(AccessCommands, _Version) ->
    AccessCommands.

-get_commands() ->
-    get_commands(?DEFAULT_VERSION).
-get_commands(Version) ->
+get_exposed_commands() ->
+    get_exposed_commands(?DEFAULT_VERSION).
+get_exposed_commands(Version) ->
    Opts0 = ejabberd_config:get_option(
             commands,
             fun(V) when is_list(V) -> V end,
-             []),
+              []),
    Opts = lists:map(fun(V) when is_tuple(V) -> [V]; (V) -> V end, Opts0),
    CommandsList = list_commands_policy(Version),
    OpenCmds = [N || {N, _, _, open} <- CommandsList],
@@ -716,50 +781,58 @@ get_commands(Version) ->
    Cmds =
        lists:foldl(
          fun([{add_commands, L}], Acc) ->
-                  Cmds = case L of
-                             open -> OpenCmds;
-                             restricted -> RestrictedCmds;
-                             admin -> AdminCmds;
-                             user -> UserCmds;
-                             _ when is_list(L) -> L
-                         end,
+                  Cmds = expand_commands(L, OpenCmds, UserCmds, AdminCmds, RestrictedCmds),
                  lists:usort(Cmds ++ Acc);
             ([{remove_commands, L}], Acc) ->
-                  Cmds = case L of
-                             open -> OpenCmds;
-                             restricted -> RestrictedCmds;
-                             admin -> AdminCmds;
-                             user -> UserCmds;
-                             _ when is_list(L) -> L
-                         end,
+                  Cmds = expand_commands(L, OpenCmds, UserCmds, AdminCmds, RestrictedCmds),
                  Acc -- Cmds;
             (_, Acc) -> Acc
-          end, AdminCmds ++ UserCmds, Opts),
+          end, [], Opts),
    Cmds.

-is_admin(_Name, noauth) ->
-    false;
-is_admin(_Name, admin) ->
+%% This is used to allow mixing command policy (like open, user, admin, restricted), with command entry
+expand_commands(L, OpenCmds, UserCmds, AdminCmds, RestrictedCmds) when is_list(L) ->
+    lists:foldl(fun(open, Acc) -> OpenCmds ++ Acc;
+                   (user, Acc) -> UserCmds ++ Acc;
+                   (admin, Acc) -> AdminCmds ++ Acc;
+                   (restricted, Acc) -> RestrictedCmds ++ Acc;
+                   (Command, Acc) when is_atom(Command) ->
+                        [Command|Acc]
+                end, [], L).
+
+oauth_token_user(noauth) ->
+    undefined;
+oauth_token_user(admin) ->
+    undefined;
+oauth_token_user({User, Server, _, _}) ->
+    jid:make(User, Server, <<>>).
+
+is_admin(_Name, admin, _Extra) ->
    true;
-is_admin(_Name, {_User, _Server, _, false}) ->
+is_admin(_Name, {_User, _Server, _, false}, _Extra) ->
    false;
-is_admin(Name, {User, Server, _, true} = Auth) ->
+is_admin(Name, Auth, Extra) ->
+    {ACLInfo, Server} = case Auth of
+			    {U, S, _, _} ->
+				{Extra#{usr=>jid:split(jid:make(U, S, <<>>))}, S};
+			    _ ->
+				{Extra, global}
+	      end,
    AdminAccess = ejabberd_config:get_option(
                    commands_admin_access,
-                    fun(A) when is_atom(A) -> A end,
+		    fun(V) -> V end,
                    none),
-    case acl:match_rule(Server, AdminAccess,
-                        jid:make(User, Server, <<"">>)) of
+    case acl:access_matches(AdminAccess, ACLInfo, Server) of
        allow ->
            case catch check_auth(get_command_definition(Name), Auth) of
                {ok, _, _} -> true;
+		no_auth_provided -> true;
                _ -> false
            end;
        deny -> false
    end.

-opt_type(commands_admin_access) ->
-    fun(A) when is_atom(A) -> A end;
+opt_type(commands_admin_access) -> fun acl:access_rules_validator/1;
 opt_type(commands) ->
    fun(V) when is_list(V) -> V end;
 opt_type(_) -> [commands, commands_admin_access].
@@ -30,13 +30,15 @@
 	 add_global_option/2, add_local_option/2,
 	 get_global_option/2, get_local_option/2,
         get_global_option/3, get_local_option/3,
-         get_option/2, get_option/3, add_option/2,
+         get_option/2, get_option/3, add_option/2, has_option/1,
         get_vh_by_auth_method/1, is_file_readable/1,
         get_version/0, get_myhosts/0, get_mylang/0,
+         get_ejabberd_config_path/0, is_using_elixir_config/0,
         prepare_opt_val/4, convert_table_to_binary/5,
         transform_options/1, collect_options/1, default_db/2,
         convert_to_yaml/1, convert_to_yaml/2, v_db/2,
-         env_binary_to_list/2, opt_type/1, may_hide_data/1]).
+         env_binary_to_list/2, opt_type/1, may_hide_data/1,
+	 is_elixir_enabled/0]).

 -export([start/2]).

@@ -90,7 +92,7 @@ hosts_to_start(State) ->

 %% @private
 %% At the moment, these functions are mainly used to setup unit tests.
-spec(start/2 :: (Hosts :: [binary()], Opts :: [acl:acl() | local_config()]) -> ok).
+-spec start(Hosts :: [binary()], Opts :: [acl:acl() | local_config()]) -> ok.
 start(Hosts, Opts) ->
    mnesia_init(),
    set_opts(set_hosts_in_options(Hosts, #state{opts = Opts})).
@@ -147,7 +149,18 @@ read_file(File) ->
                     {include_modules_configs, true}]).

 read_file(File, Opts) ->
-    Terms1 = get_plain_terms_file(File, Opts),
+    Terms1 = case is_elixir_enabled() of
+		 true ->
+		     case 'Elixir.Ejabberd.ConfigUtil':is_elixir_config(File) of
+			 true ->
+			     'Elixir.Ejabberd.Config':init(File),
+			     'Elixir.Ejabberd.Config':get_ejabberd_opts();
+			 false ->
+			     get_plain_terms_file(File, Opts)
+		     end;
+		 false ->
+		     get_plain_terms_file(File, Opts)
+	     end,
    Terms_macros = case proplists:get_bool(replace_macros, Opts) of
                       true -> replace_macros(Terms1);
                       false -> Terms1
@@ -220,13 +233,11 @@ env_binary_to_list(Application, Parameter) ->
 %% in which the options 'include_config_file' were parsed
 %% and the terms in those files were included.
 %% @spec(iolist()) -> [term()]
-get_plain_terms_file(File) ->
-    get_plain_terms_file(File, [{include_files, true}]).
-
 get_plain_terms_file(File, Opts) when is_binary(File) ->
    get_plain_terms_file(binary_to_list(File), Opts);
 get_plain_terms_file(File1, Opts) ->
    File = get_absolute_path(File1),
+    DontStopOnError = lists:member(dont_halt_on_error, Opts),
    case consult(File) of
 	{ok, Terms} ->
            BinTerms1 = strings_to_binary(Terms),
@@ -246,9 +257,21 @@ get_plain_terms_file(File1, Opts) ->
                false ->
                    BinTerms
            end;
-	{error, Reason} ->
+  {error, enoent, Reason} ->
+      case DontStopOnError of
+          true ->
+              ?WARNING_MSG(Reason, []),
+              [];
+          _ ->
 	    ?ERROR_MSG(Reason, []),
 	    exit_or_halt(Reason)
+      end;
+	{error, Reason} ->
+	    ?ERROR_MSG(Reason, []),
+      case DontStopOnError of
+          true -> [];
+          _ -> exit_or_halt(Reason)
+      end
    end.

 consult(File) ->
@@ -262,17 +285,29 @@ consult(File) ->
                {error, Err} ->
                    Msg1 = "Cannot load " ++ File ++ ": ",
                    Msg2 = fast_yaml:format_error(Err),
+                    case Err of
+                        enoent ->
+                            {error, enoent, Msg1 ++ Msg2};
+                        _ ->
                    {error, Msg1 ++ Msg2}
+                    end
            end;
        _ ->
            case file:consult(File) of
                {ok, Terms} ->
                    {ok, Terms};
+                {error, enoent} ->
+                    {error, enoent};
                {error, {LineNumber, erl_parse, _ParseMessage} = Reason} ->
                    {error, describe_config_problem(File, Reason, LineNumber)};
                {error, Reason} ->
+                    case Reason of
+                        enoent ->
+                            {error, enoent, describe_config_problem(File, Reason)};
+                        _ ->
                    {error, describe_config_problem(File, Reason)}
            end
+            end
    end.

 parserl(<<"> ", Term/binary>>) ->
@@ -296,7 +331,9 @@ get_absolute_path(File) ->
 	    File;
 	relative ->
 	    {ok, Dir} = file:get_cwd(),
-	    filename:absname_join(Dir, File)
+	    filename:absname_join(Dir, File);
+	volumerelative ->
+	    filename:absname(File)
    end.


@@ -473,8 +510,8 @@ include_config_files(Terms) ->
                       include_config_file(File, Opts)
               end, lists:flatten(FileOpts)),

-    M1 = merge_configs(transform_terms(Terms1), #{}),
-    M2 = merge_configs(transform_terms(Terms2), M1),
+    M1 = merge_configs(Terms1, #{}),
+    M2 = merge_configs(Terms2, M1),
    maps_to_lists(M2).

 transform_include_option({include_config_file, File}) when is_list(File) ->
@@ -488,7 +525,7 @@ transform_include_option({include_config_file, Filename, Options}) ->
    {Filename, Options}.

 include_config_file(Filename, Options) ->
-    Included_terms = get_plain_terms_file(Filename),
+    Included_terms = get_plain_terms_file(Filename, [{include_files, true}, dont_halt_on_error]),
    Disallow = proplists:get_value(disallow, Options, []),
    Included_terms2 = delete_disallowed(Disallow, Included_terms),
    Allow_only = proplists:get_value(allow_only, Options, all),
@@ -745,22 +782,32 @@ add_option(Opt, Val) ->
 -spec prepare_opt_val(any(), any(), check_fun(), any()) -> any().

 prepare_opt_val(Opt, Val, F, Default) ->
-    Res = case F of
-              {Mod, Fun} ->
-                  catch Mod:Fun(Val);
-              _ ->
-                  catch F(Val)
-          end,
-    case Res of
-        {'EXIT', _} ->
+    Call = case F of
+	       {Mod, Fun} ->
+		   fun() -> Mod:Fun(Val) end;
+	       _ ->
+		   fun() -> F(Val) end
+	   end,
+    try Call() of
+	Res ->
+	    Res
+    catch {replace_with, NewRes} ->
+	    NewRes;
+	  {invalid_syntax, Error} ->
+	    ?WARNING_MSG("incorrect value '~s' of option '~s', "
+			 "using '~s' as fallback: ~s",
+			 [format_term(Val),
+			  format_term(Opt),
+			  format_term(Default),
+			  Error]),
+	    Default;
+	  _:_ ->
 	    ?WARNING_MSG("incorrect value '~s' of option '~s', "
 			 "using '~s' as fallback",
 			 [format_term(Val),
 			  format_term(Opt),
 			  format_term(Default)]),
-            Default;
-        _ ->
-            Res
+	    Default
    end.

 -type check_fun() :: fun((any()) -> any()) | {module(), atom()}.
@@ -813,6 +860,10 @@ get_option(Opt, F, Default) ->
            end
    end.

+-spec has_option(atom() | {atom(), global | binary()}) -> any().
+has_option(Opt) ->
+    get_option(Opt, fun(_) -> true end, false).
+
 init_module_db_table(Modules) ->
    catch ets:new(module_db, [named_table, public, bag]),
    %% Dirty hack for mod_pubsub
@@ -879,19 +930,26 @@ get_modules_with_options() ->

 validate_opts(#state{opts = Opts} = State) ->
    ModOpts = get_modules_with_options(),
-    NewOpts = lists:filter(
-		fun(#local_config{key = {Opt, _Host}, value = Val}) ->
+    NewOpts = lists:filtermap(
+		fun(#local_config{key = {Opt, _Host}, value = Val} = In) ->
 			case dict:find(Opt, ModOpts) of
 			    {ok, [Mod|_]} ->
 				VFun = Mod:opt_type(Opt),
-				case catch VFun(Val) of
-				    {'EXIT', _} ->
+				try VFun(Val) of
+				    _ ->
+					true
+				catch {replace_with, NewVal} ->
+					{true, In#local_config{value = NewVal}};
+				      {invalid_syntax, Error} ->
+					?ERROR_MSG("ignoring option '~s' with "
+						   "invalid value: ~p: ~s",
+						   [Opt, Val, Error]),
+					false;
+				      _:_ ->
 					?ERROR_MSG("ignoring option '~s' with "
 						   "invalid value: ~p",
 						   [Opt, Val]),
-					false;
-				    _ ->
-					true
+					false
 				end;
 			    _ ->
 				?ERROR_MSG("unknown option '~s' will be likely"
@@ -997,6 +1055,23 @@ replace_modules(Modules) ->
 %% Elixir module naming
 %% ====================

+-ifdef(ELIXIR_ENABLED).
+is_elixir_enabled() ->
+    true.
+-else.
+is_elixir_enabled() ->
+    false.
+-endif.
+
+is_using_elixir_config() ->
+    case is_elixir_enabled() of
+	true ->
+	    Config = get_ejabberd_config_path(),
+	    'Elixir.Ejabberd.ConfigUtil':is_elixir_config(Config);
+       false ->
+	    false
+    end.
+
 %% If module name start with uppercase letter, this is an Elixir module:
 is_elixir_module(Module) ->
    case atom_to_list(Module) of
@@ -212,7 +212,7 @@ process(["help" | Mode], Version) ->
    end;

 process(["--version", Arg | Args], _) ->
-    Version = 
+    Version =
 	try
 	    list_to_integer(Arg)
 	catch _:_ ->
@@ -239,7 +239,7 @@ process2(["--auth", User, Server, Pass | Args], AccessCommands, Version) ->
    process2(Args, AccessCommands, {list_to_binary(User), list_to_binary(Server),
 				    list_to_binary(Pass), true}, Version);
 process2(Args, AccessCommands, Version) ->
-    process2(Args, AccessCommands, admin, Version).
+    process2(Args, AccessCommands, noauth, Version).



@@ -321,7 +321,7 @@ call_command([CmdString | Args], Auth, AccessCommands, Version) ->
 	{ArgsFormat, ResultFormat} ->
 	    case (catch format_args(Args, ArgsFormat)) of
 		ArgsFormatted when is_list(ArgsFormatted) ->
-		    Result = ejabberd_commands:execute_command(AccessCommands, 
+		    Result = ejabberd_commands:execute_command(AccessCommands,
 							       Auth, Command,
 							       ArgsFormatted,
 							       Version),
@@ -374,6 +374,12 @@ format_arg2(Arg, Parse)->
 format_result({error, ErrorAtom}, _) ->
    {io_lib:format("Error: ~p", [ErrorAtom]), make_status(error)};

+%% An error should always be allowed to return extended error to help with API.
+%% Extended error is of the form:
+%%  {error, type :: atom(), code :: int(), Desc :: string()}
+format_result({error, ErrorAtom, Code, _Msg}, _) ->
+    {io_lib:format("Error: ~p", [ErrorAtom]), make_status(Code)};
+
 format_result(Atom, {_Name, atom}) ->
    io_lib:format("~p", [Atom]);

@@ -433,6 +439,8 @@ format_result(404, {_Name, _}) ->

 make_status(ok) -> ?STATUS_SUCCESS;
 make_status(true) -> ?STATUS_SUCCESS;
+make_status(Code) when is_integer(Code), Code > 255 -> ?STATUS_ERROR;
+make_status(Code) when is_integer(Code), Code > 0 -> Code;
 make_status(_Error) -> ?STATUS_ERROR.

 get_list_commands(Version) ->
@@ -145,9 +145,14 @@ init({SockMod, Socket}, Opts) ->
    DefinedHandlers = gen_mod:get_opt(
                        request_handlers, Opts,
                        fun(Hs) ->
+                                Hs1 = lists:map(fun
+                                  ({Mod, Path}) when is_atom(Mod) -> {Path, Mod};
+                                  ({Path, Mod}) -> {Path, Mod}
+                                end, Hs),
+
                                [{str:tokens(
                                    iolist_to_binary(Path), <<"/">>),
-                                  Mod} || {Path, Mod} <- Hs]
+                                  Mod} || {Path, Mod} <- Hs1]
                        end, []),
    RequestHandlers = DefinedHandlers ++ Captcha ++ Register ++
        Admin ++ Bind ++ XMLRPC,
@@ -763,7 +768,8 @@ parse_auth(<<"Basic ", Auth64/binary>>) ->
            undefined;
        Pos ->
            {User, <<$:, Pass/binary>>} = erlang:split_binary(Auth, Pos-1),
-            {User, Pass}
+            PassUtf8 = unicode:characters_to_binary(binary_to_list(Pass), utf8),
+            {User, PassUtf8}
    end;
 parse_auth(<<"Bearer ", SToken/binary>>) ->
    Token = str:strip(SToken),
@@ -338,8 +338,9 @@ handle_session_start(Pid, XmppDomain, Sid, Rid, Attrs,
 init([Sid, Key, IP, HOpts]) ->
    ?DEBUG("started: ~p", [{Sid, Key, IP}]),
    Opts1 = ejabberd_c2s_config:get_c2s_limits(),
-    SOpts = lists:filtermap(fun({stream_managment, _}) -> true;
+    SOpts = lists:filtermap(fun({stream_management, _}) -> true;
                               ({max_ack_queue, _}) -> true;
+                               ({ack_timeout, _}) -> true;
                               ({resume_timeout, _}) -> true;
                               ({max_resume_timeout, _}) -> true;
                               ({resend_on_timeout, _}) -> true;
@@ -112,8 +112,9 @@ socket_handoff(LocalPath, Request, Socket, SockMod, Buf, Opts) ->
 %%% Internal

 init([{#ws{ip = IP, http_opts = HOpts}, _} = WS]) ->
-    SOpts = lists:filtermap(fun({stream_managment, _}) -> true;
+    SOpts = lists:filtermap(fun({stream_management, _}) -> true;
                               ({max_ack_queue, _}) -> true;
+                               ({ack_timeout, _}) -> true;
                               ({resume_timeout, _}) -> true;
                               ({max_resume_timeout, _}) -> true;
                               ({resend_on_timeout, _}) -> true;
@@ -271,7 +271,16 @@ do_route(From, To, Packet) ->
 	   #xmlel{name = Name} = Packet,
 	   case Name of
 	     <<"iq">> -> process_iq(From, To, Packet);
-	     <<"message">> -> ok;
+	     <<"message">> ->
+		 #xmlel{attrs = Attrs} = Packet,
+		 case fxml:get_attr_s(<<"type">>, Attrs) of
+		   <<"headline">> -> ok;
+		   <<"error">> -> ok;
+		   _ ->
+		       Err = jlib:make_error_reply(Packet,
+						   ?ERR_SERVICE_UNAVAILABLE),
+		       ejabberd_router:route(To, From, Err)
+		 end;
 	     <<"presence">> -> ok;
 	     _ -> ok
 	   end;
@@ -47,6 +47,8 @@
         process/2,
         opt_type/1]).

+-export([oauth_issue_token/3, oauth_list_tokens/0, oauth_revoke_token/1, oauth_list_scopes/0]).
+
 -include("jlib.hrl").

 -include("ejabberd.hrl").
@@ -54,27 +56,116 @@

 -include("ejabberd_http.hrl").
 -include("ejabberd_web_admin.hrl").
+-include("ejabberd_oauth.hrl").

-record(oauth_token, {
-          token = {<<"">>, <<"">>} :: {binary(), binary()},
-          us = {<<"">>, <<"">>}    :: {binary(), binary()},
-          scope = []               :: [binary()],
-          expire                   :: integer()
-         }).
+-include("ejabberd_commands.hrl").

-define(EXPIRE, 3600).
+
+%% There are two ways to obtain an oauth token:
+%%   * Using the web form/api results in the token being generated in behalf of the user providing the user/pass
+%%   * Using the command line and oauth_issue_token command, the token is generated in behalf of ejabberd' sysadmin
+%%    (as it has access to ejabberd command line).
+
+-define(EXPIRE, 4294967).

 start() ->
-    init_db(mnesia, ?MYNAME),
+    DBMod = get_db_backend(),
+    DBMod:init(),
+    MaxSize =
+        ejabberd_config:get_option(
+          oauth_cache_size,
+          fun(I) when is_integer(I), I>0 -> I end,
+          1000),
+    LifeTime =
+        ejabberd_config:get_option(
+          oauth_cache_life_time,
+          fun(I) when is_integer(I), I>0 -> I end,
+          timer:hours(1) div 1000),
+    cache_tab:new(oauth_token,
+		  [{max_size, MaxSize}, {life_time, LifeTime}]),
    Expire = expire(),
    application:set_env(oauth2, backend, ejabberd_oauth),
    application:set_env(oauth2, expiry_time, Expire),
    application:start(oauth2),
    ChildSpec = {?MODULE, {?MODULE, start_link, []},
-		 temporary, 1000, worker, [?MODULE]},
+		 transient, 1000, worker, [?MODULE]},
    supervisor:start_child(ejabberd_sup, ChildSpec),
+    ejabberd_commands:register_commands(get_commands_spec()),
    ok.

+
+get_commands_spec() ->
+    [
+     #ejabberd_commands{name = oauth_issue_token, tags = [oauth],
+                        desc = "Issue an oauth token for the given jid",
+                        module = ?MODULE, function = oauth_issue_token,
+                        args = [{jid, string},{ttl, integer}, {scopes, string}],
+                        policy = restricted,
+                        args_example = ["user@server.com", "connected_users_number;muc_online_rooms"],
+                        args_desc = ["Jid for which issue token",
+				     "Time to live of generated token in seconds",
+				     "List of scopes to allow, separated by ';'"],
+                        result = {result, {tuple, [{token, string}, {scopes, string}, {expires_in, string}]}}
+                       },
+     #ejabberd_commands{name = oauth_list_tokens, tags = [oauth],
+                        desc = "List oauth tokens, their user and scope, and how many seconds remain until expirity",
+                        module = ?MODULE, function = oauth_list_tokens,
+                        args = [],
+                        policy = restricted,
+                        result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}}
+                       },
+     #ejabberd_commands{name = oauth_list_scopes, tags = [oauth],
+                        desc = "List scopes that can be granted to tokens generated through the command line, together with the commands they allow",
+                        module = ?MODULE, function = oauth_list_scopes,
+                        args = [],
+                        policy = restricted,
+                        result = {scopes, {list, {scope, {tuple, [{scope, string}, {commands, string}]}}}}
+                       },
+     #ejabberd_commands{name = oauth_revoke_token, tags = [oauth],
+                        desc = "Revoke authorization for a token",
+                        module = ?MODULE, function = oauth_revoke_token,
+                        args = [{token, string}],
+                        policy = restricted,
+                        result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}},
+                        result_desc = "List of remaining tokens"
+                       }
+    ].
+
+oauth_issue_token(Jid, TTLSeconds, ScopesString) ->
+    Scopes = [list_to_binary(Scope) || Scope <- string:tokens(ScopesString, ";")],
+    case jid:from_string(list_to_binary(Jid)) of
+        #jid{luser =Username, lserver = Server} ->
+            case oauth2:authorize_password({Username, Server},  Scopes, admin_generated) of
+                {ok, {_Ctx,Authorization}} ->
+                    {ok, {_AppCtx2, Response}} = oauth2:issue_token(Authorization, [{expiry_time, TTLSeconds}]),
+                    {ok, AccessToken} = oauth2_response:access_token(Response),
+                    {ok, VerifiedScope} = oauth2_response:scope(Response),
+                    {AccessToken, VerifiedScope, integer_to_list(TTLSeconds) ++ " seconds"};
+                {error, Error} ->
+                    {error, Error}
+            end;
+        error ->
+            {error, "Invalid JID: " ++ Jid}
+    end.
+
+oauth_list_tokens() ->
+    Tokens = mnesia:dirty_match_object(#oauth_token{_ = '_'}),
+    {MegaSecs, Secs, _MiniSecs} = os:timestamp(),
+    TS = 1000000 * MegaSecs + Secs,
+    [{Token, jid:to_string(jid:make(U,S,<<>>)), Scope, integer_to_list(Expires - TS) ++ " seconds"} ||
+        #oauth_token{token=Token, scope=Scope, us= {U,S},expire=Expires} <- Tokens].
+
+
+oauth_revoke_token(Token) ->
+    ok = mnesia:dirty_delete(oauth_token, list_to_binary(Token)),
+    oauth_list_tokens().
+
+oauth_list_scopes() ->
+    [ {Scope, string:join([atom_to_list(Cmd) || Cmd <- Cmds], ",")}   || {Scope, Cmds} <- dict:to_list(get_cmd_scopes())].
+
+
+
+
 start_link() ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).

@@ -91,15 +182,8 @@ handle_cast(_Msg, State) -> {noreply, State}.
 handle_info(clean, State) ->
    {MegaSecs, Secs, MiniSecs} = os:timestamp(),
    TS = 1000000 * MegaSecs + Secs,
-    F = fun() ->
-		Ts = mnesia:select(
-		       oauth_token,
-		       [{#oauth_token{expire = '$1', _ = '_'},
-			 [{'<', '$1', TS}],
-			 ['$_']}]),
-		lists:foreach(fun mnesia:delete_object/1, Ts)
-        end,
-    mnesia:async_dirty(F),
+    DBMod = get_db_backend(),
+    DBMod:clean(TS),
    erlang:send_after(trunc(expire() * 1000 * (1 + MiniSecs / 1000000)),
                      self(), clean),
    {noreply, State};
@@ -110,35 +194,30 @@ terminate(_Reason, _State) -> ok.
 code_change(_OldVsn, State, _Extra) -> {ok, State}.


-init_db(mnesia, _Host) ->
-    mnesia:create_table(oauth_token,
-                        [{disc_copies, [node()]},
-                         {attributes,
-                          record_info(fields, oauth_token)}]),
-    mnesia:add_table_copy(oauth_token, node(), disc_copies);
-init_db(_, _) ->
-    ok.
-
-
 get_client_identity(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.

 verify_redirection_uri(_, _, Ctx) -> {ok, Ctx}.

-authenticate_user({User, Server}, {password, Password} = Ctx) ->
+authenticate_user({User, Server}, Ctx) ->
    case jid:make(User, Server, <<"">>) of
        #jid{} = JID ->
            Access =
                ejabberd_config:get_option(
                  {oauth_access, JID#jid.lserver},
-                  fun(A) when is_atom(A) -> A end,
+		  fun(A) -> A end,
                  none),
            case acl:match_rule(JID#jid.lserver, Access, JID) of
                allow ->
-                    case ejabberd_auth:check_password(User, <<"">>, Server, Password) of
-                        true ->
-                            {ok, {Ctx, {user, User, Server}}};
-                        false ->
-                            {error, badpass}
+                    case Ctx of
+                        {password, Password} ->
+                            case ejabberd_auth:check_password(User, <<"">>, Server, Password) of
+                                true ->
+                                    {ok, {Ctx, {user, User, Server}}};
+                                false ->
+                                    {error, badpass}
+                            end;
+                        admin_generated ->
+                            {ok, {Ctx, {user, User, Server}}}
                    end;
                deny ->
                    {error, badpass}
@@ -150,8 +229,8 @@ authenticate_user({User, Server}, {password, Password} = Ctx) ->
 authenticate_client(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.

 verify_resowner_scope({user, _User, _Server}, Scope, Ctx) ->
-    Cmds = ejabberd_commands:get_commands(),
-    Cmds1 = [sasl_auth | Cmds],
+    Cmds = ejabberd_commands:get_exposed_commands(),
+    Cmds1 = ['ejabberd:user', 'ejabberd:admin', sasl_auth | Cmds],
    RegisteredScope = [atom_to_binary(C, utf8) || C <- Cmds1],
    case oauth2_priv_set:is_subset(oauth2_priv_set:new(Scope),
                                   oauth2_priv_set:new(RegisteredScope)) of
@@ -164,64 +243,133 @@ verify_resowner_scope(_, _, _) ->
    {error, badscope}.


+get_cmd_scopes() ->
+    ScopeMap = lists:foldl(fun(Cmd, Accum) ->
+                        case ejabberd_commands:get_command_policy_and_scope(Cmd) of
+                            {ok, Policy, Scopes} when Policy =/= restricted ->
+                                lists:foldl(fun(Scope, Accum2) ->
+                                                    dict:append(Scope, Cmd, Accum2)
+                                            end, Accum, Scopes);
+                            _ -> Accum
+                        end end, dict:new(), ejabberd_commands:get_exposed_commands()),
+    ScopeMap.
+
+%% This is callback for oauth tokens generated through the command line.  Only open and admin commands are
+%% made available.
+%verify_client_scope({client, ejabberd_ctl}, Scope, Ctx) ->
+%    RegisteredScope = dict:fetch_keys(get_cmd_scopes()),
+%    case oauth2_priv_set:is_subset(oauth2_priv_set:new(Scope),
+%                                   oauth2_priv_set:new(RegisteredScope)) of
+%        true ->
+%            {ok, {Ctx, Scope}};
+%        false ->
+%            {error, badscope}
+%    end.
+
+
+
+
+-spec seconds_since_epoch(integer()) -> non_neg_integer().
+seconds_since_epoch(Diff) ->
+    {Mega, Secs, _} = os:timestamp(),
+    Mega * 1000000 + Secs + Diff.
+
+
 associate_access_code(_AccessCode, _Context, AppContext) ->
    %put(?ACCESS_CODE_TABLE, AccessCode, Context),
    {ok, AppContext}.

 associate_access_token(AccessToken, Context, AppContext) ->
-    {user, User, Server} =
-        proplists:get_value(<<"resource_owner">>, Context, <<"">>),
+    {user, User, Server} = proplists:get_value(<<"resource_owner">>, Context, <<"">>),
+    Expire = case proplists:get_value(expiry_time, AppContext, undefined) of
+        undefined ->
+            proplists:get_value(<<"expiry_time">>, Context, 0);
+        ExpiresIn ->
+            %% There is no clean way in oauth2 lib to actually override the TTL of the generated token.
+            %% It always pass the global configured value.  Here we use the app context to pass the per-case
+            %% ttl if we want to override it.
+            seconds_since_epoch(ExpiresIn)
+    end,
+    {user, User, Server} = proplists:get_value(<<"resource_owner">>, Context, <<"">>),
    Scope = proplists:get_value(<<"scope">>, Context, []),
-    Expire = proplists:get_value(<<"expiry_time">>, Context, 0),
-    LUser = jid:nodeprep(User),
-    LServer = jid:nameprep(Server),
    R = #oauth_token{
      token = AccessToken,
-      us = {LUser, LServer},
+      us = {jid:nodeprep(User), jid:nodeprep(Server)},
      scope = Scope,
      expire = Expire
     },
-    mnesia:dirty_write(R),
+    store(R),
    {ok, AppContext}.

 associate_refresh_token(_RefreshToken, _Context, AppContext) ->
    %put(?REFRESH_TOKEN_TABLE, RefreshToken, Context),
    {ok, AppContext}.

-
-check_token(User, Server, Scope, Token) ->
+check_token(User, Server, ScopeList, Token) ->
    LUser = jid:nodeprep(User),
    LServer = jid:nameprep(Server),
-    case catch mnesia:dirty_read(oauth_token, Token) of
-        [#oauth_token{us = {LUser, LServer},
-                      scope = TokenScope,
-                      expire = Expire}] ->
+    case lookup(Token) of
+        {ok, #oauth_token{us = {LUser, LServer},
+                          scope = TokenScope,
+                          expire = Expire}} ->
            {MegaSecs, Secs, _} = os:timestamp(),
            TS = 1000000 * MegaSecs + Secs,
-            oauth2_priv_set:is_member(
-              Scope, oauth2_priv_set:new(TokenScope)) andalso
-                Expire > TS;
-        _ ->
-            false
-    end.
-
-check_token(Scope, Token) ->
-    case catch mnesia:dirty_read(oauth_token, Token) of
-        [#oauth_token{us = {LUser, LServer},
-                      scope = TokenScope,
-                      expire = Expire}] ->
-            {MegaSecs, Secs, _} = os:timestamp(),
-            TS = 1000000 * MegaSecs + Secs,
-            case oauth2_priv_set:is_member(
-                   Scope, oauth2_priv_set:new(TokenScope)) andalso
-                Expire > TS of
-                true -> {ok, LUser, LServer};
-                false -> false
+            if
+                Expire > TS ->
+                    TokenScopeSet = oauth2_priv_set:new(TokenScope),
+                    lists:any(fun(Scope) ->
+                                      oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
+                              ScopeList);
+                true ->
+                    {false, expired}
            end;
        _ ->
-            false
+            {false, not_found}
    end.

+check_token(ScopeList, Token) ->
+    case lookup(Token) of
+        {ok, #oauth_token{us = US,
+                          scope = TokenScope,
+                          expire = Expire}} ->
+            {MegaSecs, Secs, _} = os:timestamp(),
+            TS = 1000000 * MegaSecs + Secs,
+            if
+                Expire > TS ->
+                    TokenScopeSet = oauth2_priv_set:new(TokenScope),
+                    case lists:any(fun(Scope) ->
+                                           oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
+                                   ScopeList) of
+                        true -> {ok, user, US};
+                        false -> {false, no_matching_scope}
+                    end;
+                true ->
+                    {false, expired}
+            end;
+        _ ->
+            {false, not_found}
+    end.
+
+
+store(R) ->
+    cache_tab:insert(
+      oauth_token, R#oauth_token.token, R,
+      fun() ->
+              DBMod = get_db_backend(),
+              DBMod:store(R)
+      end).
+
+lookup(Token) ->
+    cache_tab:lookup(
+      oauth_token, Token,
+      fun() ->
+              DBMod = get_db_backend(),
+              case DBMod:lookup(Token) of
+                  #oauth_token{} = R -> {ok, R};
+                  _ -> error
+              end
+      end).
+

 expire() ->
    ejabberd_config:get_option(
@@ -250,12 +398,9 @@ process(_Handlers,
        ?XAE(<<"form">>,
             [{<<"action">>, <<"authorization_token">>},
              {<<"method">>, <<"post">>}],
-             [?LABEL(<<"username">>, [?CT(<<"User">>), ?C(<<": ">>)]),
+             [?LABEL(<<"username">>, [?CT(<<"User (jid)">>), ?C(<<": ">>)]),
              ?INPUTID(<<"text">>, <<"username">>, <<"">>),
              ?BR,
-              ?LABEL(<<"server">>, [?CT(<<"Server">>), ?C(<<": ">>)]),
-              ?INPUTID(<<"text">>, <<"server">>, <<"">>),
-              ?BR,
              ?LABEL(<<"password">>, [?CT(<<"Password">>), ?C(<<": ">>)]),
              ?INPUTID(<<"password">>, <<"password">>, <<"">>),
              ?INPUT(<<"hidden">>, <<"response_type">>, ResponseType),
@@ -264,6 +409,15 @@ process(_Handlers,
              ?INPUT(<<"hidden">>, <<"scope">>, Scope),
              ?INPUT(<<"hidden">>, <<"state">>, State),
              ?BR,
+              ?LABEL(<<"ttl">>, [?CT(<<"Token TTL">>), ?CT(<<": ">>)]),
+              ?XAE(<<"select">>, [{<<"name">>, <<"ttl">>}],
+                   [
+                   ?XAC(<<"option">>, [{<<"value">>, <<"3600">>}],<<"1 Hour">>),
+                   ?XAC(<<"option">>, [{<<"value">>, <<"86400">>}],<<"1 Day">>),
+                   ?XAC(<<"option">>, [{<<"value">>, <<"2592000">>}],<<"1 Month">>),
+                   ?XAC(<<"option">>, [{<<"selected">>, <<"selected">>},{<<"value">>, <<"31536000">>}],<<"1 Year">>),
+                   ?XAC(<<"option">>, [{<<"value">>, <<"315360000">>}],<<"10 Years">>)]),
+              ?BR,
              ?INPUTT(<<"submit">>, <<"">>, <<"Accept">>)
             ]),
    Top =
@@ -307,11 +461,16 @@ process(_Handlers,
    ClientId = proplists:get_value(<<"client_id">>, Q, <<"">>),
    RedirectURI = proplists:get_value(<<"redirect_uri">>, Q, <<"">>),
    SScope = proplists:get_value(<<"scope">>, Q, <<"">>),
-    Username = proplists:get_value(<<"username">>, Q, <<"">>),
-    Server = proplists:get_value(<<"server">>, Q, <<"">>),
+    StringJID = proplists:get_value(<<"username">>, Q, <<"">>),
+    #jid{user = Username, server = Server} = jid:from_string(StringJID),
    Password = proplists:get_value(<<"password">>, Q, <<"">>),
    State = proplists:get_value(<<"state">>, Q, <<"">>),
    Scope = str:tokens(SScope, <<" ">>),
+    TTL = proplists:get_value(<<"ttl">>, Q, <<"">>),
+    ExpiresIn = case TTL of
+                    <<>> -> undefined;
+                    _ -> jlib:binary_to_integer(TTL)
+                end,
    case oauth2:authorize_password({Username, Server},
                                   ClientId,
                                   RedirectURI,
@@ -319,10 +478,18 @@ process(_Handlers,
                                   {password, Password}) of
        {ok, {_AppContext, Authorization}} ->
            {ok, {_AppContext2, Response}} =
-                oauth2:issue_token(Authorization, none),
+                oauth2:issue_token(Authorization, [{expiry_time, ExpiresIn} || ExpiresIn /= undefined ]),
            {ok, AccessToken} = oauth2_response:access_token(Response),
            {ok, Type} = oauth2_response:token_type(Response),
-            {ok, Expires} = oauth2_response:expires_in(Response),
+            %%Ugly: workardound to return the correct expirity time, given than oauth2 lib doesn't really have
+            %%per-case expirity time.
+            Expires = case ExpiresIn of
+                          undefined ->
+                             {ok, Ex} = oauth2_response:expires_in(Response),
+                             Ex;
+                          _ ->
+                            ExpiresIn
+                      end,
            {ok, VerifiedScope} = oauth2_response:scope(Response),
            %oauth2_wrq:redirected_access_token_response(ReqData,
            %                                            RedirectURI,
@@ -351,11 +518,82 @@ process(_Handlers,
                   }],
             ejabberd_web:make_xhtml([?XC(<<"h1">>, <<"302 Found">>)])}
    end;
+process(_Handlers,
+	#request{method = 'POST', q = Q, lang = _Lang,
+		 path = [_, <<"token">>]}) ->
+    case proplists:get_value(<<"grant_type">>, Q, <<"">>) of
+      <<"password">> ->
+        SScope = proplists:get_value(<<"scope">>, Q, <<"">>),
+        StringJID = proplists:get_value(<<"username">>, Q, <<"">>),
+        #jid{user = Username, server = Server} = jid:from_string(StringJID),
+        Password = proplists:get_value(<<"password">>, Q, <<"">>),
+        Scope = str:tokens(SScope, <<" ">>),
+        TTL = proplists:get_value(<<"ttl">>, Q, <<"">>),
+        ExpiresIn = case TTL of
+                        <<>> -> undefined;
+                        _ -> jlib:binary_to_integer(TTL)
+                    end,
+        case oauth2:authorize_password({Username, Server},
+                                       Scope,
+                                       {password, Password}) of
+            {ok, {_AppContext, Authorization}} ->
+                {ok, {_AppContext2, Response}} =
+                    oauth2:issue_token(Authorization, [{expiry_time, ExpiresIn} || ExpiresIn /= undefined ]),
+                {ok, AccessToken} = oauth2_response:access_token(Response),
+                {ok, Type} = oauth2_response:token_type(Response),
+                %%Ugly: workardound to return the correct expirity time, given than oauth2 lib doesn't really have
+                %%per-case expirity time.
+                Expires = case ExpiresIn of
+                              undefined ->
+                                 {ok, Ex} = oauth2_response:expires_in(Response),
+                                 Ex;
+                              _ ->
+                                ExpiresIn
+                          end,
+                {ok, VerifiedScope} = oauth2_response:scope(Response),
+                json_response(200, {[
+                   {<<"access_token">>, AccessToken},
+                   {<<"token_type">>, Type},
+                   {<<"scope">>, str:join(VerifiedScope, <<" ">>)},
+                   {<<"expires_in">>, Expires}]});
+            {error, Error} when is_atom(Error) ->
+                json_error(400, <<"invalid_grant">>, Error)
+        end;
+        _OtherGrantType ->
+            json_error(400, <<"unsupported_grant_type">>, unsupported_grant_type)
+  end;
+
 process(_Handlers, _Request) ->
    ejabberd_web:error(not_found).

+-spec get_db_backend() -> module().
+
+get_db_backend() ->
+    DBType = ejabberd_config:get_option(
+               oauth_db_type,
+               fun(T) -> ejabberd_config:v_db(?MODULE, T) end,
+               mnesia),
+    list_to_atom("ejabberd_oauth_" ++ atom_to_list(DBType)).


+%% Headers as per RFC 6749
+json_response(Code, Body) ->
+    {Code, [{<<"Content-Type">>, <<"application/json;charset=UTF-8">>},
+           {<<"Cache-Control">>, <<"no-store">>},
+           {<<"Pragma">>, <<"no-cache">>}],
+     jiffy:encode(Body)}.
+
+%% OAauth error are defined in:
+%% https://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-5.2
+json_error(Code, Error, Reason) ->
+    Desc = json_error_desc(Reason),
+    Body = {[{<<"error">>, Error},
+             {<<"error_description">>, Desc}]},
+    json_response(Code, Body).
+
+json_error_desc(access_denied)          -> <<"Access denied">>;
+json_error_desc(unsupported_grant_type) -> <<"Unsupported grant type">>;
+json_error_desc(invalid_scope)          -> <<"Invalid scope">>.

 web_head() ->
    [?XA(<<"meta">>, [{<<"http-equiv">>, <<"X-UA-Compatible">>},
@@ -469,7 +707,7 @@ css() ->
            text-decoration: underline;
          }

-      .container > .section { 
+      .container > .section {
          background: #424A55;
      }

@@ -486,5 +724,11 @@ logo() ->
 opt_type(oauth_expire) ->
    fun(I) when is_integer(I), I >= 0 -> I end;
 opt_type(oauth_access) ->
-    fun(A) when is_atom(A) -> A end;
-opt_type(_) -> [oauth_expire, oauth_access].
+    fun acl:access_rules_validator/1;
+opt_type(oauth_db_type) ->
+    fun(T) -> ejabberd_config:v_db(?MODULE, T) end;
+opt_type(oauth_cache_life_time) ->
+    fun (I) when is_integer(I), I > 0 -> I end;
+opt_type(oauth_cache_size) ->
+    fun (I) when is_integer(I), I > 0 -> I end;
+opt_type(_) -> [oauth_expire, oauth_access, oauth_db_type].
@@ -0,0 +1,65 @@
+%%%-------------------------------------------------------------------
+%%% File    : ejabberd_oauth_mnesia.erl
+%%% Author  : Alexey Shchepin <alexey@process-one.net>
+%%% Purpose : OAUTH2 mnesia backend
+%%% Created : 20 Jul 2016 by Alexey Shchepin <alexey@process-one.net>
+%%%
+%%%
+%%% ejabberd, Copyright (C) 2002-2016   ProcessOne
+%%%
+%%% This program is free software; you can redistribute it and/or
+%%% modify it under the terms of the GNU General Public License as
+%%% published by the Free Software Foundation; either version 2 of the
+%%% License, or (at your option) any later version.
+%%%
+%%% This program is distributed in the hope that it will be useful,
+%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
+%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%%% General Public License for more details.
+%%%
+%%% You should have received a copy of the GNU General Public License
+%%% along with this program; if not, write to the Free Software
+%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+%%% 02111-1307 USA
+%%%
+%%%-------------------------------------------------------------------
+
+-module(ejabberd_oauth_mnesia).
+
+-export([init/0,
+         store/1,
+         lookup/1,
+         clean/1]).
+
+-include("ejabberd_oauth.hrl").
+
+init() ->
+    mnesia:create_table(oauth_token,
+                        [{disc_copies, [node()]},
+                         {attributes,
+                          record_info(fields, oauth_token)}]),
+    mnesia:add_table_copy(oauth_token, node(), disc_copies),
+    ok.
+
+store(R) ->
+    mnesia:dirty_write(R).
+
+lookup(Token) ->
+    case catch mnesia:dirty_read(oauth_token, Token) of
+        [R] ->
+            R;
+        _ ->
+            false
+    end.
+
+clean(TS) ->
+    F = fun() ->
+		Ts = mnesia:select(
+		       oauth_token,
+		       [{#oauth_token{expire = '$1', _ = '_'},
+			 [{'<', '$1', TS}],
+			 ['$_']}]),
+		lists:foreach(fun mnesia:delete_object/1, Ts)
+        end,
+    mnesia:async_dirty(F).
+
@@ -0,0 +1,78 @@
+%%%-------------------------------------------------------------------
+%%% File    : ejabberd_oauth_sql.erl
+%%% Author  : Alexey Shchepin <alexey@process-one.net>
+%%% Purpose : OAUTH2 SQL backend
+%%% Created : 27 Jul 2016 by Alexey Shchepin <alexey@process-one.net>
+%%%
+%%%
+%%% ejabberd, Copyright (C) 2002-2016   ProcessOne
+%%%
+%%% This program is free software; you can redistribute it and/or
+%%% modify it under the terms of the GNU General Public License as
+%%% published by the Free Software Foundation; either version 2 of the
+%%% License, or (at your option) any later version.
+%%%
+%%% This program is distributed in the hope that it will be useful,
+%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
+%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%%% General Public License for more details.
+%%%
+%%% You should have received a copy of the GNU General Public License
+%%% along with this program; if not, write to the Free Software
+%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+%%% 02111-1307 USA
+%%%
+%%%-------------------------------------------------------------------
+
+-module(ejabberd_oauth_sql).
+
+-compile([{parse_transform, ejabberd_sql_pt}]).
+
+-export([init/0,
+         store/1,
+         lookup/1,
+         clean/1]).
+
+-include("ejabberd_oauth.hrl").
+-include("ejabberd.hrl").
+-include("ejabberd_sql_pt.hrl").
+-include("jlib.hrl").
+
+init() ->
+    ok.
+
+store(R) ->
+    Token = R#oauth_token.token,
+    {User, Server} = R#oauth_token.us,
+    SJID = jid:to_string({User, Server, <<"">>}),
+    Scope = str:join(R#oauth_token.scope, <<" ">>),
+    Expire = R#oauth_token.expire,
+    ?SQL_UPSERT(
+       ?MYNAME,
+       "oauth_token",
+       ["!token=%(Token)s",
+        "jid=%(SJID)s",
+        "scope=%(Scope)s",
+        "expire=%(Expire)d"]).
+
+lookup(Token) ->
+    case ejabberd_sql:sql_query(
+           ?MYNAME,
+           ?SQL("select @(jid)s, @(scope)s, @(expire)d"
+                " from oauth_token where token=%(Token)s")) of
+        {selected, [{SJID, Scope, Expire}]} ->
+            JID = jid:from_string(SJID),
+            US = {JID#jid.luser, JID#jid.lserver},
+            #oauth_token{token = Token,
+                         us = US,
+                         scope = str:tokens(Scope, <<" ">>),
+                         expire = Expire};
+        _ ->
+            false
+    end.
+
+clean(TS) ->
+    ejabberd_sql:sql_query(
+      ?MYNAME,
+      ?SQL("delete from oauth_token where expire < %(TS)d")).
+
@@ -0,0 +1,179 @@
+%%%-------------------------------------------------------------------
+%%% @author Evgeny Khramtsov <ekhramtsov@process-one.net>
+%%% @copyright (C) 2016, Evgeny Khramtsov
+%%% @doc
+%%%
+%%% @end
+%%% Created :  8 May 2016 by Evgeny Khramtsov <ekhramtsov@process-one.net>
+%%%-------------------------------------------------------------------
+-module(ejabberd_redis).
+
+-behaviour(gen_server).
+-behaviour(ejabberd_config).
+
+%% API
+-export([start/0, start_link/0, q/1, qp/1, opt_type/1]).
+
+%% gen_server callbacks
+-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
+	 terminate/2, code_change/3]).
+
+-define(SERVER, ?MODULE).
+-define(PROCNAME, 'ejabberd_redis_client').
+
+-include("logger.hrl").
+-include("ejabberd.hrl").
+
+-record(state, {}).
+
+%%%===================================================================
+%%% API
+%%%===================================================================
+start_link() ->
+    gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
+
+start() ->
+    case lists:any(
+	   fun(Host) ->
+		   is_redis_configured(Host)
+	   end, ?MYHOSTS) of
+	true ->
+	    Spec = {?MODULE, {?MODULE, start_link, []},
+		    permanent, 2000, worker, [?MODULE]},
+	    supervisor:start_child(ejabberd_sup, Spec);
+	false ->
+	    ok
+    end.
+
+q(Command) ->
+    try eredis:q(?PROCNAME, Command)
+    catch _:Reason -> {error, Reason}
+    end.
+
+qp(Pipeline) ->
+    try eredis:qp(?PROCNAME, Pipeline)
+    catch _:Reason -> {error, Reason}
+    end.
+
+%%%===================================================================
+%%% gen_server callbacks
+%%%===================================================================
+init([]) ->
+    process_flag(trap_exit, true),
+    connect(),
+    {ok, #state{}}.
+
+handle_call(_Request, _From, State) ->
+    Reply = ok,
+    {reply, Reply, State}.
+
+handle_cast(_Msg, State) ->
+    {noreply, State}.
+
+handle_info(connect, State) ->
+    connect(),
+    {noreply, State};
+handle_info({'DOWN', _MRef, _Type, _Pid, Reason}, State) ->
+    ?INFO_MSG("Redis connection has failed: ~p", [Reason]),
+    connect(),
+    {noreply, State};
+handle_info({'EXIT', _, _}, State) ->
+    {noreply, State};
+handle_info(Info, State) ->
+    ?INFO_MSG("unexpected info = ~p", [Info]),
+    {noreply, State}.
+
+terminate(_Reason, _State) ->
+    ok.
+
+code_change(_OldVsn, State, _Extra) ->
+    {ok, State}.
+
+%%%===================================================================
+%%% Internal functions
+%%%===================================================================
+is_redis_configured(Host) ->
+    ServerConfigured = ejabberd_config:has_option({redis_server, Host}),
+    PortConfigured = ejabberd_config:has_option({redis_port, Host}),
+    DBConfigured = ejabberd_config:has_option({redis_db, Host}),
+    PassConfigured = ejabberd_config:has_option({redis_password, Host}),
+    ReconnTimeoutConfigured = ejabberd_config:has_option(
+				{redis_reconnect_timeout, Host}),
+    ConnTimeoutConfigured = ejabberd_config:has_option(
+			      {redis_connect_timeout, Host}),
+    Modules = ejabberd_config:get_option(
+		{modules, Host},
+		fun(L) when is_list(L) -> L end, []),
+    SMConfigured = ejabberd_config:get_option(
+		     {sm_db_type, Host},
+		     fun(V) -> V end) == redis,
+    ModuleWithRedisDBConfigured =
+	lists:any(
+	  fun({Module, Opts}) ->
+		  gen_mod:db_type(Host, Opts, Module) == redis
+	  end, Modules),
+    ServerConfigured or PortConfigured or DBConfigured or PassConfigured or
+	ReconnTimeoutConfigured or ConnTimeoutConfigured or
+	SMConfigured or ModuleWithRedisDBConfigured.
+
+iolist_to_list(IOList) ->
+    binary_to_list(iolist_to_binary(IOList)).
+
+connect() ->
+    Server = ejabberd_config:get_option(redis_server,
+					fun iolist_to_list/1,
+					"localhost"),
+    Port = ejabberd_config:get_option(redis_port,
+				      fun(P) when is_integer(P),
+						  P>0, P<65536 ->
+					      P
+				      end, 6379),
+    DB = ejabberd_config:get_option(redis_db,
+				    fun(I) when is_integer(I), I >= 0 ->
+					    I
+				    end, 0),
+    Pass = ejabberd_config:get_option(redis_password,
+				      fun iolist_to_list/1,
+				      ""),
+    ReconnTimeout = timer:seconds(
+		      ejabberd_config:get_option(
+			redis_reconnect_timeout,
+			fun(I) when is_integer(I), I>0 -> I end,
+			1)),
+    ConnTimeout = timer:seconds(
+		    ejabberd_config:get_option(
+		      redis_connect_timeout,
+		      fun(I) when is_integer(I), I>0 -> I end,
+		      1)),
+    try case eredis:start_link(Server, Port, DB, Pass,
+			       ReconnTimeout, ConnTimeout) of
+	    {ok, Client} ->
+		?INFO_MSG("Connected to Redis at ~s:~p", [Server, Port]),
+		unlink(Client),
+		erlang:monitor(process, Client),
+		register(?PROCNAME, Client),
+		{ok, Client};
+	    {error, Why} ->
+		erlang:error(Why)
+	end
+    catch _:Reason ->
+	    Timeout = 10,
+	    ?ERROR_MSG("Redis connection at ~s:~p has failed: ~p; "
+		       "reconnecting in ~p seconds",
+		       [Server, Port, Reason, Timeout]),
+	    erlang:send_after(timer:seconds(Timeout), self(), connect)
+    end.
+
+opt_type(redis_connect_timeout) ->
+    fun (I) when is_integer(I), I > 0 -> I end;
+opt_type(redis_db) ->
+    fun (I) when is_integer(I), I >= 0 -> I end;
+opt_type(redis_password) -> fun iolist_to_list/1;
+opt_type(redis_port) ->
+    fun (P) when is_integer(P), P > 0, P < 65536 -> P end;
+opt_type(redis_reconnect_timeout) ->
+    fun (I) when is_integer(I), I > 0 -> I end;
+opt_type(redis_server) -> fun iolist_to_list/1;
+opt_type(_) ->
+    [redis_connect_timeout, redis_db, redis_password,
+     redis_port, redis_reconnect_timeout, redis_server].
@@ -473,28 +473,34 @@ send_element(Pid, El) ->
 %%% ejabberd commands

 get_commands_spec() ->
-    [#ejabberd_commands{name = incoming_s2s_number,
-			tags = [stats, s2s],
-			desc =
-			    "Number of incoming s2s connections on "
-			    "the node",
-                        policy = admin,
-			module = ?MODULE, function = incoming_s2s_number,
-			args = [], result = {s2s_incoming, integer}},
-     #ejabberd_commands{name = outgoing_s2s_number,
-			tags = [stats, s2s],
-			desc =
-			    "Number of outgoing s2s connections on "
-			    "the node",
-                        policy = admin,
-			module = ?MODULE, function = outgoing_s2s_number,
-			args = [], result = {s2s_outgoing, integer}}].
+    [#ejabberd_commands{
+        name = incoming_s2s_number,
+        tags = [stats, s2s],
+        desc = "Number of incoming s2s connections on the node",
+        policy = admin,
+        module = ?MODULE, function = incoming_s2s_number,
+        args = [], result = {s2s_incoming, integer}},
+     #ejabberd_commands{
+        name = outgoing_s2s_number,
+        tags = [stats, s2s],
+        desc = "Number of outgoing s2s connections on the node",
+        policy = admin,
+        module = ?MODULE, function = outgoing_s2s_number,
+        args = [], result = {s2s_outgoing, integer}}].

+%% TODO Move those stats commands to ejabberd stats command ?
 incoming_s2s_number() ->
-    length(supervisor:which_children(ejabberd_s2s_in_sup)).
+    supervisor_count(ejabberd_s2s_in_sup).

 outgoing_s2s_number() ->
-    length(supervisor:which_children(ejabberd_s2s_out_sup)).
+    supervisor_count(ejabberd_s2s_out_sup).
+
+supervisor_count(Supervisor) ->
+    case catch supervisor:which_children(Supervisor) of
+        {'EXIT', _} -> 0;
+        Result ->
+            length(Result)
+    end.

 %%%----------------------------------------------------------------------
 %%% Update Mnesia tables
@@ -539,7 +545,7 @@ allow_host2(MyServer, S2SHost) ->
 allow_host1(MyHost, S2SHost) ->
    Rule = ejabberd_config:get_option(
             s2s_access,
-             fun(A) when is_atom(A) -> A end,
+             fun(A) -> A end,
             all),
    JID = jid:make(<<"">>, S2SHost, <<"">>),
    case acl:match_rule(MyHost, Rule, JID) of
@@ -738,5 +744,5 @@ opt_type(route_subdomains) ->
 	(local) -> local
    end;
 opt_type(s2s_access) ->
-    fun (A) when is_atom(A) -> A end;
+    fun acl:access_rules_validator/1;
 opt_type(_) -> [route_subdomains, s2s_access].
@@ -36,7 +36,7 @@
 -behaviour(?GEN_FSM).

 %% External exports
-export([start/2, start_link/2, send_text/2,
+-export([start/0, start/2, start_link/2, send_text/2,
 	 send_element/2, socket_type/0, transform_listen_option/2]).

 -export([init/1, wait_for_stream/2,
@@ -44,19 +44,10 @@
 	 handle_event/3, handle_sync_event/4, code_change/4,
 	 handle_info/3, terminate/3, print_state/1, opt_type/1]).

-include("ejabberd.hrl").
-include("logger.hrl").
+-include("ejabberd_service.hrl").
+-include("mod_privacy.hrl").

-include("jlib.hrl").
-
-record(state,
-	{socket                    :: ejabberd_socket:socket_state(),
-         sockmod = ejabberd_socket :: ejabberd_socket | ejabberd_frontend_socket,
-         streamid = <<"">>         :: binary(),
-         host_opts = dict:new()    :: ?TDICT,
-         host = <<"">>             :: binary(),
-         access                    :: atom(),
-	 check_from = true         :: boolean()}).
+-export([get_delegated_ns/1]).

 %-define(DBGFSM, true).

@@ -99,6 +90,15 @@
 %%%----------------------------------------------------------------------
 %%% API
 %%%----------------------------------------------------------------------
+
+%% for xep-0355
+%% table contans records like {namespace, fitering attributes, pid(),
+%% host, disco info for general case, bare jid disco info }
+
+start() ->
+  ets:new(delegated_namespaces, [named_table, public]),
+  ets:new(hooks_tmp, [named_table, public]).
+
 start(SockData, Opts) ->
    supervisor:start_child(ejabberd_service_sup,
 			   [SockData, Opts]).
@@ -109,6 +109,9 @@ start_link(SockData, Opts) ->

 socket_type() -> xml_stream.

+get_delegated_ns(FsmRef) ->
+    (?GEN_FSM):sync_send_all_state_event(FsmRef, {get_delegated_ns}).
+
 %%%----------------------------------------------------------------------
 %%% Callback functions from gen_fsm
 %%%----------------------------------------------------------------------
@@ -141,6 +144,21 @@ init([{SockMod, Socket}, Opts]) ->
 				p1_sha:sha(crypto:rand_bytes(20))),
 		       dict:from_list([{global, Pass}])
 	       end,
+    %% privilege access to entities data
+    PrivAccess = case lists:keysearch(privilege_access, 1, Opts) of
+		     {value, {_, PrivAcc}} -> PrivAcc;
+		     _ -> []
+		 end,
+    Delegations = case lists:keyfind(delegations, 1, Opts) of
+		      {delegations, Del} ->
+			  lists:foldl(
+			    fun({Ns, FiltAttr}, D) when Ns /= ?NS_DELEGATION ->
+				    Attr = proplists:get_value(filtering, FiltAttr, []),
+				    D ++ [{Ns, Attr}];
+			       (_Deleg, D) -> D
+			    end, [], Del);
+		      false -> []
+		  end,
    Shaper = case lists:keysearch(shaper_rule, 1, Opts) of
 	       {value, {_, S}} -> S;
 	       _ -> none
@@ -154,8 +172,9 @@ init([{SockMod, Socket}, Opts]) ->
    SockMod:change_shaper(Socket, Shaper),
    {ok, wait_for_stream,
     #state{socket = Socket, sockmod = SockMod,
-	    streamid = new_id(), host_opts = HostOpts,
-	    access = Access, check_from = CheckFrom}}.
+	    streamid = new_id(), host_opts = HostOpts, access = Access,
+	    check_from = CheckFrom, privilege_access = PrivAccess,
+	    delegations = Delegations}}.

 %%----------------------------------------------------------------------
 %% Func: StateName/2
@@ -224,9 +243,34 @@ wait_for_handshake({xmlstreamelement, El}, StateData) ->
 			    fun (H) ->
 				    ejabberd_router:register_route(H, ?MYNAME),
 				    ?INFO_MSG("Route registered for service ~p~n",
-					      [H])
+					      [H]),
+				    ejabberd_hooks:run(component_connected,
+			     		[H])
 			    end, dict:fetch_keys(StateData#state.host_opts)),
-			  {next_state, stream_established, StateData};
+
+			  mod_privilege:advertise_permissions(StateData),
+			  DelegatedNs = mod_delegation:advertise_delegations(StateData),
+
+			  RosterAccess = proplists:get_value(roster,
+							     StateData#state.privilege_access),
+
+			  case proplists:get_value(presence,
+						   StateData#state.privilege_access) of
+				<<"managed_entity">> ->
+				    mod_privilege:initial_presences(StateData),
+				    Fun = mod_privilege:process_presence(self()),
+				    add_hooks(user_send_packet, Fun);
+				<<"roster">> when (RosterAccess == <<"both">>) or
+						  (RosterAccess == <<"get">>) ->
+				    mod_privilege:initial_presences(StateData),
+				    Fun = mod_privilege:process_presence(self()),
+				    add_hooks(user_send_packet, Fun),
+				    Fun2 = mod_privilege:process_roster_presence(self()),
+				    add_hooks(s2s_receive_packet, Fun2);
+				_ -> ok
+			    end,
+			    {next_state, stream_established,
+			     StateData#state{delegations = DelegatedNs}};
 		      _ ->
 			  send_text(StateData, ?INVALID_HANDSHAKE_ERR),
 			  {stop, normal, StateData}
@@ -274,11 +318,12 @@ stream_established({xmlstreamelement, El}, StateData) ->
 	      <<"">> -> error;
 	      _ -> jid:from_string(To)
 	    end,
-    if ((Name == <<"iq">>) or (Name == <<"message">>) or
-	  (Name == <<"presence">>))
-	 and (ToJID /= error)
-	 and (FromJID /= error) ->
-	   ejabberd_router:route(FromJID, ToJID, NewEl);
+    if  (Name == <<"iq">>) and (ToJID /= error) and (FromJID /= error) ->
+	    mod_privilege:process_iq(StateData, FromJID, ToJID, NewEl);
+	(Name == <<"presence">>) and (ToJID /= error) and (FromJID /= error) ->
+	    ejabberd_router:route(FromJID, ToJID, NewEl);
+	(Name == <<"message">>) and (ToJID /= error) and (FromJID /= error) ->
+	    mod_privilege:process_message(StateData, FromJID, ToJID, NewEl);
       true ->
 	   Lang = fxml:get_tag_attr_s(<<"xml:lang">>, El),
 	   Txt = <<"Incorrect stanza name or from/to JID">>,
@@ -328,8 +373,11 @@ handle_event(_Event, StateName, StateData) ->
 %%          {stop, Reason, NewStateData}                          |
 %%          {stop, Reason, Reply, NewStateData}
 %%----------------------------------------------------------------------
-handle_sync_event(_Event, _From, StateName,
-		  StateData) ->
+handle_sync_event({get_delegated_ns}, _From, StateName, StateData) ->
+    Reply =  {StateData#state.host, StateData#state.delegations},
+    {reply, Reply, StateName, StateData};
+
+handle_sync_event(_Event, _From, StateName, StateData) ->
    Reply = ok, {reply, Reply, StateName, StateData}.

 code_change(_OldVsn, StateName, StateData, _Extra) ->
@@ -368,6 +416,36 @@ handle_info({route, From, To, Packet}, StateName,
 	  ejabberd_router:route_error(To, From, Err, Packet)
    end,
    {next_state, StateName, StateData};
+
+handle_info({user_presence, Packet, From},
+	    stream_established, StateData) ->
+    To = jid:from_string(StateData#state.host),
+    PacketNew = jlib:replace_from_to(From, To, Packet),
+    send_element(StateData, PacketNew),
+    {next_state, stream_established, StateData};
+
+handle_info({roster_presence, Packet, From},
+	    stream_established, StateData) ->
+    %% check that current presence stanza is equivalent to last
+    PresenceNew = jlib:remove_attr(<<"to">>, Packet),
+    Dict = StateData#state.last_pres,
+    LastPresence =
+    try dict:fetch(From, Dict)
+    catch _:_ ->
+	      undefined
+    end,
+    case mod_privilege:compare_presences(LastPresence, PresenceNew) of
+	false ->
+	    #xmlel{attrs = Attrs} = PresenceNew,
+	    Presence = PresenceNew#xmlel{attrs = [{<<"to">>, StateData#state.host} | Attrs]},
+	    send_element(StateData, Presence),
+	    DictNew = dict:store(From, PresenceNew, Dict),
+	    StateDataNew = StateData#state{last_pres = DictNew},
+	    {next_state, stream_established, StateDataNew};
+	_ ->
+	    {next_state, stream_established, StateData}
+    end;
+
 handle_info(Info, StateName, StateData) ->
    ?ERROR_MSG("Unexpected info: ~p", [Info]),
    {next_state, StateName, StateData}.
@@ -382,9 +460,30 @@ terminate(Reason, StateName, StateData) ->
    case StateName of
      stream_established ->
 	  lists:foreach(fun (H) ->
-				ejabberd_router:unregister_route(H)
+				ejabberd_router:unregister_route(H),
+				ejabberd_hooks:run(component_disconnected,
+					[StateData#state.host, Reason])
 			end,
-			dict:fetch_keys(StateData#state.host_opts));
+			dict:fetch_keys(StateData#state.host_opts)),
+
+	  lists:foreach(fun({Ns, _FilterAttr}) ->
+				ets:delete(delegated_namespaces, Ns),
+				remove_iq_handlers(Ns)
+			end, StateData#state.delegations),
+
+	  RosterAccess = proplists:get_value(roster, StateData#state.privilege_access),
+	  case proplists:get_value(presence, StateData#state.privilege_access) of
+	      <<"managed_entity">> ->
+		  Fun = mod_privilege:process_presence(self()),
+		  remove_hooks(user_send_packet, Fun);
+	      <<"roster">> when (RosterAccess == <<"both">>) or
+				(RosterAccess == <<"get">>) ->
+		  Fun = mod_privilege:process_presence(self()),
+		  remove_hooks(user_send_packet, Fun),
+		  Fun2 = mod_privilege:process_roster_presence(self()),
+		  remove_hooks(s2s_receive_packet, Fun2);
+	      _ -> ok
+	  end;
      _ -> ok
    end,
    (StateData#state.sockmod):close(StateData#state.socket),
@@ -444,3 +543,19 @@ fsm_limit_opts(Opts) ->
 opt_type(max_fsm_queue) ->
    fun (I) when is_integer(I), I > 0 -> I end;
 opt_type(_) -> [max_fsm_queue].
+
+remove_iq_handlers(Ns) ->
+    lists:foreach(fun(Host) ->
+                      gen_iq_handler:remove_iq_handler(ejabberd_local, Host, Ns),
+                      gen_iq_handler:remove_iq_handler(ejabberd_sm, Host, Ns)
+                  end, ?MYHOSTS).
+
+add_hooks(Hook, Fun) ->
+  lists:foreach(fun(Host) ->
+                    ejabberd_hooks:add(Hook, Host,Fun, 100)
+                end, ?MYHOSTS).
+
+remove_hooks(Hook, Fun) ->
+  lists:foreach(fun(Host) ->
+                    ejabberd_hooks:delete(Hook, Host, Fun, 100)
+                end, ?MYHOSTS).
@@ -47,6 +47,8 @@
 	 set_presence/7,
 	 unset_presence/6,
 	 close_session_unset_presence/5,
+	 set_offline_info/5,
+	 get_offline_info/4,
 	 dirty_get_sessions_list/0,
 	 dirty_get_my_sessions_list/0,
 	 get_vh_session_list/1,
@@ -178,14 +180,14 @@ get_user_resources(User, Server) ->
    LUser = jid:nodeprep(User),
    LServer = jid:nameprep(Server),
    Mod = get_sm_backend(LServer),
-    Ss = Mod:get_sessions(LUser, LServer),
+    Ss = online(Mod:get_sessions(LUser, LServer)),
    [element(3, S#session.usr) || S <- clean_session_list(Ss)].

 -spec get_user_present_resources(binary(), binary()) -> [tuple()].

 get_user_present_resources(LUser, LServer) ->
    Mod = get_sm_backend(LServer),
-    Ss = Mod:get_sessions(LUser, LServer),
+    Ss = online(Mod:get_sessions(LUser, LServer)),
    [{S#session.priority, element(3, S#session.usr)}
     || S <- clean_session_list(Ss), is_integer(S#session.priority)].

@@ -196,7 +198,7 @@ get_user_ip(User, Server, Resource) ->
    LServer = jid:nameprep(Server),
    LResource = jid:resourceprep(Resource),
    Mod = get_sm_backend(LServer),
-    case Mod:get_sessions(LUser, LServer, LResource) of
+    case online(Mod:get_sessions(LUser, LServer, LResource)) of
 	[] ->
 	    undefined;
 	Ss ->
@@ -211,7 +213,7 @@ get_user_info(User, Server, Resource) ->
    LServer = jid:nameprep(Server),
    LResource = jid:resourceprep(Resource),
    Mod = get_sm_backend(LServer),
-    case Mod:get_sessions(LUser, LServer, LResource) of
+    case online(Mod:get_sessions(LUser, LServer, LResource)) of
 	[] ->
 	    offline;
 	Ss ->
@@ -261,17 +263,45 @@ get_session_pid(User, Server, Resource) ->
    LServer = jid:nameprep(Server),
    LResource = jid:resourceprep(Resource),
    Mod = get_sm_backend(LServer),
-    case Mod:get_sessions(LUser, LServer, LResource) of
+    case online(Mod:get_sessions(LUser, LServer, LResource)) of
 	[#session{sid = {_, Pid}}] -> Pid;
 	_ -> none
    end.

+-spec set_offline_info(sid(), binary(), binary(), binary(), info()) -> ok.
+
+set_offline_info(SID, User, Server, Resource, Info) ->
+    LUser = jid:nodeprep(User),
+    LServer = jid:nameprep(Server),
+    LResource = jid:resourceprep(Resource),
+    set_session(SID, LUser, LServer, LResource, undefined, [offline | Info]).
+
+-spec get_offline_info(erlang:timestamp(), binary(), binary(),
+                       binary()) -> none | info().
+
+get_offline_info(Time, User, Server, Resource) ->
+    LUser = jid:nodeprep(User),
+    LServer = jid:nameprep(Server),
+    LResource = jid:resourceprep(Resource),
+    Mod = get_sm_backend(LServer),
+    case Mod:get_sessions(LUser, LServer, LResource) of
+	[#session{sid = {Time, _}, info = Info}] ->
+	    case proplists:get_bool(offline, Info) of
+		true ->
+		    Info;
+		false ->
+		    none
+	    end;
+	_ ->
+	    none
+    end.
+
 -spec dirty_get_sessions_list() -> [ljid()].

 dirty_get_sessions_list() ->
    lists:flatmap(
      fun(Mod) ->
-	      [S#session.usr || S <- Mod:get_sessions()]
+	      [S#session.usr || S <- online(Mod:get_sessions())]
      end, get_sm_backends()).

 -spec dirty_get_my_sessions_list() -> [#session{}].
@@ -279,7 +309,7 @@ dirty_get_sessions_list() ->
 dirty_get_my_sessions_list() ->
    lists:flatmap(
      fun(Mod) ->
-	      [S || S <- Mod:get_sessions(),
+	      [S || S <- online(Mod:get_sessions()),
 		    node(element(2, S#session.sid)) == node()]
      end, get_sm_backends()).

@@ -288,14 +318,14 @@ dirty_get_my_sessions_list() ->
 get_vh_session_list(Server) ->
    LServer = jid:nameprep(Server),
    Mod = get_sm_backend(LServer),
-    [S#session.usr || S <- Mod:get_sessions(LServer)].
+    [S#session.usr || S <- online(Mod:get_sessions(LServer))].

 -spec get_all_pids() -> [pid()].

 get_all_pids() ->
    lists:flatmap(
      fun(Mod) ->
-	      [element(2, S#session.sid) || S <- Mod:get_sessions()]
+	      [element(2, S#session.sid) || S <- online(Mod:get_sessions())]
      end, get_sm_backends()).

 -spec get_vh_session_number(binary()) -> non_neg_integer().
@@ -303,7 +333,7 @@ get_all_pids() ->
 get_vh_session_number(Server) ->
    LServer = jid:nameprep(Server),
    Mod = get_sm_backend(LServer),
-    length(Mod:get_sessions(LServer)).
+    length(online(Mod:get_sessions(LServer))).

 register_iq_handler(Host, XMLNS, Module, Fun) ->
    ejabberd_sm ! {register_iq_handler, Host, XMLNS, Module, Fun}.
@@ -395,6 +425,16 @@ set_session(SID, User, Server, Resource, Priority, Info) ->
    Mod:set_session(#session{sid = SID, usr = USR, us = US,
 			     priority = Priority, info = Info}).

+-spec online([#session{}]) -> [#session{}].
+
+online(Sessions) ->
+    lists:filter(fun is_online/1, Sessions).
+
+-spec is_online(#session{}) -> boolean().
+
+is_online(#session{info = Info}) ->
+    not proplists:get_bool(offline, Info).
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

 do_route(From, To, {broadcast, _} = Packet) ->
@@ -409,7 +449,7 @@ do_route(From, To, {broadcast, _} = Packet) ->
        _ ->
            {U, S, R} = jid:tolower(To),
 	    Mod = get_sm_backend(S),
-	    case Mod:get_sessions(U, S, R) of
+	    case online(Mod:get_sessions(U, S, R)) of
                [] ->
                    ?DEBUG("packet dropped~n", []);
                Ss ->
@@ -511,23 +551,23 @@ do_route(From, To, #xmlel{} = Packet) ->
 	    _ -> ok
 	  end;
      _ ->
-	  Mod = get_sm_backend(LServer),
-	  case Mod:get_sessions(LUser, LServer, LResource) of
+	Mod = get_sm_backend(LServer),
+	case online(Mod:get_sessions(LUser, LServer, LResource)) of
 	    [] ->
 		case Name of
 		  <<"message">> ->
 		      case fxml:get_attr_s(<<"type">>, Attrs) of
 			<<"chat">> -> route_message(From, To, Packet, chat);
-			<<"normal">> -> route_message(From, To, Packet, normal);
-			<<"">> -> route_message(From, To, Packet, normal);
 			<<"headline">> -> ok;
 			<<"error">> -> ok;
-			_ ->
+			<<"groupchat">> ->
 			    ErrTxt = <<"User session not found">>,
 			    Err = jlib:make_error_reply(
 				    Packet,
 				    ?ERRT_SERVICE_UNAVAILABLE(Lang, ErrTxt)),
-			    ejabberd_router:route(To, From, Err)
+			    ejabberd_router:route(To, From, Err);
+			_ ->
+			    route_message(From, To, Packet, normal)
 		      end;
 		  <<"iq">> ->
 		      case fxml:get_attr_s(<<"type">>, Attrs) of
@@ -584,8 +624,8 @@ route_message(From, To, Packet, Type) ->
 					  (P >= 0) and (Type == headline) ->
 				LResource = jid:resourceprep(R),
 				Mod = get_sm_backend(LServer),
-				case Mod:get_sessions(LUser, LServer,
-						      LResource) of
+				case online(Mod:get_sessions(LUser, LServer,
+							     LResource)) of
 				  [] ->
 				      ok; % Race condition
 				  Ss ->
@@ -602,15 +642,12 @@ route_message(From, To, Packet, Type) ->
 	  case Type of
 	    headline -> ok;
 	    _ ->
-		case ejabberd_auth:is_user_exists(LUser, LServer) of
+		case ejabberd_auth:is_user_exists(LUser, LServer) andalso
+		    is_privacy_allow(From, To, Packet) of
 		  true ->
-		      case is_privacy_allow(From, To, Packet) of
-			true ->
-			    ejabberd_hooks:run(offline_message_hook, LServer,
-					       [From, To, Packet]);
-			false -> ok
-		      end;
-		  _ ->
+		      ejabberd_hooks:run(offline_message_hook, LServer,
+					 [From, To, Packet]);
+		  false ->
 		      Err = jlib:make_error_reply(Packet,
 						  ?ERR_SERVICE_UNAVAILABLE),
 		      ejabberd_router:route(To, From, Err)
@@ -645,9 +682,15 @@ check_for_sessions_to_replace(User, Server, Resource) ->
    check_max_sessions(LUser, LServer).

 check_existing_resources(LUser, LServer, LResource) ->
-    SIDs = get_resource_sessions(LUser, LServer, LResource),
-    if SIDs == [] -> ok;
+    Mod = get_sm_backend(LServer),
+    Ss = Mod:get_sessions(LUser, LServer, LResource),
+    {OnlineSs, OfflineSs} = lists:partition(fun is_online/1, Ss),
+    lists:foreach(fun(#session{sid = S}) ->
+			  Mod:delete_session(LUser, LServer, LResource, S)
+		  end, OfflineSs),
+    if OnlineSs == [] -> ok;
       true ->
+	   SIDs = [SID || #session{sid = SID} <- OnlineSs],
 	   MaxSID = lists:max(SIDs),
 	   lists:foreach(fun ({_, Pid} = S) when S /= MaxSID ->
 				 Pid ! replaced;
@@ -666,11 +709,11 @@ get_resource_sessions(User, Server, Resource) ->
    LServer = jid:nameprep(Server),
    LResource = jid:resourceprep(Resource),
    Mod = get_sm_backend(LServer),
-    [S#session.sid || S <- Mod:get_sessions(LUser, LServer, LResource)].
+    [S#session.sid || S <- online(Mod:get_sessions(LUser, LServer, LResource))].

 check_max_sessions(LUser, LServer) ->
    Mod = get_sm_backend(LServer),
-    SIDs = [S#session.sid || S <- Mod:get_sessions(LUser, LServer)],
+    SIDs = [S#session.sid || S <- online(Mod:get_sessions(LUser, LServer))],
    MaxSessions = get_max_user_sessions(LUser, LServer),
    if length(SIDs) =< MaxSessions -> ok;
       true -> {_, Pid} = lists:min(SIDs), Pid ! replaced
@@ -724,7 +767,7 @@ process_iq(From, To, Packet) ->

 force_update_presence({LUser, LServer}) ->
    Mod = get_sm_backend(LServer),
-    Ss = Mod:get_sessions(LUser, LServer),
+    Ss = online(Mod:get_sessions(LUser, LServer)),
    lists:foreach(fun (#session{sid = {_, Pid}}) ->
 			  Pid ! {force_update_presence, LUser, LServer}
 		  end,
@@ -21,48 +21,12 @@
 -include("logger.hrl").
 -include("jlib.hrl").

-define(PROCNAME, 'ejabberd_redis_client').
-
 %%%===================================================================
 %%% API
 %%%===================================================================
 -spec init() -> ok | {error, any()}.
 init() ->
-    Server = ejabberd_config:get_option(redis_server,
-					fun iolist_to_list/1,
-					"localhost"),
-    Port = ejabberd_config:get_option(redis_port,
-				      fun(P) when is_integer(P),
-						  P>0, P<65536 ->
-					      P
-				      end, 6379),
-    DB = ejabberd_config:get_option(redis_db,
-				    fun(I) when is_integer(I), I >= 0 ->
-					    I
-				    end, 0),
-    Pass = ejabberd_config:get_option(redis_password,
-				      fun iolist_to_list/1,
-				      ""),
-    ReconnTimeout = timer:seconds(
-		      ejabberd_config:get_option(
-			redis_reconnect_timeout,
-			fun(I) when is_integer(I), I>0 -> I end,
-			1)),
-    ConnTimeout = timer:seconds(
-		    ejabberd_config:get_option(
-		      redis_connect_timeout,
-		      fun(I) when is_integer(I), I>0 -> I end,
-		      1)),
-    case eredis:start_link(Server, Port, DB, Pass,
-			   ReconnTimeout, ConnTimeout) of
-	{ok, Client} ->
-	    register(?PROCNAME, Client),
-	    clean_table(),
-	    ok;
-	{error, _} = Err ->
-	    ?ERROR_MSG("failed to start redis client: ~p", [Err]),
-	    Err
-    end.
+    clean_table().

 -spec set_session(#session{}) -> ok.
 set_session(Session) ->
@@ -71,8 +35,8 @@ set_session(Session) ->
    SIDKey = sid_to_key(Session#session.sid),
    ServKey = server_to_key(element(2, Session#session.us)),
    USSIDKey = us_sid_to_key(Session#session.us, Session#session.sid),
-    case eredis:qp(?PROCNAME, [["HSET", USKey, SIDKey, T],
-			       ["HSET", ServKey, USSIDKey, T]]) of
+    case ejabberd_redis:qp([["HSET", USKey, SIDKey, T],
+			    ["HSET", ServKey, USSIDKey, T]]) of
 	[{ok, _}, {ok, _}] ->
 	    ok;
 	Err ->
@@ -83,7 +47,7 @@ set_session(Session) ->
 			    {ok, #session{}} | {error, notfound}.
 delete_session(LUser, LServer, _LResource, SID) ->
    USKey = us_to_key({LUser, LServer}),
-    case eredis:q(?PROCNAME, ["HGETALL", USKey]) of
+    case ejabberd_redis:q(["HGETALL", USKey]) of
 	{ok, Vals} ->
 	    Ss = decode_session_list(Vals),
 	    case lists:keyfind(SID, #session.sid, Ss) of
@@ -93,8 +57,8 @@ delete_session(LUser, LServer, _LResource, SID) ->
 		    SIDKey = sid_to_key(SID),
 		    ServKey = server_to_key(element(2, Session#session.us)),
 		    USSIDKey = us_sid_to_key(Session#session.us, SID),
-		    eredis:qp(?PROCNAME, [["HDEL", USKey, SIDKey],
-					  ["HDEL", ServKey, USSIDKey]]),
+		    ejabberd_redis:qp([["HDEL", USKey, SIDKey],
+				       ["HDEL", ServKey, USSIDKey]]),
 		    {ok, Session}
 	    end;
 	Err ->
@@ -112,7 +76,7 @@ get_sessions() ->
 -spec get_sessions(binary()) -> [#session{}].
 get_sessions(LServer) ->
    ServKey = server_to_key(LServer),
-    case eredis:q(?PROCNAME, ["HGETALL", ServKey]) of
+    case ejabberd_redis:q(["HGETALL", ServKey]) of
 	{ok, Vals} ->
 	    decode_session_list(Vals);
 	Err ->
@@ -123,7 +87,7 @@ get_sessions(LServer) ->
 -spec get_sessions(binary(), binary()) -> [#session{}].
 get_sessions(LUser, LServer) ->
    USKey = us_to_key({LUser, LServer}),
-    case eredis:q(?PROCNAME, ["HGETALL", USKey]) of
+    case ejabberd_redis:q(["HGETALL", USKey]) of
 	{ok, Vals} when is_list(Vals) ->
 	    decode_session_list(Vals);
 	Err ->
@@ -135,7 +99,7 @@ get_sessions(LUser, LServer) ->
    [#session{}].
 get_sessions(LUser, LServer, LResource) ->
    USKey = us_to_key({LUser, LServer}),
-    case eredis:q(?PROCNAME, ["HGETALL", USKey]) of
+    case ejabberd_redis:q(["HGETALL", USKey]) of
 	{ok, Vals} when is_list(Vals) ->
 	    [S || S <- decode_session_list(Vals),
 		  element(3, S#session.usr) == LResource];
@@ -172,7 +136,7 @@ clean_table() ->
    lists:foreach(
      fun(LServer) ->
 	      ServKey = server_to_key(LServer),
-	      case eredis:q(?PROCNAME, ["HKEYS", ServKey]) of
+	      case ejabberd_redis:q(["HKEYS", ServKey]) of
 		  {ok, []} ->
 		      ok;
 		  {ok, Vals} ->
@@ -181,7 +145,10 @@ clean_table() ->
 					{_, SID} = binary_to_term(USSIDKey),
 					node(element(2, SID)) == node()
 				end, Vals),
-		      Q1 = ["HDEL", ServKey | Vals1],
+				Q1 = case Vals1 of
+					[] -> [];
+					_ -> ["HDEL", ServKey | Vals1]
+				end,
 		      Q2 = lists:map(
 			     fun(USSIDKey) ->
 				     {US, SID} = binary_to_term(USSIDKey),
@@ -189,7 +156,7 @@ clean_table() ->
 				     SIDKey = sid_to_key(SID),
 				     ["HDEL", USKey, SIDKey]
 			     end, Vals1),
-		      Res = eredis:qp(?PROCNAME, [Q1|Q2]),
+		      Res = ejabberd_redis:qp(lists:delete([], [Q1|Q2])),
 		      case lists:filter(
 			     fun({ok, _}) -> false;
 				(_) -> true
@@ -8,6 +8,8 @@
 %%%-------------------------------------------------------------------
 -module(ejabberd_sm_sql).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 -behaviour(ejabberd_sm).

 %% API
@@ -23,18 +25,19 @@
 -include("ejabberd_sm.hrl").
 -include("logger.hrl").
 -include("jlib.hrl").
+-include("ejabberd_sql_pt.hrl").

 %%%===================================================================
 %%% API
 %%%===================================================================
 -spec init() -> ok | {error, any()}.
 init() ->
-    Node = ejabberd_sql:escape(jlib:atom_to_binary(node())),
+    Node = jlib:atom_to_binary(node()),
    ?INFO_MSG("Cleaning SQL SM table...", []),
    lists:foldl(
      fun(Host, ok) ->
 	      case ejabberd_sql:sql_query(
-		     Host, [<<"delete from sm where node='">>, Node, <<"'">>]) of
+		     Host, ?SQL("delete from sm where node=%(Node)s")) of
 		  {updated, _} ->
 		      ok;
 		  Err ->
@@ -47,20 +50,19 @@ init() ->

 set_session(#session{sid = {Now, Pid}, usr = {U, LServer, R},
 		     priority = Priority, info = Info}) ->
-    Username = ejabberd_sql:escape(U),
-    Resource = ejabberd_sql:escape(R),
-    InfoS = ejabberd_sql:encode_term(Info),
+    InfoS = jlib:term_to_expr(Info),
    PrioS = enc_priority(Priority),
    TS = now_to_timestamp(Now),
    PidS = list_to_binary(erlang:pid_to_list(Pid)),
-    Node = ejabberd_sql:escape(jlib:atom_to_binary(node(Pid))),
-    case sql_queries:update(
-	   LServer,
-	   <<"sm">>,
-	   [<<"usec">>, <<"pid">>, <<"node">>, <<"username">>,
-	    <<"resource">>, <<"priority">>, <<"info">>],
-	   [TS, PidS, Node, Username, Resource, PrioS, InfoS],
-	   [<<"usec='">>, TS, <<"' and pid='">>, PidS, <<"'">>]) of
+    Node = jlib:atom_to_binary(node(Pid)),
+    case ?SQL_UPSERT(LServer, "sm",
+                     ["!usec=%(TS)d",
+                      "!pid=%(PidS)s",
+                      "node=%(Node)s",
+                      "username=%(U)s",
+                      "resource=%(R)s",
+                      "priority=%(PrioS)s",
+                      "info=%(InfoS)s"]) of
 	ok ->
 	    ok;
 	Err ->
@@ -72,14 +74,16 @@ delete_session(_LUser, LServer, _LResource, {Now, Pid}) ->
    PidS = list_to_binary(erlang:pid_to_list(Pid)),
    case ejabberd_sql:sql_query(
 	   LServer,
-	   [<<"select usec, pid, username, resource, priority, info ">>,
-	    <<"from sm where usec='">>, TS, <<"' and pid='">>,PidS, <<"'">>]) of
-	{selected, _, [Row]} ->
-	    ejabberd_sql:sql_query(
-	      LServer, [<<"delete from sm where usec='">>,
-			TS, <<"' and pid='">>, PidS, <<"'">>]),
+	   ?SQL("select @(usec)d, @(pid)s, @(username)s,"
+                " @(resource)s, @(priority)s, @(info)s "
+                "from sm where usec=%(TS)d and pid=%(PidS)s")) of
+	{selected, [Row]} ->
+            ejabberd_sql:sql_query(
+              LServer,
+              ?SQL("delete from sm"
+                   " where usec=%(TS)d and pid=%(PidS)s")),
 	    {ok, row_to_session(LServer, Row)};
-	{selected, _, []} ->
+	{selected, []} ->
 	    {error, notfound};
 	Err ->
 	    ?ERROR_MSG("failed to delete from 'sm' table: ~p", [Err]),
@@ -94,9 +98,10 @@ get_sessions() ->

 get_sessions(LServer) ->
    case ejabberd_sql:sql_query(
-	   LServer, [<<"select usec, pid, username, ">>,
-		     <<"resource, priority, info from sm">>]) of
-	{selected, _, Rows} ->
+	   LServer,
+           ?SQL("select @(usec)d, @(pid)s, @(username)s,"
+                " @(resource)s, @(priority)s, @(info)s from sm")) of
+	{selected, Rows} ->
 	    [row_to_session(LServer, Row) || Row <- Rows];
 	Err ->
 	    ?ERROR_MSG("failed to select from 'sm' table: ~p", [Err]),
@@ -104,12 +109,12 @@ get_sessions(LServer) ->
    end.

 get_sessions(LUser, LServer) ->
-    Username = ejabberd_sql:escape(LUser),
    case ejabberd_sql:sql_query(
-	   LServer, [<<"select usec, pid, username, ">>,
-		     <<"resource, priority, info from sm where ">>,
-		     <<"username='">>, Username, <<"'">>]) of
-	{selected, _, Rows} ->
+	   LServer,
+           ?SQL("select @(usec)d, @(pid)s, @(username)s,"
+                " @(resource)s, @(priority)s, @(info)s from sm"
+                " where username=%(LUser)s")) of
+	{selected, Rows} ->
 	    [row_to_session(LServer, Row) || Row <- Rows];
 	Err ->
 	    ?ERROR_MSG("failed to select from 'sm' table: ~p", [Err]),
@@ -117,14 +122,12 @@ get_sessions(LUser, LServer) ->
    end.

 get_sessions(LUser, LServer, LResource) ->
-    Username = ejabberd_sql:escape(LUser),
-    Resource = ejabberd_sql:escape(LResource),
    case ejabberd_sql:sql_query(
-	   LServer, [<<"select usec, pid, username, ">>,
-		     <<"resource, priority, info from sm where ">>,
-		     <<"username='">>, Username, <<"' and resource='">>,
-		     Resource, <<"'">>]) of
-	{selected, _, Rows} ->
+	   LServer,
+           ?SQL("select @(usec)d, @(pid)s, @(username)s,"
+                " @(resource)s, @(priority)s, @(info)s from sm"
+                " where username=%(LUser)s and resource=%(LResource)s")) of
+	{selected, Rows} ->
 	    [row_to_session(LServer, Row) || Row <- Rows];
 	Err ->
 	    ?ERROR_MSG("failed to select from 'sm' table: ~p", [Err]),
@@ -135,10 +138,9 @@ get_sessions(LUser, LServer, LResource) ->
 %%% Internal functions
 %%%===================================================================
 now_to_timestamp({MSec, Sec, USec}) ->
-    jlib:integer_to_binary((MSec * 1000000 + Sec) * 1000000 + USec).
+    (MSec * 1000000 + Sec) * 1000000 + USec.

-timestamp_to_now(TS) ->
-    I = jlib:binary_to_integer(TS),
+timestamp_to_now(I) ->
    Head = I div 1000000,
    USec = I rem 1000000,
    MSec = Head div 1000000,
@@ -158,7 +160,7 @@ enc_priority(undefined) ->
 enc_priority(Int) when is_integer(Int) ->
    jlib:integer_to_binary(Int).

-row_to_session(LServer, [USec, PidS, User, Resource, PrioS, InfoS]) ->
+row_to_session(LServer, {USec, PidS, User, Resource, PrioS, InfoS}) ->
    Now = timestamp_to_now(USec),
    Pid = erlang:list_to_pid(binary_to_list(PidS)),
    Priority = dec_priority(PrioS),
@@ -1,7 +1,7 @@
 %%%----------------------------------------------------------------------
-%%% File    : ejabberd_odbc.erl
+%%% File    : ejabberd_sql.erl
 %%% Author  : Alexey Shchepin <alexey@process-one.net>
-%%% Purpose : Serve ODBC connection
+%%% Purpose : Serve SQL connection
 %%% Created :  8 Dec 2004 by Alexey Shchepin <alexey@process-one.net>
 %%%
 %%%
@@ -39,9 +39,12 @@
 	 sql_query_t/1,
 	 sql_transaction/2,
 	 sql_bloc/2,
+         sql_query_to_iolist/1,
 	 escape/1,
+         standard_escape/1,
 	 escape_like/1,
 	 escape_like_arg/1,
+	 escape_like_arg_circumflex/1,
 	 to_bool/1,
 	 sqlite_db/1,
 	 sqlite_file/1,
@@ -199,6 +202,7 @@ escape_like(S) when is_binary(S) ->
    << <<(escape_like(C))/binary>> || <<C>> <= S >>;
 escape_like($%) -> <<"\\%">>;
 escape_like($_) -> <<"\\_">>;
+escape_like($\\) -> <<"\\\\\\\\">>;
 escape_like(C) when is_integer(C), C >= 0, C =< 255 -> sql_queries:escape(C).

 escape_like_arg(S) when is_binary(S) ->
@@ -208,6 +212,15 @@ escape_like_arg($_) -> <<"\\_">>;
 escape_like_arg($\\) -> <<"\\\\">>;
 escape_like_arg(C) when is_integer(C), C >= 0, C =< 255 -> <<C>>.

+escape_like_arg_circumflex(S) when is_binary(S) ->
+    << <<(escape_like_arg_circumflex(C))/binary>> || <<C>> <= S >>;
+escape_like_arg_circumflex($%) -> <<"^%">>;
+escape_like_arg_circumflex($_) -> <<"^_">>;
+escape_like_arg_circumflex($^) -> <<"^^">>;
+escape_like_arg_circumflex($[) -> <<"^[">>;     % For MSSQL
+escape_like_arg_circumflex($]) -> <<"^]">>;
+escape_like_arg_circumflex(C) when is_integer(C), C >= 0, C =< 255 -> <<C>>.
+
 to_bool(<<"t">>) -> true;
 to_bool(<<"true">>) -> true;
 to_bool(<<"1">>) -> true;
@@ -507,7 +520,7 @@ sql_query_internal(#sql_query{} = Query) ->
                odbc ->
                    generic_sql_query(Query);
 		mssql ->
-		    generic_sql_query(Query);
+		    mssql_sql_query(Query);
                pgsql ->
                    Key = {?PREPARE_KEY, Query#sql_query.hash},
                    case get(Key) of
@@ -533,7 +546,7 @@ sql_query_internal(#sql_query{} = Query) ->
                mysql ->
                    generic_sql_query(Query);
                sqlite ->
-                    generic_sql_query(Query)
+                    sqlite_sql_query(Query)
            end
        catch
            Class:Reason ->
@@ -622,6 +635,32 @@ generic_escape() ->
                          end
               }.

+sqlite_sql_query(SQLQuery) ->
+    sql_query_format_res(
+      sql_query_internal(sqlite_sql_query_format(SQLQuery)),
+      SQLQuery).
+
+sqlite_sql_query_format(SQLQuery) ->
+    Args = (SQLQuery#sql_query.args)(sqlite_escape()),
+    (SQLQuery#sql_query.format_query)(Args).
+
+sqlite_escape() ->
+    #sql_escape{string = fun(X) -> <<"'", (standard_escape(X))/binary, "'">> end,
+                integer = fun(X) -> integer_to_binary(X) end,
+                boolean = fun(true) -> <<"1">>;
+                             (false) -> <<"0">>
+                          end
+               }.
+
+standard_escape(S) ->
+    << <<(case Char of
+              $' -> << "''" >>;
+              _ -> << Char >>
+          end)/binary>> || <<Char>> <= S >>.
+
+mssql_sql_query(SQLQuery) ->
+    sqlite_sql_query(SQLQuery).
+
 pgsql_prepare(SQLQuery, State) ->
    Escape = #sql_escape{_ = fun(X) -> X end},
    N = length((SQLQuery#sql_query.args)(Escape)),
@@ -668,6 +707,9 @@ sql_query_format_res({selected, _, Rows}, SQLQuery) ->
 sql_query_format_res(Res, _SQLQuery) ->
    Res.

+sql_query_to_iolist(SQLQuery) ->
+    generic_sql_query_format(SQLQuery).
+
 %% Generate the OTP callback return tuple depending on the driver result.
 abort_on_driver_error({error, <<"query timed out">>} =
 			  Reply,
@@ -748,7 +790,7 @@ pgsql_connect(Server, Port, DB, Username, Password) ->
                        {port, Port},
                        {as_binary, true}]) of
        {ok, Ref} ->
-            pgsql:squery(Ref, [<<"alter database ">>, DB, <<" set ">>,
+            pgsql:squery(Ref, [<<"alter database \"">>, DB, <<"\" set ">>,
                               <<"standard_conforming_strings='off';">>]),
            pgsql:squery(Ref, [<<"set standard_conforming_strings to 'off';">>]),
            {ok, Ref};
@@ -305,20 +305,24 @@ parse_upsert(Fields) ->
                                 "a constant string"})
                  end
          end, {[], 0}, Fields),
-    %io:format("asd ~p~n", [{Fields, Fs}]),
+    %io:format("upsert ~p~n", [{Fields, Fs}]),
    Fs.

+%% key | {Update}
 parse_upsert_field([$! | S], ParamPos, Loc) ->
    {Name, ParseState} = parse_upsert_field1(S, [], ParamPos, Loc),
-    {Name, true, ParseState};
+    {Name, key, ParseState};
+parse_upsert_field([$- | S], ParamPos, Loc) ->
+    {Name, ParseState} = parse_upsert_field1(S, [], ParamPos, Loc),
+    {Name, {false}, ParseState};
 parse_upsert_field(S, ParamPos, Loc) ->
    {Name, ParseState} = parse_upsert_field1(S, [], ParamPos, Loc),
-    {Name, false, ParseState}.
+    {Name, {true}, ParseState}.

 parse_upsert_field1([], _Acc, _ParamPos, Loc) ->
    throw({error, Loc,
           "?SQL_UPSERT fields must have the "
-           "following form: \"[!]name=value\""});
+           "following form: \"[!-]name=value\""});
 parse_upsert_field1([$= | S], Acc, ParamPos, Loc) ->
    {lists:reverse(Acc), parse(S, ParamPos, Loc)};
 parse_upsert_field1([C | S], Acc, ParamPos, Loc) ->
@@ -376,9 +380,9 @@ make_sql_upsert_generic(Table, ParseRes) ->
 make_sql_upsert_update(Table, ParseRes) ->
    WPairs =
        lists:flatmap(
-          fun({_Field, false, _ST}) ->
+          fun({_Field, {_}, _ST}) ->
                  [];
-             ({Field, true, ST}) ->
+             ({Field, key, ST}) ->
                  [ST#state{
                     'query' = [{str, Field}, {str, "="}] ++ ST#state.'query'
                    }]
@@ -386,9 +390,11 @@ make_sql_upsert_update(Table, ParseRes) ->
    Where = join_states(WPairs, " AND "),
    SPairs =
        lists:flatmap(
-          fun({_Field, true, _ST}) ->
+          fun({_Field, key, _ST}) ->
                  [];
-             ({Field, false, ST}) ->
+             ({_Field, {false}, _ST}) ->
+                  [];
+             ({Field, {true}, ST}) ->
                  [ST#state{
                     'query' = [{str, Field}, {str, "="}] ++ ST#state.'query'
                    }]
@@ -462,7 +468,7 @@ check_upsert(ParseRes, Pos) ->
    Set =
        lists:filter(
          fun({_Field, Match, _ST}) ->
-                  not Match
+                  Match /= key
          end, ParseRes),
    case Set of
        [] ->
@@ -74,20 +74,27 @@ get_acl_rule([<<"vhosts">>], _) ->
 %% The pages of a vhost are only accesible if the user is admin of that vhost:
 get_acl_rule([<<"server">>, VHost | _RPath], Method)
    when Method =:= 'GET' orelse Method =:= 'HEAD' ->
-    {VHost, [configure, webadmin_view]};
+    AC = gen_mod:get_module_opt(VHost, ejabberd_web_admin,
+				access, fun(A) -> A end, configure),
+    ACR = gen_mod:get_module_opt(VHost, ejabberd_web_admin,
+				 access_readonly, fun(A) -> A end, webadmin_view),
+    {VHost, [AC, ACR]};
 get_acl_rule([<<"server">>, VHost | _RPath], 'POST') ->
-    {VHost, [configure]};
+    AC = gen_mod:get_module_opt(VHost, ejabberd_web_admin,
+				access, fun(A) -> A end, configure),
+    {VHost, [AC]};
 %% Default rule: only global admins can access any other random page
 get_acl_rule(_RPath, Method)
    when Method =:= 'GET' orelse Method =:= 'HEAD' ->
-    {global, [configure, webadmin_view]};
-get_acl_rule(_RPath, 'POST') -> {global, [configure]}.
-
-is_acl_match(Host, Rules, Jid) ->
-    lists:any(fun (Rule) ->
-		      allow == acl:match_rule(Host, Rule, Jid)
-	      end,
-	      Rules).
+    AC = gen_mod:get_module_opt(global, ejabberd_web_admin,
+				access, fun(A) -> A end, configure),
+    ACR = gen_mod:get_module_opt(global, ejabberd_web_admin,
+				 access_readonly, fun(A) -> A end, webadmin_view),
+    {global, [AC, ACR]};
+get_acl_rule(_RPath, 'POST') ->
+    AC = gen_mod:get_module_opt(global, ejabberd_web_admin,
+				access, fun(A) -> A end, configure),
+    {global, [AC]}.

 %%%==================================
 %%%% Menu Items Access
@@ -138,7 +145,7 @@ is_allowed_path([<<"admin">> | Path], JID) ->
    is_allowed_path(Path, JID);
 is_allowed_path(Path, JID) ->
    {HostOfRule, AccessRule} = get_acl_rule(Path, 'GET'),
-    is_acl_match(HostOfRule, AccessRule, JID).
+    acl:any_rules_allowed(HostOfRule, AccessRule, JID).

 %% @spec(Path) -> URL
 %% where Path = [string()]
@@ -266,8 +273,8 @@ get_auth_account(HostOfRule, AccessRule, User, Server,
 		 Pass) ->
    case ejabberd_auth:check_password(User, <<"">>, Server, Pass) of
      true ->
-	  case is_acl_match(HostOfRule, AccessRule,
-			    jid:make(User, Server, <<"">>))
+	  case acl:any_rules_allowed(HostOfRule, AccessRule,
+                               jid:make(User, Server, <<"">>))
 	      of
 	    false -> {unauthorized, <<"unprivileged-account">>};
 	    true -> {ok, {User, Server}}
@@ -1333,7 +1340,7 @@ parse_access_rule(Text) ->
 list_vhosts(Lang, JID) ->
    Hosts = (?MYHOSTS),
    HostsAllowed = lists:filter(fun (Host) ->
-					is_acl_match(Host,
+					acl:any_rules_allowed(Host,
 						     [configure, webadmin_view],
 						     JID)
 				end,
@@ -2965,7 +2972,8 @@ make_menu_item(item, 3, URI, Name, Lang) ->
 %%%==================================


-opt_type(access) -> fun (V) -> V end;
-opt_type(_) -> [access].
+opt_type(access) -> fun acl:access_rules_validator/1;
+opt_type(access_readonly) -> fun acl:access_rules_validator/1;
+opt_type(_) -> [access, access_readonly].

 %%% vim: set foldmethod=marker foldmarker=%%%%,%%%=:
@@ -373,6 +373,10 @@ try_do_command(AccessCommands, Auth, Command, AttrL,
 			       "The call provided additional unused "
 				 "arguments:~n~p",
 			       [ExitAtL]);
+      exit:{invalid_arg_type, Arg, Type} ->
+	  build_fault_response(-122,
+			       "Parameter '~p' can't be coerced to type '~p'",
+			       [Arg, Type]);
      Why ->
 	  build_fault_response(-118,
 			       "A problem '~p' occurred executing the "
@@ -472,7 +476,7 @@ format_arg(undefined, binary) -> <<>>;
 format_arg(undefined, string) -> "";
 format_arg(Arg, Format) ->
    ?ERROR_MSG("don't know how to format Arg ~p for format ~p", [Arg, Format]),
-    error.
+    exit({invalid_arg_type, Arg, Format}).

 process_unicode_codepoints(Str) ->
    iolist_to_binary(lists:map(fun(X) when X > 255 -> unicode:characters_to_binary([X]);
@@ -28,6 +28,7 @@
 -author('alexey@process-one.net').

 -include("logger.hrl").
+-include("ejabberd_sql_pt.hrl").

 -export([export/2, export/3, import_file/2, import/2,
 	 import/3, delete/1]).
@@ -76,7 +77,12 @@ export(Server, Output, Module) ->
    IO = prepare_output(Output),
    lists:foreach(
      fun({Table, ConvertFun}) ->
-              export(LServer, Table, IO, ConvertFun)
+              case export(LServer, Table, IO, ConvertFun) of
+                  {atomic, ok} -> ok;
+                  {aborted, Reason} ->
+                      ?ERROR_MSG("Failed export for module ~p: ~p",
+                                 [Module, Reason])
+              end
      end, Module:export(Server)),
    close_output(Output, IO).

@@ -150,7 +156,8 @@ export(LServer, Table, IO, ConvertFun) ->
                              case ConvertFun(LServer, R) of
                                  [] ->
                                      Acc;
-                                  SQL ->
+                                  SQL1 ->
+                                      SQL = format_queries(SQL1),
                                      if N < (?MAX_RECORDS_PER_TRANSACTION) - 1 ->
                                              {N + 1, [SQL | SQLs]};
                                         true ->
@@ -179,7 +186,7 @@ delete(LServer, Table, ConvertFun) ->
                mnesia:write_lock_table(Table),
                {_N, SQLs} =
                    mnesia:foldl(
-                      fun(R, {N, SQLs} = Acc) ->
+                      fun(R, Acc) ->
                              case ConvertFun(LServer, R) of
                                  [] ->
                                      Acc;
@@ -313,3 +320,11 @@ flatten1([H|T], Acc) ->
    flatten1(T, [[H, $\n]|Acc]);
 flatten1([], Acc) ->
    Acc.
+
+format_queries(SQLs) ->
+    lists:map(
+      fun(#sql_query{} = SQL) ->
+              ejabberd_sql:sql_query_to_iolist(SQL);
+         (SQL) ->
+              SQL
+      end, SQLs).
@@ -271,7 +271,7 @@ geturl(Url, Hdrs, UsrOpts) ->
        [U, Pass] -> [{proxy_user, U}, {proxy_password, Pass}];
        _ -> []
    end,
-    case httpc:request(get, {Url, Hdrs}, Host++User++UsrOpts, []) of
+    case httpc:request(get, {Url, Hdrs}, Host++User++UsrOpts++[{version, "HTTP/1.0"}], []) of
        {ok, {{_, 200, _}, Headers, Response}} ->
            {ok, Headers, Response};
        {ok, {{_, Code, _}, _Headers, Response}} ->
@@ -484,17 +484,28 @@ compile_deps(_Module, _Spec, DestDir) ->
    filelib:ensure_dir(filename:join(Ebin, ".")),
    Result = lists:foldl(fun(Dep, Acc) ->
                Inc = filename:join(Dep, "include"),
+                Lib = filename:join(Dep, "lib"),
                Src = filename:join(Dep, "src"),
                Options = [{outdir, Ebin}, {i, Inc}],
                [file:copy(App, Ebin) || App <- filelib:wildcard(Src++"/*.app")],
-                Acc++[case compile:file(File, Options) of
+
+                %% Compile erlang files
+                Acc1 = Acc ++ [case compile:file(File, Options) of
                        {ok, _} -> ok;
                        {ok, _, _} -> ok;
                        {ok, _, _, _} -> ok;
                        error -> {error, {compilation_failed, File}};
                        Error -> Error
                    end
-                     || File <- filelib:wildcard(Src++"/*.erl")]
+                     || File <- filelib:wildcard(Src++"/*.erl")],
+
+                %% Compile elixir files
+                Acc1 ++ [case compile_elixir_file(Ebin, File) of
+                  {ok, _} -> ok;
+                  {error, File} -> {error, {compilation_failed, File}}
+                end
+                 || File <- filelib:wildcard(Lib ++ "/*.ex")]
+
        end, [], filelib:wildcard("deps/*")),
    case lists:dropwhile(
            fun(ok) -> true;
@@ -515,6 +526,8 @@ compile(_Module, _Spec, DestDir) ->
               verbose, report_errors, report_warnings]
              ++ ExtLib,
    [file:copy(App, Ebin) || App <- filelib:wildcard("src/*.app")],
+
+    %% Compile erlang files
    Result = [case compile:file(File, Options) of
            {ok, _} -> ok;
            {ok, _, _} -> ok;
@@ -523,14 +536,32 @@ compile(_Module, _Spec, DestDir) ->
            Error -> Error
        end
        || File <- filelib:wildcard("src/*.erl")],
+
+    %% Compile elixir files
+    Result1 = Result ++ [case compile_elixir_file(Ebin, File) of
+      {ok, _} -> ok;
+      {error, File} -> {error, {compilation_failed, File}}
+    end
+    || File <- filelib:wildcard("lib/*.ex")],
+
    case lists:dropwhile(
            fun(ok) -> true;
                (_) -> false
-            end, Result) of
+            end, Result1) of
        [] -> ok;
        [Error|_] -> Error
    end.

+compile_elixir_file(Dest, File) when is_list(Dest) and is_list(File) ->
+  compile_elixir_file(list_to_binary(Dest), list_to_binary(File));
+
+compile_elixir_file(Dest, File) ->
+  try 'Elixir.Kernel.ParallelCompiler':files_to_path([File], Dest, []) of
+    [Module] -> {ok, Module}
+  catch
+    _ -> {error, File}
+  end.
+
 install(Module, Spec, DestDir) ->
    Errors = lists:dropwhile(fun({_, {ok, _}}) -> true;
                                (_) -> false
@@ -52,6 +52,8 @@

 -callback start(binary(), opts()) -> any().
 -callback stop(binary()) -> any().
+-callback mod_opt_type(atom()) -> fun((term()) -> term()) | [atom()].
+-callback depends(binary(), opts()) -> [{module(), hard | soft}].

 -export_type([opts/0]).
 -export_type([db_type/0]).
@@ -76,18 +78,56 @@ start_modules() ->

 get_modules_options(Host) ->
    ejabberd_config:get_option(
-	{modules, Host},
-	fun(Mods) ->
-	    lists:map(
+      {modules, Host},
+      fun(Mods) ->
+	      lists:map(
 		fun({M, A}) when is_atom(M), is_list(A) ->
-		    {M, A}
+			{M, A}
 		end, Mods)
-	end, []).
+      end, []).
+
+sort_modules(Host, ModOpts) ->
+    G = digraph:new([acyclic]),
+    lists:foreach(
+      fun({Mod, Opts}) ->
+	      digraph:add_vertex(G, Mod, Opts),
+	      Deps = try Mod:depends(Host, Opts) catch _:undef -> [] end,
+	      lists:foreach(
+		fun({DepMod, Type}) ->
+			case lists:keyfind(DepMod, 1, ModOpts) of
+			    false when Type == hard ->
+				ErrTxt = io_lib:format(
+					   "failed to load module '~s' "
+					   "because it depends on module '~s' "
+					   "which is not found in the config",
+					   [Mod, DepMod]),
+				?ERROR_MSG(ErrTxt, []),
+				digraph:del_vertex(G, Mod),
+				maybe_halt_ejabberd(ErrTxt);
+			    false when Type == soft ->
+				?WARNING_MSG("module '~s' is recommended for "
+					     "module '~s' but is not found in "
+					     "the config",
+					     [DepMod, Mod]);
+			    {DepMod, DepOpts} ->
+				digraph:add_vertex(G, DepMod, DepOpts),
+				case digraph:add_edge(G, DepMod, Mod) of
+				    {error, {bad_edge, Path}} ->
+					?WARNING_MSG("cyclic dependency detected "
+						     "between modules: ~p",
+						     [Path]);
+				    _ ->
+					ok
+				end
+			end
+		end, Deps)
+      end, ModOpts),
+    [digraph:vertex(G, V) || V <- digraph_utils:topsort(G)].

 -spec start_modules(binary()) -> any().

 start_modules(Host) ->
-    Modules = get_modules_options(Host),
+    Modules = sort_modules(Host, get_modules_options(Host)),
    lists:foreach(
 	fun({Module, Opts}) ->
 	    start_module(Host, Module, Opts)
@@ -120,16 +160,20 @@ start_module(Host, Module, Opts0) ->
 			    [Module, Host, Opts, Class, Reason,
 			     erlang:get_stacktrace()]),
 	  ?CRITICAL_MSG(ErrorText, []),
-	  case is_app_running(ejabberd) of
-	    true ->
-		erlang:raise(Class, Reason, erlang:get_stacktrace());
-	    false ->
-		?CRITICAL_MSG("ejabberd initialization was aborted "
-			      "because a module start failed.",
-			      []),
-		timer:sleep(3000),
-		erlang:halt(string:substr(lists:flatten(ErrorText), 1, 199))
-	  end
+          maybe_halt_ejabberd(ErrorText),
+	  erlang:raise(Class, Reason, erlang:get_stacktrace())
+    end.
+
+maybe_halt_ejabberd(ErrorText) ->
+    case is_app_running(ejabberd) of
+	false ->
+	    ?CRITICAL_MSG("ejabberd initialization was aborted "
+			  "because a module start failed.",
+			  []),
+	    timer:sleep(3000),
+	    erlang:halt(string:substr(lists:flatten(ErrorText), 1, 199));
+	true ->
+	    ok
    end.

 is_app_running(AppName) ->
@@ -265,18 +309,25 @@ get_opt_host(Host, Opts, Default) ->
    ejabberd_regexp:greplace(Val, <<"@HOST@">>, Host).

 validate_opts(Module, Opts) ->
-    lists:filter(
+    lists:filtermap(
      fun({Opt, Val}) ->
 	      case catch Module:mod_opt_type(Opt) of
 		  VFun when is_function(VFun) ->
-		      case catch VFun(Val) of
-			  {'EXIT', _} ->
+		      try VFun(Val) of
+			  _ ->
+			      true
+		      catch {replace_with, NewVal} ->
+			      {true, {Opt, NewVal}};
+			    {invalid_syntax, Error} ->
+			      ?ERROR_MSG("ignoring invalid value '~p' for "
+					 "option '~s' of module '~s': ~s",
+					 [Val, Opt, Module, Error]),
+			      false;
+			    _:_ ->
 			      ?ERROR_MSG("ignoring invalid value '~p' for "
 					 "option '~s' of module '~s'",
 					 [Val, Opt, Module]),
-			      false;
-			  _ ->
-			      true
+			      false
 		      end;
 		  L when is_list(L) ->
 		      SOpts = str:join([[$', atom_to_list(A), $'] || A <- L], <<", ">>),
@@ -301,7 +352,7 @@ validate_opts(Module, Opts) ->
 db_type(Opts, Module) when is_list(Opts) ->
    db_type(global, Opts, Module);
 db_type(Host, Module) when is_atom(Module) ->
-    case Module:mod_opt_type(db_type) of
+    case catch Module:mod_opt_type(db_type) of
 	F when is_function(F) ->
 	    case get_module_opt(Host, Module, db_type, F) of
 		undefined -> ejabberd_config:default_db(Host, Module);
@@ -314,7 +365,7 @@ db_type(Host, Module) when is_atom(Module) ->
 -spec db_type(binary(), opts(), module()) -> db_type().

 db_type(Host, Opts, Module) ->
-    case Module:mod_opt_type(db_type) of
+    case catch Module:mod_opt_type(db_type) of
 	F when is_function(F) ->
 	    case get_opt(db_type, Opts, F) of
 		undefined -> ejabberd_config:default_db(Host, Module);
@@ -35,6 +35,7 @@
 -type(pubsubState() :: mod_pubsub:pubsubState()).
 -type(pubsubItem() :: mod_pubsub:pubsubItem()).
 -type(subOptions() :: mod_pubsub:subOptions()).
+-type(pubOptions() :: mod_pubsub:pubOptions()).
 -type(affiliation() :: mod_pubsub:affiliation()).
 -type(subscription() :: mod_pubsub:subscription()).
 -type(subId() :: mod_pubsub:subId()).
@@ -109,7 +110,8 @@
 	PublishModel :: publishModel(),
 	Max_Items :: non_neg_integer(),
 	ItemId :: <<>> | itemId(),
-	Payload :: payload()) ->
+	Payload :: payload(),
+	Options :: pubOptions()) ->
    {result, {default, broadcast, [itemId()]}} |
    {error, xmlel()}.

@@ -50,11 +50,35 @@
 -spec start() -> ok.

 start() ->
+    {ok, Owner} = ets_owner(),
    SplitPattern = binary:compile_pattern([<<"@">>, <<"/">>]),
-    catch ets:new(jlib, [named_table, protected, set, {keypos, 1}]),
+    %% Table is public to allow ETS insert to fix / update the table even if table already exist
+    %% with another owner.
+    catch ets:new(jlib, [named_table, public, set, {keypos, 1}, {heir, Owner, undefined}]),
    ets:insert(jlib, {string_to_jid_pattern, SplitPattern}),
    ok.

+ets_owner() ->
+    case whereis(jlib_ets) of
+        undefined ->
+            Pid = spawn(fun() -> ets_keepalive() end),
+            case catch register(jlib_ets, Pid) of
+                true ->
+                    {ok, Pid};
+                Error -> Error
+            end;
+        Pid ->
+            {ok,Pid}
+    end.
+
+%% Process used to keep jlib ETS table alive in case the original owner dies.
+%% The table need to be public, otherwise subsequent inserts would fail.
+ets_keepalive() ->
+    receive
+        _ ->
+            ets_keepalive()
+    end.
+
 -spec make(binary(), binary(), binary()) -> jid() | error.

 make(User, Server, Resource) ->
@@ -87,7 +111,7 @@ split(#jid{user = U, server = S, resource = R}) ->
 split(_) ->
    error.

-spec from_string([binary()|string()]) -> jid() | error.
+-spec from_string(binary() | string()) -> jid() | error.
 from_string(S) when is_list(S) ->
    %% We do not accept list because we want to enforce good practice of
    %% using binaries for string. However, we do not let it crash to avoid
@@ -43,7 +43,7 @@
 	 get_iq_namespace/1, iq_query_info/1,
 	 iq_query_or_response_info/1, is_iq_request_type/1,
 	 iq_to_xml/1, parse_xdata_submit/1,
-	 is_standalone_chat_state/1,
+	 unwrap_carbon/1, is_standalone_chat_state/1,
 	 add_delay_info/3, add_delay_info/4,
 	 timestamp_to_legacy/1, timestamp_to_iso_basic/1, timestamp_to_iso/2,
 	 now_to_utc_string/1, now_to_local_string/1,
@@ -54,7 +54,8 @@
 	 binary_to_integer/1, binary_to_integer/2,
 	 integer_to_binary/1, integer_to_binary/2,
 	 atom_to_binary/1, binary_to_atom/1, tuple_to_binary/1,
-	 l2i/1, i2l/1, i2l/2, queue_drop_while/2]).
+	 l2i/1, i2l/1, i2l/2, queue_drop_while/2,
+	 expr_to_term/1, term_to_expr/1]).

 %% The following functions are deprecated and will be removed soon
 %% Use corresponding functions from jid.erl instead
@@ -306,21 +307,16 @@ get_iq_namespace(#xmlel{name = <<"iq">>, children = Els}) ->
 get_iq_namespace(_) -> <<"">>.

 %%
-spec(iq_query_info/1 ::
-(
-  Xmlel :: xmlel())
-    -> iq_request() | 'reply' | 'invalid' | 'not_iq'
-).
+-spec iq_query_info(Xmlel :: xmlel()) ->
+			   iq_request() | 'reply' | 'invalid' | 'not_iq'.

 %% @spec (xmlelement()) -> iq() | reply | invalid | not_iq
 iq_query_info(El) -> iq_info_internal(El, request).

 %%
-spec(iq_query_or_response_info/1 ::
-(
-  Xmlel :: xmlel())
-    -> iq_request() | iq_reply() | 'reply' | 'invalid' | 'not_iq'
-).
+-spec iq_query_or_response_info(Xmlel :: xmlel()) ->
+				       iq_request() | iq_reply() |
+				       'reply' | 'invalid' | 'not_iq'.

 iq_query_or_response_info(El) ->
    iq_info_internal(El, any).
@@ -372,31 +368,27 @@ iq_type_to_string(get) -> <<"get">>;
 iq_type_to_string(result) -> <<"result">>;
 iq_type_to_string(error) -> <<"error">>.

-spec(iq_to_xml/1 ::
-(
-  IQ :: iq())
-    -> xmlel()
-).
+-spec iq_to_xml(IQ :: iq()) -> xmlel().

 iq_to_xml(#iq{id = ID, type = Type, sub_el = SubEl}) ->
+    Children = 
+        if
+	    is_list(SubEl) -> SubEl;
+	    true -> [SubEl]
+        end,
    if ID /= <<"">> ->
 	   #xmlel{name = <<"iq">>,
 		  attrs =
 		      [{<<"id">>, ID}, {<<"type">>, iq_type_to_string(Type)}],
-		  children = SubEl};
+		  children = Children};
       true ->
 	   #xmlel{name = <<"iq">>,
 		  attrs = [{<<"type">>, iq_type_to_string(Type)}],
-		  children = SubEl}
+		  children = Children}
    end.

-spec(parse_xdata_submit/1 ::
-(
-  El :: xmlel())
-    -> [{Var::binary(), Values::[binary()]}]
-    %%
-     | 'invalid'
-).
+-spec parse_xdata_submit(El :: xmlel()) ->
+				[{Var::binary(), Values::[binary()]}] | 'invalid'.

 parse_xdata_submit(#xmlel{attrs = Attrs, children = Els}) ->
    case fxml:get_attr_s(<<"type">>, Attrs) of
@@ -408,12 +400,9 @@ parse_xdata_submit(#xmlel{attrs = Attrs, children = Els}) ->
            invalid
    end.

-spec(parse_xdata_fields/2 ::
-(
-  Xmlels :: [xmlel() | cdata()],
-  Res    :: [{Var::binary(), Values :: [binary()]}])
-    -> [{Var::binary(), Values::[binary()]}]
-).
+-spec parse_xdata_fields(Xmlels :: [xmlel() | cdata()],
+			 Res :: [{Var::binary(), Values :: [binary()]}]) ->
+				[{Var::binary(), Values::[binary()]}].

 parse_xdata_fields([], Res) -> Res;
 parse_xdata_fields([#xmlel{name = <<"field">>, attrs = Attrs, children = SubEls}
@@ -428,12 +417,8 @@ parse_xdata_fields([#xmlel{name = <<"field">>, attrs = Attrs, children = SubEls}
 parse_xdata_fields([_ | Els], Res) ->
    parse_xdata_fields(Els, Res).

-spec(parse_xdata_values/2 ::
-(
-  Xmlels :: [xmlel() | cdata()],
-  Res    :: [binary()])
-    -> [binary()]
-).
+-spec parse_xdata_values(Xmlels :: [xmlel() | cdata()],
+			 Res :: [binary()]) -> [binary()].

 parse_xdata_values([], Res) -> Res;
 parse_xdata_values([#xmlel{name = <<"value">>, children = SubEls} | Els], Res) ->
@@ -528,14 +513,64 @@ rsm_encode_count(Count, Arr) ->
 	    children = [{xmlcdata, i2l(Count)}]}
     | Arr].

+-spec unwrap_carbon(xmlel()) -> xmlel().
+
+unwrap_carbon(#xmlel{name = <<"message">>} = Stanza) ->
+    case unwrap_carbon(Stanza, <<"sent">>) of
+      #xmlel{} = Payload ->
+	  Payload;
+      false ->
+	  case unwrap_carbon(Stanza, <<"received">>) of
+	    #xmlel{} = Payload ->
+		Payload;
+	    false ->
+		Stanza
+	  end
+    end;
+unwrap_carbon(Stanza) -> Stanza.
+
+-spec unwrap_carbon(xmlel(), binary()) -> xmlel() | false.
+
+unwrap_carbon(Stanza, Direction) ->
+    case fxml:get_subtag(Stanza, Direction) of
+      #xmlel{name = Direction, attrs = Attrs} = El ->
+	  case fxml:get_attr_s(<<"xmlns">>, Attrs) of
+	    NS when NS == ?NS_CARBONS_2;
+		    NS == ?NS_CARBONS_1 ->
+		case fxml:get_subtag_with_xmlns(El, <<"forwarded">>,
+						?NS_FORWARD) of
+		  #xmlel{children = Els} ->
+		      case fxml:remove_cdata(Els) of
+			[#xmlel{} = Payload] ->
+			    Payload;
+			_ ->
+			    false
+		      end;
+		  false ->
+		      false
+		end;
+	    _NS ->
+		false
+	  end;
+      false ->
+	  false
+    end.
+
 -spec is_standalone_chat_state(xmlel()) -> boolean().

-is_standalone_chat_state(#xmlel{name = <<"message">>, children = Els}) ->
-    Stripped = [El || #xmlel{name = Name, attrs = Attrs} = El <- Els,
-		      fxml:get_attr_s(<<"xmlns">>, Attrs) /= ?NS_CHATSTATES,
-		      Name /= <<"thread">>],
-    Stripped == [];
-is_standalone_chat_state(_El) -> false.
+is_standalone_chat_state(Stanza) ->
+    case unwrap_carbon(Stanza) of
+      #xmlel{name = <<"message">>, children = Els} ->
+	  IgnoreNS = [?NS_CHATSTATES, ?NS_DELAY],
+	  Stripped = [El || #xmlel{name = Name, attrs = Attrs} = El <- Els,
+			    not lists:member(fxml:get_attr_s(<<"xmlns">>,
+							     Attrs),
+					     IgnoreNS),
+			    Name /= <<"thread">>],
+	  Stripped == [];
+      #xmlel{} ->
+	  false
+    end.

 -spec add_delay_info(xmlel(), jid() | ljid() | binary(), erlang:timestamp())
 		     -> xmlel().
@@ -547,33 +582,8 @@ add_delay_info(El, From, Time) ->
 		     binary()) -> xmlel().

 add_delay_info(El, From, Time, Desc) ->
-    case fxml:get_subtag_with_xmlns(El, <<"delay">>, ?NS_DELAY) of
-      false ->
-	  %% Add new tag
-	  DelayTag = create_delay_tag(Time, From, Desc),
-	  fxml:append_subtags(El, [DelayTag]);
-      DelayTag ->
-	  %% Update existing tag
-	  NewDelayTag =
-	      case {fxml:get_tag_cdata(DelayTag), Desc} of
-		{<<"">>, <<"">>} ->
-		    DelayTag;
-		{OldDesc, <<"">>} ->
-		    DelayTag#xmlel{children = [{xmlcdata, OldDesc}]};
-		{<<"">>, NewDesc} ->
-		    DelayTag#xmlel{children = [{xmlcdata, NewDesc}]};
-		{OldDesc, NewDesc} ->
-		    case binary:match(OldDesc, NewDesc) of
-		      nomatch ->
-			  FinalDesc = <<OldDesc/binary, ", ", NewDesc/binary>>,
-			  DelayTag#xmlel{children = [{xmlcdata, FinalDesc}]};
-		      _ ->
-			  DelayTag#xmlel{children = [{xmlcdata, OldDesc}]}
-		    end
-	      end,
-	  NewEl = fxml:remove_subtags(El, <<"delay">>, {<<"xmlns">>, ?NS_DELAY}),
-	  fxml:append_subtags(NewEl, [NewDelayTag])
-    end.
+    DelayTag = create_delay_tag(Time, From, Desc),
+    fxml:append_subtags(El, [DelayTag]).

 -spec create_delay_tag(erlang:timestamp(), jid() | ljid() | binary(), binary())
 		       -> xmlel() | error.
@@ -890,6 +900,14 @@ tuple_to_binary(T) ->
 atom_to_binary(A) ->
    erlang:atom_to_binary(A, utf8).

+expr_to_term(Expr) ->
+    Str = binary_to_list(<<Expr/binary, ".">>),
+    {ok, Tokens, _} = erl_scan:string(Str),
+    {ok, Term} = erl_parse:parse_term(Tokens),
+    Term.
+
+term_to_expr(Term) ->
+    list_to_binary(io_lib:print(Term)).

 l2i(I) when is_integer(I) -> I;
 l2i(L) when is_binary(L) -> binary_to_integer(L).
@@ -35,7 +35,7 @@
 	 process_sm_iq/3, get_local_commands/5,
 	 get_local_identity/5, get_local_features/5,
 	 get_sm_commands/5, get_sm_identity/5, get_sm_features/5,
-	 ping_item/4, ping_command/4, mod_opt_type/1]).
+	 ping_item/4, ping_command/4, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -284,6 +284,9 @@ ping_command(_Acc, _From, _To,
    end;
 ping_command(Acc, _From, _To, _Request) -> Acc.

+depends(_Host, _Opts) ->
+    [].
+
 mod_opt_type(iqdisc) -> fun gen_iq_handler:check_type/1;
 mod_opt_type(report_commands_node) ->
    fun (B) when is_boolean(B) -> B end;
@@ -47,7 +47,7 @@
 	 srg_delete/2, srg_list/1, srg_get_info/2,
 	 srg_get_members/2, srg_user_add/4, srg_user_del/4,
 	 send_message/5, send_stanza/3, send_stanza_c2s/4, privacy_set/3,
-	 stats/1, stats/2, mod_opt_type/1, get_commands_spec/0]).
+	 stats/1, stats/2, mod_opt_type/1, get_commands_spec/0, depends/2]).


 -include("ejabberd.hrl").
@@ -66,6 +66,8 @@ start(_Host, _Opts) ->
 stop(_Host) ->
    ejabberd_commands:unregister_commands(get_commands_spec()).

+depends(_Host, _Opts) ->
+    [].

 %%%
 %%% Register commands
@@ -533,7 +535,7 @@ get_commands_spec() ->
                        policy = user,
 			module = mod_offline, function = count_offline_messages,
 			args = [],
-			result = {res, integer}},
+			result = {value, integer}},
     #ejabberd_commands{name = send_message, tags = [stanza],
 			desc = "Send a message to a local or remote bare of full JID",
 			module = ?MODULE, function = send_message,
@@ -861,28 +863,41 @@ connected_users_vhost(Host) ->

 %% Code copied from ejabberd_sm.erl and customized
 dirty_get_sessions_list2() ->
-    mnesia:dirty_select(
-      session,
-      [{#session{usr = '$1', sid = '$2', priority = '$3', info = '$4', _ = '_'},
-	[],
-	[['$1', '$2', '$3', '$4']]}]).
+    Ss = mnesia:dirty_select(
+	   session,
+	   [{#session{usr = '$1', sid = '$2', priority = '$3', info = '$4',
+		      _ = '_'},
+	     [],
+	     [['$1', '$2', '$3', '$4']]}]),
+    lists:filter(fun([_USR, _SID, _Priority, Info]) ->
+			 not proplists:get_bool(offline, Info)
+		 end, Ss).

 %% Make string more print-friendly
 stringize(String) ->
    %% Replace newline characters with other code
    ejabberd_regexp:greplace(String, <<"\n">>, <<"\\n">>).

+set_presence(User, Host, Resource, Type, Show, Status, Priority)
+        when is_integer(Priority) ->
+    BPriority = integer_to_binary(Priority),
+    set_presence(User, Host, Resource, Type, Show, Status, BPriority);
 set_presence(User, Host, Resource, Type, Show, Status, Priority) ->
-    Pid = ejabberd_sm:get_session_pid(User, Host, Resource),
-    USR = jid:to_string(jid:make(User, Host, Resource)),
-    US = jid:to_string(jid:make(User, Host, <<>>)),
-    Message = {route_xmlstreamelement,
-	       {xmlel, <<"presence">>,
-		[{<<"from">>, USR}, {<<"to">>, US}, {<<"type">>, Type}],
-		[{xmlel, <<"show">>, [], [{xmlcdata, Show}]},
-		 {xmlel, <<"status">>, [], [{xmlcdata, Status}]},
-		 {xmlel, <<"priority">>, [], [{xmlcdata, Priority}]}]}},
-    Pid ! Message.
+    case ejabberd_sm:get_session_pid(User, Host, Resource) of
+	none ->
+	    error;
+	Pid ->
+	    USR = jid:to_string(jid:make(User, Host, Resource)),
+	    US = jid:to_string(jid:make(User, Host, <<>>)),
+	    Message = {route_xmlstreamelement,
+		    {xmlel, <<"presence">>,
+			[{<<"from">>, USR}, {<<"to">>, US}, {<<"type">>, Type}],
+			[{xmlel, <<"show">>, [], [{xmlcdata, Show}]},
+			{xmlel, <<"status">>, [], [{xmlcdata, Status}]},
+			{xmlel, <<"priority">>, [], [{xmlcdata, Priority}]}]}},
+	    Pid ! Message,
+	    ok
+    end.

 user_sessions_info(User, Host) ->
    CurrentSec = calendar:datetime_to_gregorian_seconds({date(), time()}),
@@ -891,7 +906,9 @@ user_sessions_info(User, Host) ->
 		   {'EXIT', _Reason} ->
 		       [];
 		   Ss ->
-		       Ss
+		       lists:filter(fun(#session{info = Info}) ->
+					    not proplists:get_bool(offline, Info)
+				    end, Ss)
 	       end,
    lists:map(
      fun(Session) ->
@@ -1154,7 +1171,8 @@ subscribe_roster({Name, Server, Group, Nick}, [{Name, Server, _, _} | Roster]) -
    subscribe_roster({Name, Server, Group, Nick}, Roster);
 %% Subscribe Name2 to Name1
 subscribe_roster({Name1, Server1, Group1, Nick1}, [{Name2, Server2, Group2, Nick2} | Roster]) ->
-    subscribe(Name1, Server1, Name2, Server2, Nick2, Group2, <<"both">>, []),
+    subscribe(Name1, Server1, iolist_to_binary(Name2), iolist_to_binary(Server2),
+	iolist_to_binary(Nick2), iolist_to_binary(Group2), <<"both">>, []),
    subscribe_roster({Name1, Server1, Group1, Nick1}, Roster).

 push_alltoall(S, G) ->
@@ -1297,11 +1315,11 @@ srg_create(Group, Host, Name, Description, Display) ->
    Opts = [{name, Name},
 	    {displayed_groups, DisplayList},
 	    {description, Description}],
-    {atomic, ok} = mod_shared_roster:create_group(Host, Group, Opts),
+    {atomic, _} = mod_shared_roster:create_group(Host, Group, Opts),
    ok.

 srg_delete(Group, Host) ->
-    {atomic, ok} = mod_shared_roster:delete_group(Host, Group),
+    {atomic, _} = mod_shared_roster:delete_group(Host, Group),
    ok.

 srg_list(Host) ->
@@ -1324,11 +1342,11 @@ srg_get_members(Group, Host) ->
     || {MUser, MServer} <- Members].

 srg_user_add(User, Host, Group, GroupHost) ->
-    {atomic, ok} = mod_shared_roster:add_user_to_group(GroupHost, {User, Host}, Group),
+    {atomic, _} = mod_shared_roster:add_user_to_group(GroupHost, {User, Host}, Group),
    ok.

 srg_user_del(User, Host, Group, GroupHost) ->
-    {atomic, ok} = mod_shared_roster:remove_user_from_group(GroupHost, {User, Host}, Group),
+    {atomic, _} = mod_shared_roster:remove_user_from_group(GroupHost, {User, Host}, Group),
    ok.


@@ -33,7 +33,7 @@

 -export([start/2, init/0, stop/1, export/1, import/1,
 	 import/3, announce/3, send_motd/1, disco_identity/5,
-	 disco_features/5, disco_items/5,
+	 disco_features/5, disco_items/5, depends/2,
 	 send_announcement_to_all/3, announce_commands/4,
 	 announce_items/4, mod_opt_type/1]).

@@ -74,6 +74,9 @@ start(Host, Opts) ->
    register(gen_mod:get_module_proc(Host, ?PROCNAME),
 	     proc_lib:spawn(?MODULE, init, [])).

+depends(_Host, _Opts) ->
+    [{mod_adhoc, hard}].
+
 init() ->
    loop().

@@ -693,7 +696,7 @@ announce_all(From, To, Packet) ->
 	    lists:foreach(
 	      fun({User, Server}) ->
 		      Dest = jid:make(User, Server, <<>>),
-		      ejabberd_router:route(Local, Dest, Packet)
+		      ejabberd_router:route(Local, Dest, add_store_hint(Packet))
 	      end, ejabberd_auth:get_vh_registered_users(Host))
    end.

@@ -710,7 +713,7 @@ announce_all_hosts_all(From, To, Packet) ->
 	    lists:foreach(
 	      fun({User, Server}) ->
 		      Dest = jid:make(User, Server, <<>>),
-		      ejabberd_router:route(Local, Dest, Packet)
+		      ejabberd_router:route(Local, Dest, add_store_hint(Packet))
 	      end, ejabberd_auth:dirty_get_registered_users())
    end.

@@ -896,16 +899,22 @@ send_announcement_to_all(Host, SubjectS, BodyS) ->
    lists:foreach(
      fun({U, S, R}) ->
 	      Dest = jid:make(U, S, R),
-	      ejabberd_router:route(Local, Dest, Packet)
+	      ejabberd_router:route(Local, Dest, add_store_hint(Packet))
      end, Sessions).

 -spec get_access(global | binary()) -> atom().

 get_access(Host) ->
    gen_mod:get_module_opt(Host, ?MODULE, access,
-                           fun(A) when is_atom(A) -> A end,
+                           fun(A) -> A end,
                           none).

+-spec add_store_hint(xmlel()) -> xmlel().
+
+add_store_hint(El) ->
+    Hint = #xmlel{name = <<"store">>, attrs = [{<<"xmlns">>, ?NS_HINTS}]},
+    fxml:append_subtags(El, [Hint]).
+
 %%-------------------------------------------------------------------------
 export(LServer) ->
    Mod = gen_mod:db_mod(LServer, ?MODULE),
@@ -920,6 +929,6 @@ import(LServer, DBType, LA) ->
    Mod:import(LServer, LA).

 mod_opt_type(access) ->
-    fun (A) when is_atom(A) -> A end;
+    fun acl:access_rules_validator/1;
 mod_opt_type(db_type) -> fun(T) -> ejabberd_config:v_db(?MODULE, T) end;
 mod_opt_type(_) -> [access, db_type].
@@ -9,6 +9,8 @@
 -module(mod_announce_sql).
 -behaviour(mod_announce).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 %% API
 -export([init/2, set_motd_users/2, set_motd/2, delete_motd/1,
 	 get_motd/1, is_motd_user/2, set_motd_user/2, import/1,
@@ -16,6 +18,7 @@

 -include("jlib.hrl").
 -include("mod_announce.hrl").
+-include("ejabberd_sql_pt.hrl").

 %%%===================================================================
 %%% API
@@ -27,37 +30,35 @@ set_motd_users(LServer, USRs) ->
    F = fun() ->
 		lists:foreach(
 		  fun({U, _S, _R}) ->
-			  Username = ejabberd_sql:escape(U),
-			  sql_queries:update_t(
-			    <<"motd">>,
-			    [<<"username">>, <<"xml">>],
-			    [Username, <<"">>],
-			    [<<"username='">>, Username, <<"'">>])
+                          ?SQL_UPSERT_T(
+                             "motd",
+                             ["!username=%(U)s",
+                              "xml=''"])
 		  end, USRs)
 	end,
    ejabberd_sql:sql_transaction(LServer, F).

 set_motd(LServer, Packet) ->
-    XML = ejabberd_sql:escape(fxml:element_to_binary(Packet)),
+    XML = fxml:element_to_binary(Packet),
    F = fun() ->
-		sql_queries:update_t(
-		  <<"motd">>,
-		  [<<"username">>, <<"xml">>],
-		  [<<"">>, XML],
-		  [<<"username=''">>])
+                ?SQL_UPSERT_T(
+                   "motd",
+                   ["!username=''",
+                    "xml=%(XML)s"])
 	end,
    ejabberd_sql:sql_transaction(LServer, F).

 delete_motd(LServer) ->
    F = fun() ->
-		ejabberd_sql:sql_query_t([<<"delete from motd;">>])
+                ejabberd_sql:sql_query_t(?SQL("delete from motd"))
 	end,
    ejabberd_sql:sql_transaction(LServer, F).

 get_motd(LServer) ->
    case catch ejabberd_sql:sql_query(
-                 LServer, [<<"select xml from motd where username='';">>]) of
-        {selected, [<<"xml">>], [[XML]]} ->
+                 LServer,
+                 ?SQL("select @(xml)s from motd where username=''")) of
+        {selected, [{XML}]} ->
            case fxml_stream:parse_element(XML) of
                {error, _} ->
                    error;
@@ -69,46 +70,40 @@ get_motd(LServer) ->
    end.

 is_motd_user(LUser, LServer) ->
-    Username = ejabberd_sql:escape(LUser),
    case catch ejabberd_sql:sql_query(
-		 LServer,
-		 [<<"select username from motd "
-		    "where username='">>, Username, <<"';">>]) of
-	{selected, [<<"username">>], [_|_]} ->
+                 LServer,
+                 ?SQL("select @(username)s from motd"
+                      " where username=%(LUser)s")) of
+        {selected, [_|_]} ->
 	    true;
 	_ ->
 	    false
    end.

 set_motd_user(LUser, LServer) ->
-    Username = ejabberd_sql:escape(LUser),
    F = fun() ->
-		sql_queries:update_t(
-		  <<"motd">>,
-		  [<<"username">>, <<"xml">>],
-		  [Username, <<"">>],
-		  [<<"username='">>, Username, <<"'">>])
-	end,
+                ?SQL_UPSERT_T(
+                   "motd",
+                   ["!username=%(LUser)s",
+                    "xml=''"])
+        end,
    ejabberd_sql:sql_transaction(LServer, F).

 export(_Server) ->
    [{motd,
      fun(Host, #motd{server = LServer, packet = El})
            when LServer == Host ->
-              [[<<"delete from motd where username='';">>],
-               [<<"insert into motd(username, xml) values ('', '">>,
-                ejabberd_sql:escape(fxml:element_to_binary(El)),
-                <<"');">>]];
+              XML = fxml:element_to_binary(El),
+              [?SQL("delete from motd where username='';"),
+               ?SQL("insert into motd(username, xml) values ('', %(XML)s);")];
         (_Host, _R) ->
              []
      end},
     {motd_users,
      fun(Host, #motd_users{us = {LUser, LServer}})
            when LServer == Host, LUser /= <<"">> ->
-              Username = ejabberd_sql:escape(LUser),
-              [[<<"delete from motd where username='">>, Username, <<"';">>],
-               [<<"insert into motd(username, xml) values ('">>,
-                Username, <<"', '');">>]];
+              [?SQL("delete from motd where username=%(LUser)s;"),
+               ?SQL("insert into motd(username, xml) values (%(LUser)s, '');")];
         (_Host, _R) ->
              []
      end}].
@@ -30,7 +30,7 @@
 -protocol({xep, 191, '1.2'}).

 -export([start/2, stop/1, process_iq/3,
-	 process_iq_set/4, process_iq_get/5, mod_opt_type/1]).
+	 process_iq_set/4, process_iq_get/5, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -63,6 +63,9 @@ stop(Host) ->
    gen_iq_handler:remove_iq_handler(ejabberd_sm, Host,
 				     ?NS_BLOCKING).

+depends(_Host, _Opts) ->
+    [{mod_privacy, hard}].
+
 process_iq(_From, _To, IQ) ->
    SubEl = IQ#iq.sub_el,
    IQ#iq{type = error, sub_el = [SubEl, ?ERR_NOT_ALLOWED]}.
@@ -25,7 +25,12 @@ process_blocklist_block(LUser, LServer, Filter) ->
 		Default = case mod_privacy_sql:sql_get_default_privacy_list_t(LUser) of
 			      {selected, []} ->
 				  Name = <<"Blocked contacts">>,
-				  mod_privacy_sql:sql_add_privacy_list(LUser, Name),
+				  case mod_privacy_sql:sql_get_privacy_list_id_t(LUser, Name) of
+				      {selected, []} ->
+					  mod_privacy_sql:sql_add_privacy_list(LUser, Name);
+				      {selected, [{_ID}]} ->
+					  ok
+				  end,
 				  mod_privacy_sql:sql_set_default_privacy_list(LUser, Name),
 				  Name;
 			      {selected, [{Name}]} -> Name
@@ -41,7 +41,7 @@
         import_start/2, import_stop/2]).

 %% gen_mod callbacks
-export([start/2, start_link/2, stop/1]).
+-export([start/2, start_link/2, stop/1, depends/2]).

 %% gen_server callbacks
 -export([init/1, handle_info/2, handle_call/3,
@@ -306,6 +306,9 @@ c2s_broadcast_recipients(InAcc, Host, C2SState,
    end;
 c2s_broadcast_recipients(Acc, _, _, _, _, _) -> Acc.

+depends(_Host, _Opts) ->
+    [].
+
 init([Host, Opts]) ->
    Mod = gen_mod:db_mod(Host, Opts, ?MODULE),
    Mod:init(Host, Opts),
@@ -9,10 +9,13 @@
 -module(mod_caps_sql).
 -behaviour(mod_caps).

+-compile([{parse_transform, ejabberd_sql_pt}]).
+
 %% API
 -export([init/2, caps_read/2, caps_write/3, export/1]).

 -include("mod_caps.hrl").
+-include("ejabberd_sql_pt.hrl").

 %%%===================================================================
 %%% API
@@ -21,21 +24,19 @@ init(_Host, _Opts) ->
    ok.

 caps_read(LServer, {Node, SubNode}) ->
-    SNode = ejabberd_sql:escape(Node),
-    SSubNode = ejabberd_sql:escape(SubNode),
    case ejabberd_sql:sql_query(
-	   LServer, [<<"select feature from caps_features where ">>,
-		     <<"node='">>, SNode, <<"' and subnode='">>,
-		     SSubNode, <<"';">>]) of
-	{selected, [<<"feature">>], [[H]|_] = Fs} ->
-	    case catch jlib:binary_to_integer(H) of
-		Int when is_integer(Int), Int>=0 ->
-		    {ok, Int};
-		_ ->
-		    {ok, lists:flatten(Fs)}
-	    end;
-	_ ->
-	    error
+           LServer,
+           ?SQL("select @(feature)s from caps_features where"
+                " node=%(Node)s and subnode=%(SubNode)s")) of
+        {selected, [{H}|_] = Fs} ->
+            case catch jlib:binary_to_integer(H) of
+                Int when is_integer(Int), Int>=0 ->
+                    {ok, Int};
+                _ ->
+                    {ok, [F || {F} <- Fs]}
+            end;
+        _ ->
+            error
    end.

 caps_write(LServer, NodePair, Features) ->
@@ -56,16 +57,13 @@ export(_Server) ->
 %%% Internal functions
 %%%===================================================================
 sql_write_features_t({Node, SubNode}, Features) ->
-    SNode = ejabberd_sql:escape(Node),
-    SSubNode = ejabberd_sql:escape(SubNode),
    NewFeatures = if is_integer(Features) ->
                          [jlib:integer_to_binary(Features)];
                     true ->
                          Features
                  end,
-    [[<<"delete from caps_features where node='">>,
-      SNode, <<"' and subnode='">>, SSubNode, <<"';">>]|
-     [[<<"insert into caps_features(node, subnode, feature) ">>,
-       <<"values ('">>, SNode, <<"', '">>, SSubNode, <<"', '">>,
-       ejabberd_sql:escape(F), <<"');">>] || F <- NewFeatures]].
+    [?SQL("delete from caps_features where node=%(Node)s"
+          " and subnode=%(SubNode)s;") |
+     [?SQL("insert into caps_features(node, subnode, feature)"
+           " values (%(Node)s, %(SubNode)s, %(F)s);") || F <- NewFeatures]].

@@ -37,7 +37,7 @@

 -export([user_send_packet/4, user_receive_packet/5,
 	 iq_handler2/3, iq_handler1/3, remove_connection/4,
-	 is_carbon_copy/1, mod_opt_type/1]).
+	 is_carbon_copy/1, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -278,6 +278,9 @@ list(User, Server) ->
    Mod = gen_mod:db_mod(Server, ?MODULE),
    Mod:list(User, Server).

+depends(_Host, _Opts) ->
+    [].
+
 mod_opt_type(iqdisc) -> fun gen_iq_handler:check_type/1;
 mod_opt_type(db_type) -> fun(T) -> ejabberd_config:v_db(?MODULE, T) end;
 mod_opt_type(_) -> [db_type, iqdisc].
@@ -30,24 +30,44 @@

 -behavior(gen_mod).

-export([start/2, stop/1, add_stream_feature/2,
-	 filter_presence/2, filter_chat_states/2,
-	 mod_opt_type/1]).
+%% gen_mod callbacks.
+-export([start/2, stop/1, mod_opt_type/1, depends/2]).
+
+%% ejabberd_hooks callbacks.
+-export([filter_presence/4, filter_chat_states/4, filter_pep/4, filter_other/4,
+	 flush_queue/3, add_stream_feature/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
 -include("jlib.hrl").

+-define(CSI_QUEUE_MAX, 100).
+
+-type csi_type() :: presence | chatstate | {pep, binary()}.
+-type csi_key() :: {ljid(), csi_type()}.
+-type csi_stanza() :: {csi_key(), erlang:timestamp(), xmlel()}.
+-type csi_queue() :: [csi_stanza()].
+
+%%--------------------------------------------------------------------
+%% gen_mod callbacks.
+%%--------------------------------------------------------------------
+
+-spec start(binary(), gen_mod:opts()) -> ok.
+
 start(Host, Opts) ->
-    QueuePresence = gen_mod:get_opt(queue_presence, Opts,
-				    fun(true) -> true;
-				       (false) -> false
-				    end, true),
-    DropChatStates = gen_mod:get_opt(drop_chat_states, Opts,
-				     fun(true) -> true;
-				        (false) -> false
-				     end, true),
-    if QueuePresence; DropChatStates ->
+    QueuePresence =
+	gen_mod:get_opt(queue_presence, Opts,
+			fun(B) when is_boolean(B) -> B end,
+			true),
+    QueueChatStates =
+	gen_mod:get_opt(queue_chat_states, Opts,
+			fun(B) when is_boolean(B) -> B end,
+			true),
+    QueuePEP =
+	gen_mod:get_opt(queue_pep, Opts,
+			fun(B) when is_boolean(B) -> B end,
+			true),
+    if QueuePresence; QueueChatStates; QueuePEP ->
 	   ejabberd_hooks:add(c2s_post_auth_features, Host, ?MODULE,
 			      add_stream_feature, 50),
 	   if QueuePresence ->
@@ -55,23 +75,151 @@ start(Host, Opts) ->
 				     filter_presence, 50);
 	      true -> ok
 	   end,
-	   if DropChatStates ->
+	   if QueueChatStates ->
 		  ejabberd_hooks:add(csi_filter_stanza, Host, ?MODULE,
 				     filter_chat_states, 50);
 	      true -> ok
-	   end;
+	   end,
+	   if QueuePEP ->
+		  ejabberd_hooks:add(csi_filter_stanza, Host, ?MODULE,
+				     filter_pep, 50);
+	      true -> ok
+	   end,
+	   ejabberd_hooks:add(csi_filter_stanza, Host, ?MODULE,
+			      filter_other, 100),
+	   ejabberd_hooks:add(csi_flush_queue, Host, ?MODULE,
+			      flush_queue, 50);
       true -> ok
-    end,
-    ok.
+    end.
+
+-spec stop(binary()) -> ok.

 stop(Host) ->
-    ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
-			  filter_presence, 50),
-    ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
-			  filter_chat_states, 50),
-    ejabberd_hooks:delete(c2s_post_auth_features, Host, ?MODULE,
-			  add_stream_feature, 50),
-    ok.
+    QueuePresence =
+	gen_mod:get_module_opt(Host, ?MODULE, queue_presence,
+			       fun(B) when is_boolean(B) -> B end,
+			       true),
+    QueueChatStates =
+	gen_mod:get_module_opt(Host, ?MODULE, queue_chat_states,
+			       fun(B) when is_boolean(B) -> B end,
+			       true),
+    QueuePEP =
+	gen_mod:get_module_opt(Host, ?MODULE, queue_pep,
+			       fun(B) when is_boolean(B) -> B end,
+			       true),
+    if QueuePresence; QueueChatStates; QueuePEP ->
+	   ejabberd_hooks:delete(c2s_post_auth_features, Host, ?MODULE,
+				 add_stream_feature, 50),
+	   if QueuePresence ->
+		  ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
+					filter_presence, 50);
+	      true -> ok
+	   end,
+	   if QueueChatStates ->
+		  ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
+					filter_chat_states, 50);
+	      true -> ok
+	   end,
+	   if QueuePEP ->
+		  ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
+					filter_pep, 50);
+	      true -> ok
+	   end,
+	   ejabberd_hooks:delete(csi_filter_stanza, Host, ?MODULE,
+				 filter_other, 100),
+	   ejabberd_hooks:delete(csi_flush_queue, Host, ?MODULE,
+				 flush_queue, 50);
+       true -> ok
+    end.
+
+-spec mod_opt_type(atom()) -> fun((term()) -> term()) | [atom()].
+
+mod_opt_type(queue_presence) ->
+    fun(B) when is_boolean(B) -> B end;
+mod_opt_type(queue_chat_states) ->
+    fun(B) when is_boolean(B) -> B end;
+mod_opt_type(queue_pep) ->
+    fun(B) when is_boolean(B) -> B end;
+mod_opt_type(_) -> [queue_presence, queue_chat_states, queue_pep].
+
+-spec depends(binary(), gen_mod:opts()) -> [{module(), hard | soft}].
+
+depends(_Host, _Opts) ->
+    [].
+
+%%--------------------------------------------------------------------
+%% ejabberd_hooks callbacks.
+%%--------------------------------------------------------------------
+
+-spec filter_presence({term(), [xmlel()]}, binary(), jid(), xmlel())
+      -> {term(), [xmlel()]} | {stop, {term(), [xmlel()]}}.
+
+filter_presence({C2SState, _OutStanzas} = Acc, Host, To,
+		#xmlel{name = <<"presence">>, attrs = Attrs} = Stanza) ->
+    case fxml:get_attr(<<"type">>, Attrs) of
+      {value, Type} when Type /= <<"unavailable">> ->
+	  Acc;
+      _ ->
+	  ?DEBUG("Got availability presence stanza for ~s",
+		 [jid:to_string(To)]),
+	  queue_add(presence, Stanza, Host, C2SState)
+    end;
+filter_presence(Acc, _Host, _To, _Stanza) -> Acc.
+
+-spec filter_chat_states({term(), [xmlel()]}, binary(), jid(), xmlel())
+      -> {term(), [xmlel()]} | {stop, {term(), [xmlel()]}}.
+
+filter_chat_states({C2SState, _OutStanzas} = Acc, Host, To,
+		   #xmlel{name = <<"message">>} = Stanza) ->
+    case jlib:is_standalone_chat_state(Stanza) of
+      true ->
+	  From = fxml:get_tag_attr_s(<<"from">>, Stanza),
+	  case {jid:from_string(From), To} of
+	    {#jid{luser = U, lserver = S}, #jid{luser = U, lserver = S}} ->
+		%% Don't queue (carbon copies of) chat states from other
+		%% resources, as they might be used to sync the state of
+		%% conversations across clients.
+		Acc;
+	    _ ->
+		?DEBUG("Got standalone chat state notification for ~s",
+		       [jid:to_string(To)]),
+		queue_add(chatstate, Stanza, Host, C2SState)
+	  end;
+      false ->
+	  Acc
+    end;
+filter_chat_states(Acc, _Host, _To, _Stanza) -> Acc.
+
+-spec filter_pep({term(), [xmlel()]}, binary(), jid(), xmlel())
+      -> {term(), [xmlel()]} | {stop, {term(), [xmlel()]}}.
+
+filter_pep({C2SState, _OutStanzas} = Acc, Host, To,
+	   #xmlel{name = <<"message">>} = Stanza) ->
+    case get_pep_node(Stanza) of
+      {value, Node} ->
+	  ?DEBUG("Got PEP notification for ~s", [jid:to_string(To)]),
+	  queue_add({pep, Node}, Stanza, Host, C2SState);
+      false ->
+	  Acc
+    end;
+filter_pep(Acc, _Host, _To, _Stanza) -> Acc.
+
+-spec filter_other({term(), [xmlel()]}, binary(), jid(), xmlel())
+      -> {term(), [xmlel()]}.
+
+filter_other({C2SState, _OutStanzas}, Host, To, Stanza) ->
+    ?DEBUG("Won't add stanza for ~s to CSI queue", [jid:to_string(To)]),
+    queue_take(Stanza, Host, C2SState).
+
+-spec flush_queue({term(), [xmlel()]}, binary(), jid()) -> {term(), [xmlel()]}.
+
+flush_queue({C2SState, _OutStanzas}, Host, JID) ->
+    ?DEBUG("Going to flush CSI queue of ~s", [jid:to_string(JID)]),
+    Queue = get_queue(C2SState),
+    NewState = set_queue([], C2SState),
+    {NewState, get_stanzas(Queue, Host)}.
+
+-spec add_stream_feature([xmlel()], binary) -> [xmlel()].

 add_stream_feature(Features, _Host) ->
    Feature = #xmlel{name = <<"csi">>,
@@ -79,34 +227,82 @@ add_stream_feature(Features, _Host) ->
 		     children = []},
    [Feature | Features].

-filter_presence(_Action, #xmlel{name = <<"presence">>, attrs = Attrs}) ->
-    case fxml:get_attr(<<"type">>, Attrs) of
-      {value, Type} when Type /= <<"unavailable">> ->
-	  ?DEBUG("Got important presence stanza", []),
-	  {stop, send};
+%%--------------------------------------------------------------------
+%% Internal functions.
+%%--------------------------------------------------------------------
+
+-spec queue_add(csi_type(), xmlel(), binary(), term())
+      -> {stop, {term(), [xmlel()]}}.
+
+queue_add(Type, Stanza, Host, C2SState) ->
+    case get_queue(C2SState) of
+      Queue when length(Queue) >= ?CSI_QUEUE_MAX ->
+	  ?DEBUG("CSI queue too large, going to flush it", []),
+	  NewState = set_queue([], C2SState),
+	  {stop, {NewState, get_stanzas(Queue, Host) ++ [Stanza]}};
+      Queue ->
+	  ?DEBUG("Adding stanza to CSI queue", []),
+	  From = fxml:get_tag_attr_s(<<"from">>, Stanza),
+	  Key = {jid:tolower(jid:from_string(From)), Type},
+	  Entry = {Key, p1_time_compat:timestamp(), Stanza},
+	  NewQueue = lists:keystore(Key, 1, Queue, Entry),
+	  NewState = set_queue(NewQueue, C2SState),
+	  {stop, {NewState, []}}
+    end.
+
+-spec queue_take(xmlel(), binary(), term()) -> {term(), [xmlel()]}.
+
+queue_take(Stanza, Host, C2SState) ->
+    From = fxml:get_tag_attr_s(<<"from">>, Stanza),
+    {LUser, LServer, _LResource} = jid:tolower(jid:from_string(From)),
+    {Selected, Rest} = lists:partition(
+			 fun({{{U, S, _R}, _Type}, _Time, _Stanza}) ->
+				 U == LUser andalso S == LServer
+			 end, get_queue(C2SState)),
+    NewState = set_queue(Rest, C2SState),
+    {NewState, get_stanzas(Selected, Host) ++ [Stanza]}.
+
+-spec set_queue(csi_queue(), term()) -> term().
+
+set_queue(Queue, C2SState) ->
+    ejabberd_c2s:set_aux_field(csi_queue, Queue, C2SState).
+
+-spec get_queue(term()) -> csi_queue().
+
+get_queue(C2SState) ->
+    case ejabberd_c2s:get_aux_field(csi_queue, C2SState) of
+      {ok, Queue} ->
+	      Queue;
+      error ->
+	      []
+    end.
+
+-spec get_stanzas(csi_queue(), binary()) -> [xmlel()].
+
+get_stanzas(Queue, Host) ->
+    lists:map(fun({_Key, Time, Stanza}) ->
+		      jlib:add_delay_info(Stanza, Host, Time,
+					  <<"Client Inactive">>)
+	      end, Queue).
+
+-spec get_pep_node(xmlel()) -> {value, binary()} | false.
+
+get_pep_node(#xmlel{name = <<"message">>} = Stanza) ->
+    From = fxml:get_tag_attr_s(<<"from">>, Stanza),
+    case jid:from_string(From) of
+      #jid{luser = <<>>} -> % It's not PEP.
+	  false;
      _ ->
-	  ?DEBUG("Got availability presence stanza", []),
-	  {stop, queue}
-    end;
-filter_presence(Action, _Stanza) -> Action.
-
-filter_chat_states(_Action, #xmlel{name = <<"message">>} = Stanza) ->
-    case jlib:is_standalone_chat_state(Stanza) of
-      true ->
-	  ?DEBUG("Got standalone chat state notification", []),
-	  {stop, drop};
-      false ->
-	  ?DEBUG("Got message stanza", []),
-	  {stop, send}
-    end;
-filter_chat_states(Action, _Stanza) -> Action.
-
-mod_opt_type(drop_chat_states) ->
-    fun (true) -> true;
-	(false) -> false
-    end;
-mod_opt_type(queue_presence) ->
-    fun (true) -> true;
-	(false) -> false
-    end;
-mod_opt_type(_) -> [drop_chat_states, queue_presence].
+	  case fxml:get_subtag_with_xmlns(Stanza, <<"event">>,
+					  ?NS_PUBSUB_EVENT) of
+	    #xmlel{children = Els} ->
+		case fxml:remove_cdata(Els) of
+		  [#xmlel{name = <<"items">>, attrs = ItemsAttrs}] ->
+		      fxml:get_attr(<<"node">>, ItemsAttrs);
+		  _ ->
+		      false
+		end;
+	    false ->
+		false
+	  end
+    end.
@@ -35,7 +35,8 @@
 	 get_local_features/5, get_local_items/5,
 	 adhoc_local_items/4, adhoc_local_commands/4,
 	 get_sm_identity/5, get_sm_features/5, get_sm_items/5,
-	 adhoc_sm_items/4, adhoc_sm_commands/4, mod_opt_type/1]).
+	 adhoc_sm_items/4, adhoc_sm_commands/4, mod_opt_type/1,
+	 depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -95,6 +96,9 @@ stop(Host) ->
    gen_iq_handler:remove_iq_handler(ejabberd_sm, Host,
 				     ?NS_COMMANDS).

+depends(_Host, _Opts) ->
+    [{mod_adhoc, hard}, {mod_last, soft}].
+
 %%%-----------------------------------------------------------------------

 -define(INFO_IDENTITY(Category, Type, Name, Lang),
@@ -1368,10 +1372,9 @@ get_form(Host, [<<"config">>, <<"access">>], Lang) ->
 							  [{xmlcdata, S}]}
 				       end,
 				       str:tokens(iolist_to_binary(io_lib:format("~p.",
-										 [ets:select(local_config,
-											     [{{local_config,
-												{access,
-												 '$1',
+										 [ets:select(access,
+											     [{{access,
+												{'$1',
 												 '$2'},
 												'$3'},
 											       [{'==',
@@ -1826,10 +1829,9 @@ set_form(_From, Host, [<<"config">>, <<"access">>],
 	 Lang, XData) ->
    SetAccess = fun (Rs) ->
 			mnesia:transaction(fun () ->
-						   Os = mnesia:select(local_config,
-								      [{{local_config,
-									 {access,
-									  '$1',
+						   Os = mnesia:select(access,
+								      [{{access,
+									 {'$1',
 									  '$2'},
 									 '$3'},
 									[{'==',
@@ -1843,9 +1845,8 @@ set_form(_From, Host, [<<"config">>, <<"access">>],
 						   lists:foreach(fun ({access,
 								       Name,
 								       Rules}) ->
-									 mnesia:write({local_config,
-										       {access,
-											Name,
+									 mnesia:write({access,
+										       {Name,
 											Host},
 										       Rules})
 								 end,
@@ -1916,19 +1917,29 @@ set_form(From, Host, ?NS_ADMINL(<<"end-user-session">>),
    Xmlelement = ?SERRT_POLICY_VIOLATION(Lang, <<"has been kicked">>),
    case JID#jid.lresource of
      <<>> ->
-	  SIDs = mnesia:dirty_select(session,
-				     [{#session{sid = '$1',
-						usr = {LUser, LServer, '_'},
-						_ = '_'},
-				       [], ['$1']}]),
-	  [Pid ! {kick, kicked_by_admin, Xmlelement} || {_, Pid} <- SIDs];
+	  SIs = mnesia:dirty_select(session,
+				    [{#session{usr = {LUser, LServer, '_'},
+					       sid = '$1',
+					       info = '$2',
+					       _ = '_'},
+				      [], [{{'$1', '$2'}}]}]),
+	  Pids = [P || {{_, P}, Info} <- SIs,
+		       not proplists:get_bool(offline, Info)],
+	  lists:foreach(fun(Pid) ->
+				Pid ! {kick, kicked_by_admin, Xmlelement}
+			end, Pids);
      R ->
-	  [{_, Pid}] = mnesia:dirty_select(session,
-					   [{#session{sid = '$1',
-						      usr = {LUser, LServer, R},
-						      _ = '_'},
-					     [], ['$1']}]),
-	  Pid ! {kick, kicked_by_admin, Xmlelement}
+	  [{{_, Pid}, Info}] = mnesia:dirty_select(
+				 session,
+				 [{#session{usr = {LUser, LServer, R},
+					    sid = '$1',
+					    info = '$2',
+					    _ = '_'},
+				   [], [{{'$1', '$2'}}]}]),
+	  case proplists:get_bool(offline, Info) of
+	    true -> ok;
+	    false -> Pid ! {kick, kicked_by_admin, Xmlelement}
+	  end
    end,
    {result, []};
 set_form(From, Host,
@@ -32,7 +32,7 @@
 -behaviour(gen_mod).

 -export([start/2, stop/1, process_local_iq/3,
-	 mod_opt_type/1, opt_type/1]).
+	 mod_opt_type/1, opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -201,6 +201,9 @@ process_get(#xmlel{name = <<"last">>, attrs = Attrs}, Lang) ->
 %%    {result, };
 process_get(_, _) -> {error, ?ERR_BAD_REQUEST}.

+depends(_Host, _Opts) ->
+    [].
+
 mod_opt_type(iqdisc) -> fun gen_iq_handler:check_type/1;
 mod_opt_type(_) -> [iqdisc].

@@ -0,0 +1,538 @@
+%%%--------------------------------------------------------------------------------------
+%%% File    : mod_delegation.erl
+%%% Author  : Anna Mukharram <amuhar3@gmail.com>
+%%% Purpose : This module is an implementation for XEP-0355: Namespace Delegation
+%%%--------------------------------------------------------------------------------------
+
+-module(mod_delegation).
+
+-author('amuhar3@gmail.com').
+
+-behaviour(gen_mod).
+
+-protocol({xep, 0355, '0.3'}).
+
+-export([start/2, stop/1, depends/2, mod_opt_type/1]).
+
+-export([advertise_delegations/1, process_iq/3,
+         disco_local_features/5, disco_sm_features/5,
+         disco_local_identity/5, disco_sm_identity/5, disco_info/5, clean/0]).
+
+-include_lib("stdlib/include/ms_transform.hrl").
+
+-include("ejabberd_service.hrl").
+
+-define(CLEAN_INTERVAL, timer:minutes(10)).
+
+%%%--------------------------------------------------------------------------------------
+%%%  API
+%%%--------------------------------------------------------------------------------------
+
+start(Host, _Opts) ->
+    mod_disco:register_feature(Host, ?NS_DELEGATION),
+    %% start timer for hooks_tmp table cleaning 
+    timer:apply_after(?CLEAN_INTERVAL, ?MODULE, clean, []),
+
+    ejabberd_hooks:add(disco_local_features, Host, ?MODULE,
+                       disco_local_features, 500), %% This hook should be the last
+    ejabberd_hooks:add(disco_local_identity, Host, ?MODULE,
+                       disco_local_identity, 500),
+    ejabberd_hooks:add(disco_sm_identity, Host, ?MODULE,
+                       disco_sm_identity, 500),
+    ejabberd_hooks:add(disco_sm_features, Host, ?MODULE, 
+                       disco_sm_features, 500),
+    ejabberd_hooks:add(disco_info, Host, ?MODULE,
+                       disco_info, 500).
+
+
+stop(Host) ->
+    mod_disco:unregister_feature(Host, ?NS_DELEGATION),
+    ejabberd_hooks:delete(disco_local_features, Host, ?MODULE,
+                          disco_local_features, 500), 
+    ejabberd_hooks:delete(disco_local_identity, Host, ?MODULE,
+                          disco_local_identity, 500),
+    ejabberd_hooks:delete(disco_sm_identity, Host, ?MODULE,
+                          disco_sm_identity, 500),
+    ejabberd_hooks:delete(disco_sm_features, Host, ?MODULE, 
+                          disco_sm_features, 500),
+    ejabberd_hooks:delete(disco_info, Host, ?MODULE,
+                          disco_info, 500).
+
+depends(_Host, _Opts) -> [].
+
+mod_opt_type(_Opt) -> [].
+
+%%%--------------------------------------------------------------------------------------
+%%% 4.2 Functions to advertise service of delegated namespaces
+%%%--------------------------------------------------------------------------------------
+attribute_tag(Attrs) ->
+    lists:map(fun(Attr) ->
+                #xmlel{name = <<"attribute">>, attrs = [{<<"name">> , Attr}]}
+              end, Attrs).
+
+delegations(From, To, Delegations) ->
+    {Elem0, DelegatedNs} = 
+      lists:foldl(fun({Ns, FiltAttr}, {Acc, AccNs}) ->
+                    case ets:insert_new(delegated_namespaces, 
+                                        {Ns, FiltAttr, self(), To, {}, {}}) of
+                      true ->
+                        Attrs = 
+                          if
+                            FiltAttr == [] ->
+                              ?DEBUG("namespace ~s is delegated to ~s with"
+                                     " no filtering attributes ~n",[Ns, To]),
+                              [];
+                            true ->
+                              ?DEBUG("namespace ~s is delegated to ~s with"
+                                     " ~p filtering attributes ~n",[Ns, To, FiltAttr]),
+                              attribute_tag(FiltAttr)
+                          end,
+                        add_iq_handlers(Ns),
+                        {[#xmlel{name = <<"delegated">>, 
+                                 attrs = [{<<"namespace">>, Ns}],
+                                 children = Attrs}| Acc], [{Ns, FiltAttr}|AccNs]};
+                      false -> {Acc, AccNs}
+                    end
+                  end, {[], []}, Delegations),
+    case Elem0 of
+      [] -> {ignore, DelegatedNs};
+      _ -> 
+        Elem1 = #xmlel{name = <<"delegation">>, 
+                       attrs = [{<<"xmlns">>, ?NS_DELEGATION}],
+                       children = Elem0},
+        Id = randoms:get_string(),
+        {#xmlel{name = <<"message">>, 
+                attrs = [{<<"id">>, Id}, {<<"from">>, From}, {<<"to">>, To}],
+                children = [Elem1]}, DelegatedNs}
+    end.
+
+add_iq_handlers(Ns) ->
+    lists:foreach(fun(Host) ->
+                    IQDisc = 
+                      gen_mod:get_module_opt(Host, ?MODULE, iqdisc,
+                                             fun gen_iq_handler:check_type/1, one_queue),
+                    gen_iq_handler:add_iq_handler(ejabberd_sm, Host,
+                                                  Ns, ?MODULE, 
+                                                  process_iq, IQDisc),
+                    gen_iq_handler:add_iq_handler(ejabberd_local, Host,
+                                                  Ns, ?MODULE,
+                                                  process_iq, IQDisc)
+                  end, ?MYHOSTS).
+
+advertise_delegations(#state{delegations = []}) -> [];
+advertise_delegations(StateData) ->
+    {Delegated, DelegatedNs} = 
+      delegations(?MYNAME, StateData#state.host, StateData#state.delegations),
+    if 
+      Delegated /= ignore ->
+        ejabberd_service:send_element(StateData, Delegated),
+        % server asks available features for delegated namespaces 
+        disco_info(StateData#state{delegations = DelegatedNs});
+      true -> ok
+    end,
+    DelegatedNs.
+
+%%%--------------------------------------------------------------------------------------
+%%%  Delegated namespaces hook
+%%%--------------------------------------------------------------------------------------
+
+check_filter_attr([], _Children) -> true;
+check_filter_attr(_FilterAttr, []) -> false;
+check_filter_attr(FilterAttr, [#xmlel{} = Stanza|_]) ->
+    Attrs = proplists:get_keys(Stanza#xmlel.attrs),
+    lists:all(fun(Attr) ->
+                  lists:member(Attr, Attrs)
+              end, FilterAttr);
+check_filter_attr(_FilterAttr, _Children) -> false.
+
+-spec get_client_server([attr()]) -> {jid(), jid()}. 
+
+get_client_server(Attrs) ->
+    Client = fxml:get_attr_s(<<"from">>, Attrs),
+    ClientJID = jid:from_string(Client),
+    ServerJID = jid:from_string(ClientJID#jid.lserver),
+    {ClientJID, ServerJID}.
+
+decapsulate_result(#xmlel{children = []}) -> ok;
+decapsulate_result(#xmlel{children = Children}) ->
+    decapsulate_result0(Children).
+
+decapsulate_result0([]) -> ok;
+decapsulate_result0([#xmlel{name = <<"delegation">>, 
+                            attrs = [{<<"xmlns">>, ?NS_DELEGATION}]} = Packet]) ->
+    decapsulate_result1(Packet#xmlel.children);
+decapsulate_result0(_Children) -> ok.
+
+decapsulate_result1([]) -> ok;
+decapsulate_result1([#xmlel{name = <<"forwarded">>,
+                            attrs = [{<<"xmlns">>, ?NS_FORWARD}]} = Packet]) ->
+    decapsulate_result2(Packet#xmlel.children);
+decapsulate_result1(_Children) -> ok.
+
+decapsulate_result2([]) -> ok;
+decapsulate_result2([#xmlel{name = <<"iq">>, attrs = Attrs} = Packet]) ->
+    Ns = fxml:get_attr_s(<<"xmlns">>, Attrs),
+    if
+      Ns /= <<"jabber:client">> ->
+        ok;
+      true -> Packet
+    end;
+decapsulate_result2(_Children) -> ok.
+
+-spec check_iq(xmlel(), xmlel()) -> xmlel() | ignore.
+
+check_iq(#xmlel{attrs = Attrs} = Packet,
+         #xmlel{attrs = AttrsOrigin} = OriginPacket) ->
+    % Id attribute of OriginPacket Must be equil to Packet Id attribute
+    Id1 = fxml:get_attr_s(<<"id">>, Attrs),
+    Id2 = fxml:get_attr_s(<<"id">>, AttrsOrigin),
+    % From attribute of OriginPacket Must be equil to Packet To attribute
+    From = fxml:get_attr_s(<<"from">>, AttrsOrigin),
+    To = fxml:get_attr_s(<<"to">>, Attrs),
+    % Type attribute Must be error or result
+    Type = fxml:get_attr_s(<<"type">>, Attrs),
+    if
+      ((Type == <<"result">>) or (Type == <<"error">>)),
+      Id1 == Id2, To == From ->
+        NewPacket = jlib:remove_attr(<<"xmlns">>, Packet),
+        %% We can send the decapsulated stanza from Server to Client (To)
+        NewPacket;
+      true ->
+        %% service-unavailable
+        Err = jlib:make_error_reply(OriginPacket, ?ERR_SERVICE_UNAVAILABLE),
+        Err
+    end;
+check_iq(_Packet, _OriginPacket) -> ignore.
+
+-spec manage_service_result(atom(), atom(), binary(), xmlel()) -> ok.
+
+manage_service_result(HookRes, HookErr, Service, OriginPacket) ->
+    fun(Packet) ->
+        {ClientJID, ServerJID} = get_client_server(OriginPacket#xmlel.attrs),
+        Server = ClientJID#jid.lserver,
+
+        ets:delete(hooks_tmp, {HookRes, Server}),
+        ets:delete(hooks_tmp, {HookErr, Server}),
+        % Check Packet "from" attribute
+        % It Must be equil to current service host
+        From = fxml:get_attr_s(<<"from">> , Packet#xmlel.attrs),
+        if
+          From == Service  ->
+              % decapsulate iq result
+              ResultIQ = decapsulate_result(Packet),
+              ServResponse = check_iq(ResultIQ, OriginPacket),
+              if
+                ServResponse /= ignore ->
+                  ejabberd_router:route(ServerJID, ClientJID, ServResponse);
+                true -> ok
+              end;
+          true ->
+              % service unavailable
+              Err = jlib:make_error_reply(OriginPacket, ?ERR_SERVICE_UNAVAILABLE),
+              ejabberd_router:route(ServerJID, ClientJID, Err) 
+        end       
+    end.
+
+-spec manage_service_error(atom(), atom(), xmlel()) -> ok.
+
+manage_service_error(HookRes, HookErr, OriginPacket) ->
+    fun(_Packet) ->
+        {ClientJID, ServerJID} = get_client_server(OriginPacket#xmlel.attrs),
+        Server = ClientJID#jid.lserver,
+        ets:delete(hooks_tmp, {HookRes, Server}),
+        ets:delete(hooks_tmp, {HookErr, Server}),
+        Err = jlib:make_error_reply(OriginPacket, ?ERR_SERVICE_UNAVAILABLE),
+        ejabberd_router:route(ServerJID, ClientJID, Err)        
+    end.
+
+
+-spec forward_iq(binary(), binary(), xmlel()) -> ok.
+
+forward_iq(Server, Service, Packet) ->
+    Elem0 = #xmlel{name = <<"forwarded">>,
+                   attrs = [{<<"xmlns">>, ?NS_FORWARD}], children = [Packet]},
+    Elem1 = #xmlel{name = <<"delegation">>, 
+                   attrs = [{<<"xmlns">>, ?NS_DELEGATION}], children = [Elem0]},
+    Id = randoms:get_string(),
+    Elem2 = #xmlel{name = <<"iq">>,
+                   attrs = [{<<"from">>, Server}, {<<"to">>, Service},
+                            {<<"type">>, <<"set">>}, {<<"id">>, Id}],
+                   children = [Elem1]},
+
+    HookRes = {iq, result, Id},
+    HookErr = {iq, error, Id},
+
+    FunRes = manage_service_result(HookRes, HookErr, Service, Packet),
+    FunErr = manage_service_error(HookRes, HookErr, Packet),
+    
+    Timestamp = p1_time_compat:system_time(seconds),
+    ets:insert(hooks_tmp, {{HookRes, Server}, FunRes, Timestamp}),
+    ets:insert(hooks_tmp, {{HookErr, Server}, FunErr, Timestamp}),
+
+    From = jid:make(<<"">>, Server, <<"">>),
+    To = jid:make(<<"">>, Service, <<"">>),
+    ejabberd_router:route(From, To, Elem2).
+
+process_iq(From, #jid{lresource = <<"">>} = To, 
+               #iq{type = Type, xmlns = XMLNS} = IQ) ->
+    %% check if stanza directed to server
+    %% or directed to the bare JID of the sender
+    case ((Type == get) or (Type == set)) of
+        true ->
+            Packet = jlib:iq_to_xml(IQ),
+            #xmlel{name = <<"iq">>, attrs = Attrs, children = Children} = Packet,
+            AttrsNew = [{<<"xmlns">>, <<"jabber:client">>} | Attrs],
+            AttrsNew2 = jlib:replace_from_to_attrs(jid:to_string(From),
+                                                   jid:to_string(To), AttrsNew),
+            case ets:lookup(delegated_namespaces, XMLNS) of
+              [{XMLNS, FiltAttr, _Pid, ServiceHost, _, _}] ->
+                case check_filter_attr(FiltAttr, Children) of
+                    true ->
+                        forward_iq(From#jid.server, ServiceHost,
+                                   Packet#xmlel{attrs = AttrsNew2});
+                    _ -> ok
+                end;
+              [] -> ok
+            end, 
+            ignore;
+        _ -> 
+            ignore
+    end;
+process_iq(_From, _To, _IQ) -> ignore.
+
+%%%--------------------------------------------------------------------------------------
+%%%  7. Discovering Support
+%%%--------------------------------------------------------------------------------------
+
+decapsulate_features(#xmlel{attrs = Attrs} = Packet, Node) ->
+  case fxml:get_attr_s(<<"node">>, Attrs) of 
+      Node ->
+          PREFIX = << ?NS_DELEGATION/binary, "::" >>,
+          Size = byte_size(PREFIX),
+          BARE_PREFIX = << ?NS_DELEGATION/binary, ":bare:" >>,
+          SizeBare = byte_size(BARE_PREFIX),
+
+          Features = [Feat || #xmlel{attrs = [{<<"var">>, Feat}]} <-
+                              fxml:get_subtags(Packet, <<"feature">>)],
+                       
+          Identity = [I || I <- fxml:get_subtags(Packet, <<"identity">>)],
+
+          Exten = [I || I <- fxml:get_subtags_with_xmlns(Packet, <<"x">>, ?NS_XDATA)],
+
+          case Node of
+            << PREFIX:Size/binary, NS/binary >> ->
+              ets:update_element(delegated_namespaces, NS,
+                                 {5, {Features, Identity, Exten}});
+            << BARE_PREFIX:SizeBare/binary, NS/binary >> ->
+              ets:update_element(delegated_namespaces, NS,
+                                 {6, {Features, Identity, Exten}});
+               _ -> ok
+          end;
+      _ -> ok 
+  end;
+decapsulate_features(_Packet, _Node) -> ok.
+    
+-spec disco_result(atom(), atom(), binary()) -> ok.
+
+disco_result(HookRes, HookErr, Node) ->
+    fun(Packet) ->
+        Tag = fxml:get_subtag_with_xmlns(Packet, <<"query">>, ?NS_DISCO_INFO),
+        decapsulate_features(Tag, Node),
+        
+        ets:delete(hooks_tmp, {HookRes, ?MYNAME}),
+        ets:delete(hooks_tmp, {HookErr, ?MYNAME})
+    end.
+
+-spec disco_error(atom(), atom()) -> ok.
+
+disco_error(HookRes, HookErr) ->
+    fun(_Packet) ->
+        ets:delete(hooks_tmp, {HookRes, ?MYNAME}),
+        ets:delete(hooks_tmp, {HookErr, ?MYNAME})
+    end.
+
+-spec disco_info(state()) -> ok.
+
+disco_info(StateData) -> 
+    disco_info(StateData, <<"::">>),
+    disco_info(StateData, <<":bare:">>).
+
+-spec disco_info(state(), binary()) -> ok.
+
+disco_info(StateData, Sep) ->
+    lists:foreach(fun({Ns, _FilterAttr}) ->
+                    Id = randoms:get_string(),
+                    Node = << ?NS_DELEGATION/binary, Sep/binary, Ns/binary >>,
+
+                    HookRes = {iq, result, Id},
+                    HookErr = {iq, error, Id},
+
+                    FunRes = disco_result(HookRes, HookErr, Node),
+                    FunErr = disco_error(HookRes, HookErr),
+
+                    Timestamp = p1_time_compat:system_time(seconds),
+                    ets:insert(hooks_tmp, {{HookRes, ?MYNAME}, FunRes, Timestamp}),
+                    ets:insert(hooks_tmp, {{HookErr, ?MYNAME}, FunErr, Timestamp}),
+
+                    Tag = #xmlel{name = <<"query">>,
+                                 attrs = [{<<"xmlns">>, ?NS_DISCO_INFO}, 
+                                          {<<"node">>, Node}],
+                                 children = []},
+                    DiscoReq = #xmlel{name = <<"iq">>,
+                                      attrs = [{<<"type">>, <<"get">>}, {<<"id">>, Id},
+                                               {<<"from">>, ?MYNAME},
+                                               {<<"to">>, StateData#state.host }],
+                                      children = [Tag]},
+                    ejabberd_service:send_element(StateData, DiscoReq)
+
+                  end, StateData#state.delegations).
+
+
+disco_features(Acc, Bare) ->
+    Fun = fun(Feat) ->
+            ets:foldl(fun({Ns, _, _, _, _, _}, A) ->  
+                          A or str:prefix(Ns, Feat)
+                      end, false, delegated_namespaces)
+          end,
+    % delete feature namespace which is delegated to service
+    Features = lists:filter(fun ({{Feature, _Host}}) ->
+                                  not Fun(Feature);
+                                (Feature) when is_binary(Feature) ->
+                                  not Fun(Feature)
+                            end, Acc),
+    % add service features
+    FeaturesList =
+      ets:foldl(fun({_, _, _, _, {Feats, _, _}, {FeatsBare, _, _}}, A) ->
+                      if
+                        Bare -> A ++ FeatsBare;
+                        true -> A ++ Feats
+                      end;
+                   (_, A) -> A
+                end, Features, delegated_namespaces),
+    {result, FeaturesList}.
+
+disco_identity(Acc, Bare) ->
+    % filter delegated identites
+    Fun = fun(Ident) ->
+            ets:foldl(fun({_, _, _, _, {_ , I, _}, {_ , IBare, _}}, A) ->
+                            Identity = 
+                              if
+                                Bare -> IBare;
+                                true -> I
+                              end,
+                            (fxml:get_attr_s(<<"category">> , Ident) ==
+                             fxml:get_attr_s(<<"category">>, Identity)) and
+                            (fxml:get_attr_s(<<"type">> , Ident) ==
+                              fxml:get_attr_s(<<"type">>, Identity)) or A;
+                            (_, A) -> A
+                      end, false, delegated_namespaces)
+          end,
+
+    Identities =
+      lists:filter(fun (#xmlel{attrs = Attrs}) ->
+                      not Fun(Attrs)
+                   end, Acc),
+    % add service features
+    ets:foldl(fun({_, _, _, _, {_, I, _}, {_, IBare, _}}, A) ->
+                    if
+                      Bare -> A ++ IBare;
+                      true -> A ++ I
+                    end;
+                  (_, A) -> A
+              end, Identities, delegated_namespaces).
+
+%% xmlns from value element
+
+-spec get_field_value([xmlel()]) -> binary().
+
+get_field_value([]) -> <<"">>;
+get_field_value([Elem| Elems]) ->
+    case (fxml:get_attr_s(<<"var">>, Elem#xmlel.attrs) == <<"FORM_TYPE">>) and
+         (fxml:get_attr_s(<<"type">>, Elem#xmlel.attrs) == <<"hidden">>) of
+      true ->
+        Ns = fxml:get_subtag_cdata(Elem, <<"value">>),
+        if
+          Ns /= <<"">> -> Ns;
+          true -> get_field_value(Elems)
+        end;
+      _ -> get_field_value(Elems)
+    end.
+
+get_info(Acc, Bare) ->
+    Fun = fun(Feat) ->
+            ets:foldl(fun({Ns, _, _, _, _, _}, A) ->  
+                        (A or str:prefix(Ns, Feat))
+                      end, false, delegated_namespaces)
+          end,
+    Exten = lists:filter(fun(Xmlel) ->
+                           Tags = fxml:get_subtags(Xmlel, <<"field">>),
+                           case get_field_value(Tags) of
+                             <<"">> -> true;
+                             Value -> not Fun(Value)
+                           end
+                         end, Acc),
+    ets:foldl(fun({_, _, _, _, {_, _, Ext}, {_, _, ExtBare}}, A) ->
+                    if
+                      Bare -> A ++ ExtBare;
+                      true -> A ++ Ext
+                      end;
+                 (_, A) -> A
+              end, Exten, delegated_namespaces).
+    
+%% 7.2.1 General Case
+
+disco_local_features({error, _Error} = Acc, _From, _To, _Node, _Lang) ->
+    Acc;
+disco_local_features(Acc, _From, _To, <<>>, _Lang) ->
+    FeatsOld = case Acc of
+                 {result, I} -> I;
+                 _ -> []
+               end,
+    disco_features(FeatsOld, false);
+disco_local_features(Acc, _From, _To, _Node, _Lang) ->
+    Acc.
+
+disco_local_identity(Acc, _From, _To, <<>>, _Lang) ->
+    disco_identity(Acc, false);
+disco_local_identity(Acc, _From, _To, _Node, _Lang) ->
+    Acc.
+
+%% 7.2.2 Rediction Of Bare JID Disco Info
+
+disco_sm_features({error, ?ERR_ITEM_NOT_FOUND}, _From,
+                  #jid{lresource = <<"">>}, <<>>, _Lang) ->
+    disco_features([], true);
+disco_sm_features({error, _Error} = Acc, _From, _To, _Node, _Lang) ->
+    Acc;
+disco_sm_features(Acc, _From, #jid{lresource = <<"">>}, <<>>, _Lang) ->
+    FeatsOld = case Acc of
+                 {result, I} -> I;
+                 _ -> []
+               end,
+    disco_features(FeatsOld, true);
+disco_sm_features(Acc, _From, _To, _Node, _Lang) ->
+    Acc.
+
+disco_sm_identity(Acc, _From, #jid{lresource = <<"">>}, <<>>, _Lang) ->
+    disco_identity(Acc, true);
+disco_sm_identity(Acc, _From, _To, _Node, _Lang) ->
+    Acc.
+
+disco_info(Acc, #jid{}, #jid{lresource = <<"">>}, <<>>, _Lang) ->
+    get_info(Acc, true);
+disco_info(Acc, _Host, _Mod, <<>>, _Lang) ->
+    get_info(Acc, false);
+disco_info(Acc, _Host, _Mod, _Node, _Lang) ->
+    Acc.
+
+%% clean hooks_tmp table
+
+clean() ->
+    ?DEBUG("cleaning ~p ETS table~n", [hooks_tmp]),
+    Now = p1_time_compat:system_time(seconds),
+    catch ets:select_delete(hooks_tmp, 
+                            ets:fun2ms(fun({_, _, Timestamp}) -> 
+                                         Now - 300 >= Timestamp
+                                       end)),
+    %% start timer for table cleaning 
+    timer:apply_after(?CLEAN_INTERVAL, ?MODULE, clean, []).
@@ -39,7 +39,7 @@
 	 get_sm_identity/5, get_sm_features/5, get_sm_items/5,
 	 get_info/5, register_feature/2, unregister_feature/2,
 	 register_extra_domain/2, unregister_extra_domain/2,
-	 transform_module_options/1, mod_opt_type/1]).
+	 transform_module_options/1, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -534,6 +534,9 @@ values_to_xml(Values) ->
 	      end,
 	      Values).

+depends(_Host, _Opts) ->
+    [].
+
 mod_opt_type(extra_domains) ->
    fun (Hs) -> [iolist_to_binary(H) || H <- Hs] end;
 mod_opt_type(iqdisc) -> fun gen_iq_handler:check_type/1;
@@ -37,7 +37,7 @@

 -export([init/1, handle_call/3, handle_cast/2,
 	 handle_info/2, terminate/2, code_change/3,
-	 mod_opt_type/1]).
+	 mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -63,7 +63,7 @@ start_link(Host, Opts) ->
 start(Host, Opts) ->
    Proc = gen_mod:get_module_proc(Host, ?PROCNAME),
    ChildSpec = {Proc, {?MODULE, start_link, [Host, Opts]},
-		 temporary, 1000, worker, [?MODULE]},
+		 transient, 1000, worker, [?MODULE]},
    supervisor:start_child(ejabberd_sup, ChildSpec).

 stop(Host) ->
@@ -200,5 +200,8 @@ do_client_version(enabled, From, To) ->
    ?INFO_MSG("Information of the client: ~s~s",
 	      [ToS, Values_string2]).

+depends(_Host, _Opts) ->
+    [].
+
 mod_opt_type(host) -> fun iolist_to_binary/1;
 mod_opt_type(_) -> [host].
@@ -33,7 +33,7 @@

 -export([init/1, handle_call/3, handle_cast/2,
 	 handle_info/2, terminate/2, code_change/3,
-	 mod_opt_type/1]).
+	 mod_opt_type/1, depends/2]).

 -include_lib("stdlib/include/ms_transform.hrl").
 -include("ejabberd.hrl").
@@ -120,6 +120,9 @@ stop(Host) ->
    supervisor:terminate_child(ejabberd_sup, Proc),
    supervisor:delete_child(ejabberd_sup, Proc).

+depends(_Host, _Opts) ->
+    [].
+
 %%%===================================================================
 %%% gen_server callbacks
 %%%===================================================================
@@ -167,7 +170,7 @@ code_change(_OldVsn, State, _Extra) ->
 %%%===================================================================
 is_whitelisted(Host, Addr) ->
    Access = gen_mod:get_module_opt(Host, ?MODULE, access,
-				    fun(A) when is_atom(A) -> A end,
+				    fun(A) -> A end,
 				    none),
    acl:match_rule(Host, Access, Addr) == allow.

@@ -187,7 +190,7 @@ format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
 		  [Hour, Minute, Second, Day, Month, Year]).

 mod_opt_type(access) ->
-    fun (A) when is_atom(A) -> A end;
+    fun acl:access_rules_validator/1;
 mod_opt_type(c2s_auth_ban_lifetime) ->
    fun (T) when is_integer(T), T > 0 -> T end;
 mod_opt_type(c2s_max_auth_failures) ->
@@ -74,7 +74,7 @@

 -behaviour(gen_mod).

-export([start/2, stop/1, process/2, mod_opt_type/1]).
+-export([start/2, stop/1, process/2, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("jlib.hrl").
@@ -101,7 +101,7 @@

 -define(AC_ALLOW_HEADERS,
        {<<"Access-Control-Allow-Headers">>,
-         <<"Content-Type">>}).
+         <<"Content-Type, Authorization, X-Admin">>}).

 -define(AC_MAX_AGE,
        {<<"Access-Control-Max-Age">>, <<"86400">>}).
@@ -123,6 +123,9 @@ start(_Host, _Opts) ->
 stop(_Host) ->
    ok.

+depends(_Host, _Opts) ->
+    [].
+
 %% ----------
 %% basic auth
 %% ----------
@@ -130,13 +133,13 @@ stop(_Host) ->
 check_permissions(Request, Command) ->
    case catch binary_to_existing_atom(Command, utf8) of
        Call when is_atom(Call) ->
-            {ok, CommandPolicy} = ejabberd_commands:get_command_policy(Call),
-            check_permissions2(Request, Call, CommandPolicy);
+            {ok, CommandPolicy, Scope} = ejabberd_commands:get_command_policy_and_scope(Call),
+            check_permissions2(Request, Call, CommandPolicy, Scope);
        _ ->
-            unauthorized_response()
+            json_error(404, 40, <<"Endpoint not found.">>)
    end.

-check_permissions2(#request{auth = HTTPAuth, headers = Headers}, Call, _)
+check_permissions2(#request{auth = HTTPAuth, headers = Headers}, Call, _, ScopeList)
  when HTTPAuth /= undefined ->
    Admin =
        case lists:keysearch(<<"X-Admin">>, 1, Headers) of
@@ -156,24 +159,25 @@ check_permissions2(#request{auth = HTTPAuth, headers = Headers}, Call, _)
                        false
                end;
            {oauth, Token, _} ->
-                case oauth_check_token(Call, Token) of
-                    {ok, User, Server} ->
+                case oauth_check_token(ScopeList, Token) of
+                    {ok, user, {User, Server}} ->
                        {ok, {User, Server, {oauth, Token}, Admin}};
-                    false ->
-                        false
+                    {false, Reason} ->
+                        {false, Reason}
                end;
            _ ->
                false
        end,
    case Auth of
        {ok, A} -> {allowed, Call, A};
+        {false, no_matching_scope} -> outofscope_response();
        _ -> unauthorized_response()
    end;
-check_permissions2(_Request, Call, open) ->
+check_permissions2(_Request, Call, open, _Scope) ->
    {allowed, Call, noauth};
-check_permissions2(#request{ip={IP, _Port}}, Call, _Policy) ->
+check_permissions2(#request{ip={IP, _Port}}, Call, _Policy, _Scope) ->
    Access = gen_mod:get_module_opt(global, ?MODULE, admin_ip_access,
-                                    mod_opt_type(admin_ip_access),
+                                    fun(V) -> V end,
                                    none),
    Res = acl:match_rule(global, Access, IP),
    case Res of
@@ -186,19 +190,16 @@ check_permissions2(#request{ip={IP, _Port}}, Call, _Policy) ->
        Commands when is_list(Commands) ->
            case lists:member(Call, Commands) of
                true -> {allowed, Call, admin};
-                _ -> unauthorized_response()
+                _ -> outofscope_response()
            end;
-        E ->
-	    ?DEBUG("Unauthorized: ~p", [E]),
-            unauthorized_response()
+        _E ->
+            {allowed, Call, noauth}
    end;
-check_permissions2(_Request, _Call, _Policy) ->
+check_permissions2(_Request, _Call, _Policy, _Scope) ->
    unauthorized_response().

-oauth_check_token(Scope, Token) when is_atom(Scope) ->
-    oauth_check_token(atom_to_binary(Scope, utf8), Token);
-oauth_check_token(Scope, Token) ->
-    ejabberd_oauth:check_token(Scope, Token).
+oauth_check_token(ScopeList, Token) when is_list(ScopeList) ->
+    ejabberd_oauth:check_token(ScopeList, Token).

 %% ------------------
 %% command processing
@@ -209,27 +210,27 @@ oauth_check_token(Scope, Token) ->
 process(_, #request{method = 'POST', data = <<>>}) ->
    ?DEBUG("Bad Request: no data", []),
    badrequest_response(<<"Missing POST data">>);
-process([Call], #request{method = 'POST', data = Data, ip = IP} = Req) ->
+process([Call], #request{method = 'POST', data = Data, ip = {IP, _} = IPPort} = Req) ->
    Version = get_api_version(Req),
    try
-        Args = case jiffy:decode(Data) of
-            List when is_list(List) -> List;
-            {List} when is_list(List) -> List;
-            Other -> [Other]
-        end,
-        log(Call, Args, IP),
+        Args = extract_args(Data),
+        log(Call, Args, IPPort),
        case check_permissions(Req, Call) of
            {allowed, Cmd, Auth} ->
-                {Code, Result} = handle(Cmd, Auth, Args, Version),
-                json_response(Code, jiffy:encode(Result));
+                Result = handle(Cmd, Auth, Args, Version, IP),
+                json_format(Result);
            %% Warning: check_permission direcly formats 401 reply if not authorized
            ErrorResponse ->
                ErrorResponse
        end
-    catch _:{error,{_,invalid_json}} = _Err ->
-	    ?DEBUG("Bad Request: ~p", [_Err]),
-	    badrequest_response(<<"Invalid JSON input">>);
-	  _:_Error ->
+    catch
+        %% TODO We need to refactor to remove redundant error return formatting
+        throw:{error, unknown_command} ->
+            {404, 40, <<"Command not found.">>};
+        _:{error,{_,invalid_json}} = _Err ->
+            ?DEBUG("Bad Request: ~p", [_Err]),
+            badrequest_response(<<"Invalid JSON input">>);
+          _:_Error ->
            ?DEBUG("Bad Request: ~p ~p", [_Error, erlang:get_stacktrace()]),
            badrequest_response()
    end;
@@ -243,31 +244,47 @@ process([Call], #request{method = 'GET', q = Data, ip = IP} = Req) ->
        log(Call, Args, IP),
        case check_permissions(Req, Call) of
            {allowed, Cmd, Auth} ->
-                {Code, Result} = handle(Cmd, Auth, Args, Version),
-                json_response(Code, jiffy:encode(Result));
+                Result = handle(Cmd, Auth, Args, Version, IP),
+                json_format(Result);
            %% Warning: check_permission direcly formats 401 reply if not authorized
            ErrorResponse ->
                ErrorResponse
        end
-    catch _:_Error ->
+    catch
+        %% TODO We need to refactor to remove redundant error return formatting
+        throw:{error, unknown_command} ->
+            json_format({404, 44, <<"Command not found.">>});
+        _:_Error ->
+
        ?DEBUG("Bad Request: ~p ~p", [_Error, erlang:get_stacktrace()]),
        badrequest_response()
    end;
-process([], #request{method = 'OPTIONS', data = <<>>}) ->
+process([_Call], #request{method = 'OPTIONS', data = <<>>}) ->
    {200, ?OPTIONS_HEADER, []};
+process(_, #request{method = 'OPTIONS'}) ->
+    {400, ?OPTIONS_HEADER, []};
 process(_Path, Request) ->
    ?DEBUG("Bad Request: no handler ~p", [Request]),
-    badrequest_response().
+    json_error(400, 40, <<"Missing command name.">>).
+
+%% Be tolerant to make API more easily usable from command-line pipe.
+extract_args(<<"\n">>) -> [];
+extract_args(Data) ->
+    case jiffy:decode(Data) of
+        List when is_list(List) -> List;
+        {List} when is_list(List) -> List;
+        Other -> [Other]
+    end.

 % get API version N from last "vN" element in URL path
 get_api_version(#request{path = Path}) ->
    get_api_version(lists:reverse(Path));
 get_api_version([<<"v", String/binary>> | Tail]) ->
    case catch jlib:binary_to_integer(String) of
-	N when is_integer(N) ->
-	    N;
-	_ ->
-	    get_api_version(Tail)
+        N when is_integer(N) ->
+            N;
+        _ ->
+            get_api_version(Tail)
    end;
 get_api_version([_Head | Tail]) ->
    get_api_version(Tail);
@@ -278,8 +295,10 @@ get_api_version([]) ->
 %% command handlers
 %% ----------------

+%% TODO Check accept types of request before decided format of reply.
+
 % generic ejabberd command handler
-handle(Call, Auth, Args, Version) when is_atom(Call), is_list(Args) ->
+handle(Call, Auth, Args, Version, IP) when is_atom(Call), is_list(Args) ->
    case ejabberd_commands:get_command_format(Call, Auth, Version) of
        {ArgsSpec, _} when is_list(ArgsSpec) ->
            Args2 = [{jlib:binary_to_atom(Key), Value} || {Key, Value} <- Args],
@@ -296,7 +315,7 @@ handle(Call, Auth, Args, Version) when is_atom(Call), is_list(Args) ->
                            [{Key, undefined}|Acc]
                    end, [], ArgsSpec),
 	    try
-		handle2(Call, Auth, match(Args2, Spec), Version)
+          handle2(Call, Auth, match(Args2, Spec), Version, IP)
 	    catch throw:not_found ->
 		    {404, <<"not_found">>};
 		  throw:{not_found, Why} when is_atom(Why) ->
@@ -309,8 +328,10 @@ handle(Call, Auth, Args, Version) when is_atom(Call), is_list(Args) ->
 		    {401, jlib:atom_to_binary(Why)};
 		  throw:{not_allowed, Msg} ->
 		    {401, iolist_to_binary(Msg)};
-                  throw:{error, account_unprivileged} ->
-                    {401, iolist_to_binary(<<"Unauthorized: Account Unpriviledged">>)};
+      throw:{error, account_unprivileged} ->
+        {403, 31, <<"Command need to be run with admin priviledge.">>};
+      throw:{error, access_rules_unauthorized} ->
+        {403, 32, <<"AccessRules: Account associated to token does not have the right to perform the operation.">>};
 		  throw:{invalid_parameter, Msg} ->
 		    {400, iolist_to_binary(Msg)};
 		  throw:{error, Why} when is_atom(Why) ->
@@ -333,10 +354,10 @@ handle(Call, Auth, Args, Version) when is_atom(Call), is_list(Args) ->
            {400, <<"Error">>}
    end.

-handle2(Call, Auth, Args, Version) when is_atom(Call), is_list(Args) ->
+handle2(Call, Auth, Args, Version, IP) when is_atom(Call), is_list(Args) ->
    {ArgsF, _ResultF} = ejabberd_commands:get_command_format(Call, Auth, Version),
    ArgsFormatted = format_args(Args, ArgsF),
-    ejabberd_command(Auth, Call, ArgsFormatted, Version).
+    ejabberd_command(Auth, Call, ArgsFormatted, Version, IP).

 get_elem_delete(A, L) ->
    case proplists:get_all_values(A, L) of
@@ -366,28 +387,47 @@ format_args(Args, ArgsFormat) ->
      L when is_list(L) -> exit({additional_unused_args, L})
    end.

-format_arg({array, Elements},
-	   {list, {ElementDefName, ElementDefFormat}})
+format_arg({Elements},
+	   {list, {_ElementDefName, {tuple, [{_Tuple1N, Tuple1S}, {_Tuple2N, Tuple2S}]} = Tuple}})
+    when is_list(Elements) andalso
+	 (Tuple1S == binary orelse Tuple1S == string) ->
+    lists:map(fun({F1, F2}) ->
+		      {format_arg(F1, Tuple1S), format_arg(F2, Tuple2S)};
+		 ({Val}) when is_list(Val) ->
+		      format_arg({Val}, Tuple)
+	      end, Elements);
+format_arg(Elements,
+	   {list, {_ElementDefName, {list, _} = ElementDefFormat}})
    when is_list(Elements) ->
-    lists:map(fun ({struct, [{ElementName, ElementValue}]}) when
-                        ElementDefName == ElementName ->
-		      format_arg(ElementValue, ElementDefFormat)
-	      end,
-	      Elements);
-format_arg({array, [{struct, Elements}]},
-	   {list, {ElementDefName, ElementDefFormat}})
+    [{format_arg(Element, ElementDefFormat)}
+     || Element <- Elements];
+format_arg(Elements,
+	   {list, {_ElementDefName, ElementDefFormat}})
    when is_list(Elements) ->
-    lists:map(fun ({ElementName, ElementValue}) ->
-		      true = ElementDefName == ElementName,
-		      format_arg(ElementValue, ElementDefFormat)
-	      end,
-	      Elements);
-format_arg({array, [{struct, Elements}]},
+    [format_arg(Element, ElementDefFormat)
+     || Element <- Elements];
+format_arg({[{Name, Value}]},
+	   {tuple, [{_Tuple1N, Tuple1S}, {_Tuple2N, Tuple2S}]})
+  when Tuple1S == binary;
+       Tuple1S == string ->
+    {format_arg(Name, Tuple1S), format_arg(Value, Tuple2S)};
+format_arg({Elements},
 	   {tuple, ElementsDef})
    when is_list(Elements) ->
-    FormattedList = format_args(Elements, ElementsDef),
-    list_to_tuple(FormattedList);
-format_arg({array, Elements}, {list, ElementsDef})
+    F = lists:map(fun({TElName, TElDef}) ->
+			  case lists:keyfind(atom_to_binary(TElName, latin1), 1, Elements) of
+			      {_, Value} ->
+				  format_arg(Value, TElDef);
+			      _ when TElDef == binary; TElDef == string ->
+				  <<"">>;
+			      _ ->
+				  ?ERROR_MSG("missing field ~p in tuple ~p", [TElName, Elements]),
+				  throw({invalid_parameter,
+					 io_lib:format("Missing field ~w in tuple ~w", [TElName, Elements])})
+			  end
+		  end, ElementsDef),
+    list_to_tuple(F);
+format_arg(Elements, {list, ElementsDef})
    when is_list(Elements) and is_atom(ElementsDef) ->
    [format_arg(Element, ElementsDef)
     || Element <- Elements];
@@ -401,7 +441,7 @@ format_arg(undefined, string) -> <<>>;
 format_arg(Arg, Format) ->
    ?ERROR_MSG("don't know how to format Arg ~p for format ~p", [Arg, Format]),
    throw({invalid_parameter,
-	   io_lib:format("Arg ~p is not in format ~p",
+	   io_lib:format("Arg ~w is not in format ~w",
 			 [Arg, Format])}).

 process_unicode_codepoints(Str) ->
@@ -416,12 +456,12 @@ process_unicode_codepoints(Str) ->
 match(Args, Spec) ->
    [{Key, proplists:get_value(Key, Args, Default)} || {Key, Default} <- Spec].

-ejabberd_command(Auth, Cmd, Args, Version) ->
+ejabberd_command(Auth, Cmd, Args, Version, IP) ->
    Access = case Auth of
                 admin -> [];
                 _ -> undefined
             end,
-    case ejabberd_commands:execute_command(Access, Auth, Cmd, Args, Version) of
+    case ejabberd_commands:execute_command(Access, Auth, Cmd, Args, Version, #{ip => IP}) of
        {error, Error} ->
            throw(Error);
        Res ->
@@ -431,22 +471,24 @@ ejabberd_command(Auth, Cmd, Args, Version) ->
 format_command_result(Cmd, Auth, Result, Version) ->
    {_, ResultFormat} = ejabberd_commands:get_command_format(Cmd, Auth, Version),
    case {ResultFormat, Result} of
-	{{_, rescode}, V} when V == true; V == ok ->
-	    {200, 0};
-	{{_, rescode}, _} ->
-	    {200, 1};
-	{{_, restuple}, {V1, Text1}} when V1 == true; V1 == ok ->
-	    {200, iolist_to_binary(Text1)};
-	{{_, restuple}, {_, Text2}} ->
-	    {500, iolist_to_binary(Text2)};
-	{{_, {list, _}}, _V} ->
-	    {_, L} = format_result(Result, ResultFormat),
-	    {200, L};
-	{{_, {tuple, _}}, _V} ->
-	    {_, T} = format_result(Result, ResultFormat),
-	    {200, T};
-	_ ->
-	    {200, {[format_result(Result, ResultFormat)]}}
+        {{_, rescode}, V} when V == true; V == ok ->
+            {200, 0};
+        {{_, rescode}, _} ->
+            {200, 1};
+        {_, {error, ErrorAtom, Code, Msg}} ->
+            format_error_result(ErrorAtom, Code, Msg);
+        {{_, restuple}, {V, Text}} when V == true; V == ok ->
+            {200, iolist_to_binary(Text)};
+        {{_, restuple}, {ErrorAtom, Msg}} ->
+            format_error_result(ErrorAtom, 0, Msg);
+        {{_, {list, _}}, _V} ->
+            {_, L} = format_result(Result, ResultFormat),
+            {200, L};
+        {{_, {tuple, _}}, _V} ->
+            {_, T} = format_result(Result, ResultFormat),
+            {200, T};
+        _ ->
+            {200, {[format_result(Result, ResultFormat)]}}
    end.

 format_result(Atom, {Name, atom}) ->
@@ -466,6 +508,11 @@ format_result({Code, Text}, {Name, restuple}) ->
     {[{<<"res">>, Code == true orelse Code == ok},
       {<<"text">>, iolist_to_binary(Text)}]}};

+format_result(Code, {Name, restuple}) ->
+    {jlib:atom_to_binary(Name),
+     {[{<<"res">>, Code == true orelse Code == ok},
+       {<<"text">>, <<"">>}]}};
+
 format_result(Els, {Name, {list, {_, {tuple, [{_, atom}, _]}} = Fmt}}) ->
    {jlib:atom_to_binary(Name), {[format_result(El, Fmt) || El <- Els]}};

@@ -484,25 +531,45 @@ format_result(Tuple, {Name, {tuple, Def}}) ->
 format_result(404, {_Name, _}) ->
    "not_found".

+
+format_error_result(conflict, Code, Msg) ->
+    {409, Code, iolist_to_binary(Msg)};
+format_error_result(_ErrorAtom, Code, Msg) ->
+    {500, Code, iolist_to_binary(Msg)}.
+
 unauthorized_response() ->
-    unauthorized_response(<<"401 Unauthorized">>).
-unauthorized_response(Body) ->
-    json_response(401, jiffy:encode(Body)).
+    json_error(401, 10, <<"Oauth Token is invalid or expired.">>).
+
+outofscope_response() ->
+    json_error(401, 11, <<"Token does not grant usage to command required scope.">>).

 badrequest_response() ->
    badrequest_response(<<"400 Bad Request">>).
 badrequest_response(Body) ->
    json_response(400, jiffy:encode(Body)).

+json_format({Code, Result}) ->
+    json_response(Code, jiffy:encode(Result));
+json_format({HTMLCode, JSONErrorCode, Message}) ->
+    json_error(HTMLCode, JSONErrorCode, Message).
+
 json_response(Code, Body) when is_integer(Code) ->
    {Code, ?HEADER(?CT_JSON), Body}.

+%% HTTPCode, JSONCode = integers
+%% message is binary
+json_error(HTTPCode, JSONCode, Message) ->
+    {HTTPCode, ?HEADER(?CT_JSON),
+     jiffy:encode({[{<<"status">>, <<"error">>},
+                    {<<"code">>, JSONCode},
+                    {<<"message">>, Message}]})
+    }.
+
 log(Call, Args, {Addr, Port}) ->
    AddrS = jlib:ip_to_list({Addr, Port}),
    ?INFO_MSG("API call ~s ~p from ~s:~p", [Call, Args, AddrS, Port]);
 log(Call, Args, IP) ->
    ?INFO_MSG("API call ~s ~p (~p)", [Call, Args, IP]).

-mod_opt_type(admin_ip_access) ->
-    fun(Access) when is_atom(Access) -> Access end;
+mod_opt_type(admin_ip_access) -> fun acl:access_rules_validator/1;
 mod_opt_type(_) -> [admin_ip_access].
@@ -37,7 +37,7 @@

 -behaviour(gen_mod).

-export([start/2, stop/1, process/2, mod_opt_type/1]).
+-export([start/2, stop/1, process/2, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -109,6 +109,8 @@ mod_opt_type(max_pause) ->
    fun (I) when is_integer(I), I > 0 -> I end;
 mod_opt_type(_) -> [max_inactivity, max_pause].

+depends(_Host, _Opts) ->
+    [].

 %%%----------------------------------------------------------------------
 %%% Help Web Page
@@ -46,7 +46,7 @@
 %% utility for other http modules
 -export([content_type/3]).

-export([reopen_log/1, mod_opt_type/1]).
+-export([reopen_log/1, mod_opt_type/1, depends/2]).

 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -109,6 +109,9 @@ stop(Host) ->
    supervisor:terminate_child(ejabberd_sup, Proc),
    supervisor:delete_child(ejabberd_sup, Proc).

+depends(_Host, _Opts) ->
+    [].
+
 %%====================================================================
 %% API
 %%====================================================================
@@ -68,6 +68,7 @@
 -export([start_link/3,
 	 start/2,
 	 stop/1,
+	 depends/2,
 	 mod_opt_type/1]).

 %% gen_server callbacks.
@@ -178,7 +179,7 @@ mod_opt_type(host) ->
 mod_opt_type(name) ->
    fun iolist_to_binary/1;
 mod_opt_type(access) ->
-    fun(A) when is_atom(A) -> A end;
+    fun acl:access_rules_validator/1;
 mod_opt_type(max_size) ->
    fun(I) when is_integer(I), I > 0 -> I;
       (infinity) -> infinity
@@ -222,6 +223,11 @@ mod_opt_type(_) ->
     dir_mode, docroot, put_url, get_url, service_url, custom_headers,
     rm_on_unregister, thumbnail].

+-spec depends(binary(), gen_mod:opts()) -> [{module(), hard | soft}].
+
+depends(_Host, _Opts) ->
+    [].
+
 %%--------------------------------------------------------------------
 %% gen_server callbacks.
 %%--------------------------------------------------------------------
@@ -235,7 +241,7 @@ init({ServerHost, Opts}) ->
 			   fun iolist_to_binary/1,
 			   <<"HTTP File Upload">>),
    Access = gen_mod:get_opt(access, Opts,
-			     fun(A) when is_atom(A) -> A end,
+			     fun acl:access_rules_validator/1,
 			     local),
    MaxSize = gen_mod:get_opt(max_size, Opts,
 			      fun(I) when is_integer(I), I > 0 -> I;
@@ -321,22 +327,24 @@ init({ServerHost, Opts}) ->
      -> {reply, {ok, pos_integer(), binary(),
 		      pos_integer() | undefined,
 		      pos_integer() | undefined}, state()} |
-	 {reply, {error, binary()}, state()} | {noreply, state()}.
+	 {reply, {error, atom()}, state()} | {noreply, state()}.

-handle_call({use_slot, Slot}, _From, #state{file_mode = FileMode,
-					    dir_mode = DirMode,
-					    get_url = GetPrefix,
-					    thumbnail = Thumbnail,
-					    docroot = DocRoot} = State) ->
+handle_call({use_slot, Slot, Size}, _From, #state{file_mode = FileMode,
+						  dir_mode = DirMode,
+						  get_url = GetPrefix,
+						  thumbnail = Thumbnail,
+						  docroot = DocRoot} = State) ->
    case get_slot(Slot, State) of
 	{ok, {Size, Timer}} ->
 	    timer:cancel(Timer),
 	    NewState = del_slot(Slot, State),
 	    Path = str:join([DocRoot | Slot], <<$/>>),
-	    {reply, {ok, Size, Path, FileMode, DirMode, GetPrefix, Thumbnail},
+	    {reply, {ok, Path, FileMode, DirMode, GetPrefix, Thumbnail},
 	     NewState};
+	{ok, {_WrongSize, _Timer}} ->
+	    {reply, {error, size_mismatch}, State};
 	error ->
-	    {reply, {error, <<"Invalid slot">>}, State}
+	    {reply, {error, invalid_slot}, State}
    end;
 handle_call(get_docroot, _From, #state{docroot = DocRoot} = State) ->
    {reply, {ok, DocRoot}, State};
@@ -406,9 +414,8 @@ process(LocalPath, #request{method = Method, host = Host, ip = IP})
 process(_LocalPath, #request{method = 'PUT', host = Host, ip = IP,
 			     data = Data} = Request) ->
    {Proc, Slot} = parse_http_request(Request),
-    case catch gen_server:call(Proc, {use_slot, Slot}) of
-	{ok, Size, Path, FileMode, DirMode, GetPrefix, Thumbnail}
-	    when byte_size(Data) == Size ->
+    case catch gen_server:call(Proc, {use_slot, Slot, byte_size(Data)}) of
+	{ok, Path, FileMode, DirMode, GetPrefix, Thumbnail} ->
 	    ?DEBUG("Storing file from ~s for ~s: ~s",
 		   [?ADDR_TO_STR(IP), Host, Path]),
 	    case store_file(Path, Data, FileMode, DirMode,
@@ -422,13 +429,13 @@ process(_LocalPath, #request{method = 'PUT', host = Host, ip = IP,
 			       [Path, ?ADDR_TO_STR(IP), Host, ?FORMAT(Error)]),
 		    http_response(Host, 500)
 	    end;
-	{ok, Size, Path, _FileMode, _DirMode, _GetPrefix, _Thumbnail} ->
-	    ?INFO_MSG("Rejecting file ~s from ~s for ~s: Size is ~B, not ~B",
-		      [Path, ?ADDR_TO_STR(IP), Host, byte_size(Data), Size]),
+	{error, size_mismatch} ->
+	    ?INFO_MSG("Rejecting file from ~s for ~s: Unexpected size (~B)",
+		      [?ADDR_TO_STR(IP), Host, byte_size(Data)]),
 	    http_response(Host, 413);
-	{error, Error} ->
-	    ?INFO_MSG("Rejecting file from ~s for ~s: ~p",
-		      [?ADDR_TO_STR(IP), Host, Error]),
+	{error, invalid_slot} ->
+	    ?INFO_MSG("Rejecting file from ~s for ~s: Invalid slot",
+		      [?ADDR_TO_STR(IP), Host]),
 	    http_response(Host, 403);
 	Error ->
 	    ?ERROR_MSG("Cannot handle PUT request from ~s for ~s: ~p",
--- a/Show More
+++ b/Show More