Allow restricting an oper account based on services account.

docs/conf/opers.conf.example

@@ -128,7 +128,11 @@
       # for security reasons.
       host="attila@inspircd.org *@2001:db8::/32"
 
-      # ** ADVANCED ** This option is disabled by default.
+      # account: A space delimited list of account names or account ids that are allowed
+      # to log into this account.
+      # Requires the account module.
+      account="Attila 1234567890"
+
       # fingerprint: When using the sslinfo module, you may specify a space separated
       # list of TLS client certificate fingerprints here. These can be obtained by using
       # the /SSLINFO command while the module is loaded, and is also noticed on connect.

src/modules/m_account.cpp

@@ -338,6 +338,28 @@ public:
 		return MOD_RES_PASSTHRU;
 	}
 
+	ModResult OnPreOperLogin(LocalUser* user, const std::shared_ptr<OperAccount>& oper) override
+	{
+		const std::string accountstr = oper->GetConfig()->getString("account");
+		if (accountstr.empty())
+			return MOD_RES_PASSTHRU;
+
+		const std::string* accountid = accountapi.GetAccountId(user);
+		const std::string* accountname = accountapi.GetAccountName(user);
+
+		irc::spacesepstream accountstream(accountstr);
+		for (std::string account; accountstream.GetToken(account); )
+		{
+			if (accountid && irc::equals(account, *accountid))
+				return MOD_RES_PASSTHRU; // Matches on account id.
+
+			if (accountname && irc::equals(account, *accountname))
+				return MOD_RES_PASSTHRU; // Matches on account name.
+		}
+
+		return MOD_RES_DENY; // Account required but it does not match.
+	}
+
 	ModResult OnSetConnectClass(LocalUser* user, const ConnectClass::Ptr& myclass) override
 	{
 		const char* error = nullptr;