aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordaurnimator <quae@daurnimator.com>2014-09-26 17:43:00 -0400
committerdaurnimator <quae@daurnimator.com>2014-09-26 17:43:00 -0400
commit405759369aac19f1f5dae92f0da69f744a14b04e (patch)
treee1ac2daeef563c745a70f7b057433efa0b9c2358
parented99ded1baed03ffe925265d85db71c2d4603a93 (diff)
downloadprosody-405759369aac19f1f5dae92f0da69f744a14b04e.tar.gz
prosody-405759369aac19f1f5dae92f0da69f744a14b04e.zip
plugins/muc/muc.lib: Validate affiliations and roles to admin query get
-rw-r--r--plugins/muc/muc.lib.lua10
1 files changed, 7 insertions, 3 deletions
diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
index fa0f6b26..ef62ddd2 100644
--- a/plugins/muc/muc.lib.lua
+++ b/plugins/muc/muc.lib.lua
@@ -734,9 +734,13 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
local affiliation = self:get_affiliation(actor);
local item = stanza.tags[1].tags[1];
local _aff = item.attr.affiliation;
+ local _aff_rank = valid_affiliations[_aff or "none"];
local _rol = item.attr.role;
- if _aff and not _rol then
- if affiliation == "owner" or (affiliation == "admin" and _aff ~= "owner" and _aff ~= "admin") then
+ if _aff and _aff_rank and not _rol then
+ -- You need to be at least an admin, and be requesting info about your affifiliation or lower
+ -- e.g. an admin can't ask for a list of owners
+ local affiliation_rank = valid_affiliations[affiliation];
+ if affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank then
local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
for jid, affiliation in pairs(self._affiliations) do
if affiliation == _aff then
@@ -749,7 +753,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
origin.send(st.error_reply(stanza, "auth", "forbidden"));
return true;
end
- elseif _rol and not _aff then
+ elseif _rol and valid_roles[_rol or "none"] and not _aff then
local role = self:get_role(self:get_occupant_jid(actor)) or self:get_default_role(affiliation);
if valid_roles[role or "none"] >= valid_roles.moderator then
if _rol == "none" then _rol = nil; end