Diff

plugins/muc/muc.lib.lua @ 11712:d117b92fd8e4 0.11 0.11.10

MUC: Fix logic for access to affiliation lists. Fixes https://prosody.im/security/advisory_20210722/ and backs out 4d7b925652d9
author Kim Alvefur <zash@zash.se>
date Thu, 22 Jul 2021 17:18:39 +0200
parent 11235:1dba335eacea
child 11713:7623767df468
--- a/plugins/muc/muc.lib.lua	Sat Jul 03 03:27:57 2021 +0200
+++ b/plugins/muc/muc.lib.lua	Thu Jul 22 17:18:39 2021 +0200
@@ -976,7 +976,7 @@
 		-- e.g. an admin can't ask for a list of owners
 		local affiliation_rank = valid_affiliations[affiliation or "none"];
 		if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
-		or (self:get_whois() == "anyone") then
+		or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
 			local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
 			for jid in self:each_affiliation(_aff or "none") do
 				local nick = self:get_registered_nick(jid);
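Review bot: The new member branch on the `or (self:get_members_only() and ...` line has no `affiliation_rank >= _aff_rank` comparison, so the rank cap in the comment above ("an admin can't ask for a list of owners") applies only to the admin branch. A member of a non-anonymous, members-only room therefore appears able to request any list that `_aff` names, including lists ranked above their own affiliation. If that is intended, the comment above the condition should say so, e.g. `-- members of a members-only, non-anonymous room may also read affiliation lists (no rank cap)`; if it is not, append `and affiliation_rank >= _aff_rank` to the member branch. A regression test asserting that an unaffiliated occupant is refused this query in a `whois == "anyone"` room would keep this access rule from regressing. The enclosing function begins and ends outside the hunk, so where `_aff` and `_aff_rank` are computed and validated is not visible here.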