diff --git a/ChangeLog b/ChangeLog
index b64bd1f6d..907eda035 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2009-02-21 Badlop
 
+ * src/mod_muc/mod_muc_room.erl: Owner of a password protected room
+ must provide the password, like other participants (EJAB-867)
+
 * src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by linkifying
 only a few known protocols (EJAB-850)
 
diff --git a/src/mod_muc/mod_muc_room.erl b/src/mod_muc/mod_muc_room.erl
index 458edaa4f..b32ed4c08 100644
--- a/src/mod_muc/mod_muc_room.erl
+++ b/src/mod_muc/mod_muc_room.erl
@@ -1461,7 +1461,7 @@ add_new_user(From, Nick, {xmlelement, _, Attrs, Els} = Packet, StateData) ->
 From, Err),
 StateData;
 {_, _, _, Role} ->
- case check_password(Affiliation, Els, StateData) of
+ case check_password(ServiceAffiliation, Els, StateData) of
 true ->
 NewState =
 add_user_presence(
@@ -1518,8 +1518,9 @@ add_new_user(From, Nick, {xmlelement, _, Attrs, Els} = Packet, StateData) ->
 end.
 
 check_password(owner, _Els, _StateData) ->
+ %% Don't check pass if user is owner in MUC service (access_admin option)
 true;
-check_password(_Affiliation, Els, StateData) ->
+check_password(_ServiceAffiliation, Els, StateData) ->
 case (StateData#state.config)#config.password_protected of
 false ->
 true;
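Review bot: The first clause `check_password(owner, _Els, _StateData)` still matches the bare atom `owner`, which is also the value a room-level affiliation can take, so nothing in the function head stops a later caller from passing the room affiliation and bringing back the password skip this commit removes. The new comment sits inside the clause; I would state the contract above the function instead, e.g. `%% First argument is the affiliation in the MUC *service* (access_admin), never the affiliation in the room.` The call in add_new_user (the `@@ -1461,7` hunk) is the only caller visible here, and the binding of `ServiceAffiliation` is outside that hunk, so both the binding and any other call sites should be checked for the same mix-up. The second clause's body continues past the end of this hunk, so the password comparison itself is not covered by this note.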