Before forwarding last activity requests to a user, check that the user's presence is visible for From
According to XEP-0012, 4. Online User Query, "if the requesting entity is not authorized to view the user's presence information (normally via a presence subscription as defined in XMPP IM), the user's server MUST NOT deliver the IQ-get to an available resource but instead MUST return a <forbidden/> error in response to the last activity request." So check whether the requester's full JID or bare JID has a subscription of type "from", and whether outgoing presence to From is allowed. Fixes problem 3 of EJAB-1158.
parent
080922a3de
commit
510fd8cf73
@ -1246,6 +1246,24 @@ handle_info({route, From, To, Packet}, StateName, StateData) ->
|
|||||||
"iq" ->
|
"iq" ->
|
||||||
IQ = jlib:iq_query_info(Packet),
|
IQ = jlib:iq_query_info(Packet),
|
||||||
case IQ of
|
case IQ of
|
||||||
|
#iq{xmlns = ?NS_LAST} ->
|
||||||
|
LFrom = jlib:jid_tolower(From),
|
||||||
|
LBFrom = jlib:jid_remove_resource(LFrom),
|
||||||
|
HasFromSub = (?SETS:is_element(LFrom, StateData#state.pres_f) orelse ?SETS:is_element(LBFrom, StateData#state.pres_f))
|
||||||
|
andalso is_privacy_allow(StateData, To, From, {xmlelement, "presence", [], []}, out),
|
||||||
|
case HasFromSub of
|
||||||
|
true ->
|
||||||
|
case privacy_check_packet(StateData, From, To, Packet, in) of
|
||||||
|
allow ->
|
||||||
|
{true, Attrs, StateData};
|
||||||
|
deny ->
|
||||||
|
{false, Attrs, StateData}
|
||||||
|
end;
|
||||||
|
_ ->
|
||||||
|
Err = jlib:make_error_reply(Packet, ?ERR_FORBIDDEN),
|
||||||
|
ejabberd_router:route(To, From, Err),
|
||||||
|
{false, Attrs, StateData}
|
||||||
|
end;
|
||||||
IQ when (is_record(IQ, iq)) or (IQ == reply) ->
|
IQ when (is_record(IQ, iq)) or (IQ == reply) ->
|
||||||
case privacy_check_packet(StateData, From, To, Packet, in) of
|
case privacy_check_packet(StateData, From, To, Packet, in) of
|
||||||
allow ->
|
allow ->
|
||||||
|
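Review bot: The `deny ->` branch inside the new `#iq{xmlns = ?NS_LAST}` clause returns `{false, Attrs, StateData}` without routing any error, so a subscribed requester whose query is blocked by the inbound privacy check gets no reply at all, while an unsubscribed one gets `<forbidden/>`. Besides leaving an IQ request unanswered, the two outcomes are distinguishable to the requester, which reveals whether a privacy rule rather than a missing subscription stopped the query. I would answer in that branch as well, for example `Err = jlib:make_error_reply(Packet, ?ERR_SERVICE_UNAVAILABLE), ejabberd_router:route(To, From, Err),` before the tuple, assuming `jlib:iq_query_info/1` only yields an `#iq{}` for get/set requests (not visible here). The `deny` branch of the generic `IQ when ...` clause lies outside this hunk, so I cannot confirm what it sends; the two should behave the same, and sharing one helper for the privacy check would avoid the duplicated `case`. The enclosing `handle_info/3` clause starts and ends outside the hunk.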