# HG changeset patch # User daurnimator # Date 1396291542 14400 # Node ID 8936b9fbedfd3c58c78da9e50cf278e012e7f46a # Parent 1ee4d89535444ab79283526a5bc730cdb49432eb plugins/muc/muc.lib: restrict invitations in members only rooms to admins diff -r 1ee4d8953544 -r 8936b9fbedfd plugins/muc/muc.lib.lua --- a/plugins/muc/muc.lib.lua Mon Mar 31 14:44:52 2014 -0400 +++ b/plugins/muc/muc.lib.lua Mon Mar 31 14:45:42 2014 -0400 @@ -1204,6 +1204,17 @@ end end); +-- Invitation privileges in members-only rooms SHOULD be restricted to room admins; +-- if a member without privileges to edit the member list attempts to invite another user +-- the service SHOULD return a error to the occupant +module:hook("muc-pre-invite", function(event) + local room, stanza = event.room, event.stanza; + if room:get_members_only() and valid_affiliations[room:get_affiliation(stanza.attr.from) or "none"] < valid_affiliations.admin then + event.origin.send(st.error_reply(stanza, "auth", "forbidden")); + return true; + end +end); + function room_mt:handle_mediated_invite(origin, stanza) local payload = stanza:get_child("x", "http://jabber.org/protocol/muc#user"):get_child("invite"); local invitee = jid_prep(payload.attr.to);