prosody
d117b92fd8e4
plugins/muc/muc.lib.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

plugins/muc/muc.lib.lua @ 11712:d117b92fd8e4 0.11 0.11.10

MUC: Fix logic for access to affiliation lists Fixes https://prosody.im/security/advisory_20210722/ Backs out 4d7b925652d9
author Kim Alvefur <zash@zash.se>
date Thu, 22 Jul 2021 17:18:39 +0200
parent 11235:1dba335eacea
child 11713:7623767df468
comparison
equal deleted inserted replaced
11649:aa119de5f6c7 11712:d117b92fd8e4
974 if _aff and _aff_rank and not _rol then 974 if _aff and _aff_rank and not _rol then
975 -- You need to be at least an admin, and be requesting info about your affifiliation or lower 975 -- You need to be at least an admin, and be requesting info about your affifiliation or lower
976 -- e.g. an admin can't ask for a list of owners 976 -- e.g. an admin can't ask for a list of owners
977 local affiliation_rank = valid_affiliations[affiliation or "none"]; 977 local affiliation_rank = valid_affiliations[affiliation or "none"];
978 if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank) 978 if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
979 or (self:get_whois() == "anyone") then 979 or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
980 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); 980 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
981 for jid in self:each_affiliation(_aff or "none") do 981 for jid in self:each_affiliation(_aff or "none") do
982 local nick = self:get_registered_nick(jid); 982 local nick = self:get_registered_nick(jid);
983 reply:tag("item", {affiliation = _aff, jid = jid, nick = nick }):up(); 983 reply:tag("item", {affiliation = _aff, jid = jid, nick = nick }):up();
984 end 984 end