diff --git a/ChangeLog b/ChangeLog index 7ff49b086..c0b59c9f9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ permissions (thanks to Andy Skelton)(EJAB-840) * src/mod_pubsub/node_default.erl: Likewise + * src/mod_pubsub/node_default.erl: prevent unauthorized entity to gain + none-affiliation for given entity (EJAB-840) + 2009-01-10 Christophe Romain * src/mod_pubsub/node_default.erl: fix unsubscription of full jid diff --git a/src/mod_pubsub/node_default.erl b/src/mod_pubsub/node_default.erl index a92c49aa8..e1d4fd6ea 100644 --- a/src/mod_pubsub/node_default.erl +++ b/src/mod_pubsub/node_default.erl @@ -356,6 +356,9 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) -> _ -> get_state(Host, Node, SubKey) end, if + %% Requesting entity is prohibited from unsubscribing entity + not Authorized -> + {error, ?ERR_FORBIDDEN}; %% Entity did not specify SubID %%SubID == "", ?? -> %% {error, ?ERR_EXTENDED(?ERR_BAD_REQUEST, "subid-required")}; @@ -365,9 +368,6 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) -> %% Requesting entity is not a subscriber SubState#pubsub_state.subscription == none -> {error, ?ERR_EXTENDED(?ERR_UNEXPECTED_REQUEST, "not-subscribed")}; - %% Requesting entity is prohibited from unsubscribing entity - not Authorized -> - {error, ?ERR_FORBIDDEN}; %% Was just subscriber, remove the record SubState#pubsub_state.affiliation == none -> del_state(SubState#pubsub_state.stateid),
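Review bot: The new first clause `not Authorized ->` in unsubscribe_node fails open if `Authorized` is ever not a boolean, because a `not` that errors inside an `if` guard only makes that clause not match and evaluation falls through to the subscription and affiliation clauses below. `Authorized` is bound outside this hunk, so I cannot confirm it is always `true` or `false`; writing the clause as `Authorized =/= true ->` would deny in every other case. The fix also depends on this clause staying ahead of the `not-subscribed` branch and the `affiliation == none` branch that calls `del_state`, so the comment could say so, e.g. `%% Must stay first: later clauses report or delete the Subscriber's state`. unsubscribe_node's body starts and ends outside the hunk.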