diff options
author | daurnimator <quae@daurnimator.com> | 2014-09-26 17:43:00 -0400 |
---|---|---|
committer | daurnimator <quae@daurnimator.com> | 2014-09-26 17:43:00 -0400 |
commit | 405759369aac19f1f5dae92f0da69f744a14b04e (patch) | |
tree | e1ac2daeef563c745a70f7b057433efa0b9c2358 | |
parent | ed99ded1baed03ffe925265d85db71c2d4603a93 (diff) | |
download | prosody-405759369aac19f1f5dae92f0da69f744a14b04e.tar.gz prosody-405759369aac19f1f5dae92f0da69f744a14b04e.zip |
plugins/muc/muc.lib: Validate affiliations and roles to admin query get
-rw-r--r-- | plugins/muc/muc.lib.lua | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua index fa0f6b26..ef62ddd2 100644 --- a/plugins/muc/muc.lib.lua +++ b/plugins/muc/muc.lib.lua @@ -734,9 +734,13 @@ function room_mt:handle_admin_query_get_command(origin, stanza) local affiliation = self:get_affiliation(actor); local item = stanza.tags[1].tags[1]; local _aff = item.attr.affiliation; + local _aff_rank = valid_affiliations[_aff or "none"]; local _rol = item.attr.role; - if _aff and not _rol then - if affiliation == "owner" or (affiliation == "admin" and _aff ~= "owner" and _aff ~= "admin") then + if _aff and _aff_rank and not _rol then + -- You need to be at least an admin, and be requesting info about your affifiliation or lower + -- e.g. an admin can't ask for a list of owners + local affiliation_rank = valid_affiliations[affiliation]; + if affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank then local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); for jid, affiliation in pairs(self._affiliations) do if affiliation == _aff then @@ -749,7 +753,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza) origin.send(st.error_reply(stanza, "auth", "forbidden")); return true; end - elseif _rol and not _aff then + elseif _rol and valid_roles[_rol or "none"] and not _aff then local role = self:get_role(self:get_occupant_jid(actor)) or self:get_default_role(affiliation); if valid_roles[role or "none"] >= valid_roles.moderator then if _rol == "none" then _rol = nil; end |