From 4703ad42a88393fa71b12fc8929eabd28da60d31 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 17 Sep 2021 16:28:07 +0200
Subject: MUC: Reject full JID in affiliation queries

XEP-0045 states:
> Affiliations are granted, revoked, and maintained based on the user's
> bare JID, not the nick as with roles.

Therefore inclusion of a full JID in affiliation queries is invalid.

Thanks to Ge0rG and Poezio for discovering this issue.
---
 plugins/muc/muc.lib.lua | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'plugins/muc')

diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
index f4d06529..556363ba 100644
--- a/plugins/muc/muc.lib.lua
+++ b/plugins/muc/muc.lib.lua
@@ -1050,6 +1050,9 @@ function room_mt:handle_admin_query_set_command(origin, stanza)
 		if not item.attr.jid then
 			origin.send(st.error_reply(stanza, "modify", "jid-malformed"));
 			return true;
+		elseif jid_resource(item.attr.jid) then
+			origin.send(st.error_reply(stanza, "modify", "jid-malformed", "Bare JID expected, got full JID"));
+			return true;
 		end
 	end
 	if item.attr.nick then -- Validate provided nick
-- 
cgit v1.2.3