diff options
| author | Kim Alvefur <zash@zash.se> | 2021-07-22 17:18:39 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2021-07-22 17:18:39 +0200 |
| commit | 00735e47597c877f16bdbcd57a7746568e881c99 (patch) | |
| tree | c6d4269946054696d7ab098fb2db614ad9bec77f /plugins | |
| parent | 59d820880f0421041b72b73d1fe52aa64adce43d (diff) | |
| download | prosody-00735e47597c877f16bdbcd57a7746568e881c99.tar.gz prosody-00735e47597c877f16bdbcd57a7746568e881c99.zip | |
MUC: Fix logic for access to affiliation lists0.11.10
Fixes https://prosody.im/security/advisory_20210722/
Backs out 4d7b925652d9
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/muc/muc.lib.lua | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua index 037baa37..f037c4f6 100644 --- a/plugins/muc/muc.lib.lua +++ b/plugins/muc/muc.lib.lua @@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza) -- e.g. an admin can't ask for a list of owners local affiliation_rank = valid_affiliations[affiliation or "none"]; if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank) - or (self:get_whois() == "anyone") then + or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); for jid in self:each_affiliation(_aff or "none") do local nick = self:get_registered_nick(jid); |