From 00735e47597c877f16bdbcd57a7746568e881c99 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 22 Jul 2021 17:18:39 +0200 Subject: MUC: Fix logic for access to affiliation lists Fixes https://prosody.im/security/advisory_20210722/ Backs out 4d7b925652d9 --- plugins/muc/muc.lib.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua index 037baa37..f037c4f6 100644 --- a/plugins/muc/muc.lib.lua +++ b/plugins/muc/muc.lib.lua @@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza) -- e.g. an admin can't ask for a list of owners local affiliation_rank = valid_affiliations[affiliation or "none"]; if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank) - or (self:get_whois() == "anyone") then + or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin"); for jid in self:each_affiliation(_aff or "none") do local nick = self:get_registered_nick(jid); -- cgit v1.2.3