prevent unauthorized entity to gain none-affiliation for given entity

SVN Revision: 1801
2009-01-11 04:07:39 +00:00 · 2009-01-11 04:07:39 +00:00 · be99c4b0eb
parent da893f4293
commit be99c4b0eb
2 changed files with 6 additions and 3 deletions
--- a/3
+++ b/3
@ -4,6 +4,9 @@
 	permissions (thanks to Andy Skelton)(EJAB-840)
 	* src/mod_pubsub/node_default.erl: Likewise

+	* src/mod_pubsub/node_default.erl: prevent unauthorized entity to gain
+	none-affiliation for given entity (EJAB-840)
+
 2009-01-10  Christophe Romain <christophe.romain@process-one.net>

 	* src/mod_pubsub/node_default.erl: fix unsubscription of full jid
--- a/src/mod_pubsub/node_default.erl
+++ b/src/mod_pubsub/node_default.erl
@ -364,6 +364,9 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
 	    SenderState#pubsub_state.affiliation == owner
 	end,
    if
+	%% Requesting entity is prohibited from unsubscribing entity
+	not Authorized ->
+	    {error, ?ERR_FORBIDDEN};
 	%% Entity did not specify SubID
 	%%SubID == "", ?? ->
 	%%	{error, ?ERR_EXTENDED(?ERR_BAD_REQUEST, "subid-required")};
@ -373,9 +376,6 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
 	%% Requesting entity is not a subscriber
 	SubState#pubsub_state.subscription == none ->
 	    {error, ?ERR_EXTENDED(?ERR_UNEXPECTED_REQUEST, "not-subscribed")};
-	%% Requesting entity is prohibited from unsubscribing entity
-	not Authorized ->
-	    {error, ?ERR_FORBIDDEN};
 	%% Was just subscriber, remove the record
 	SubState#pubsub_state.affiliation == none ->
 	    del_state(SubState#pubsub_state.stateid),