diff --git a/ChangeLog b/ChangeLog
index b23db51fb..dec18ef0c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@ permissions (thanks to Andy Skelton)(EJAB-840) * src/mod_pubsub/node_default.erl: Likewise + * src/mod_pubsub/node_default.erl: prevent unauthorized entity to gain + none-affiliation for given entity (EJAB-840) + 2009-01-10 Christophe Romain * src/mod_pubsub/node_default.erl: fix unsubscription of full jid
diff --git a/src/mod_pubsub/node_default.erl b/src/mod_pubsub/node_default.erl
index 87b97dec3..b025627a3 100644
--- a/src/mod_pubsub/node_default.erl
+++ b/src/mod_pubsub/node_default.erl
@@ -364,6 +364,9 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
 SenderState#pubsub_state.affiliation == owner
 end,
 if
+ %% Requesting entity is prohibited from unsubscribing entity
+ not Authorized ->
+ {error, ?ERR_FORBIDDEN};
 %% Entity did not specify SubID
 %%SubID == "", ?? ->
 %% {error, ?ERR_EXTENDED(?ERR_BAD_REQUEST, "subid-required")};
@@ -373,9 +376,6 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
 %% Requesting entity is not a subscriber
 SubState#pubsub_state.subscription == none ->
 {error, ?ERR_EXTENDED(?ERR_UNEXPECTED_REQUEST, "not-subscribed")};
- %% Requesting entity is prohibited from unsubscribing entity
- not Authorized ->
- {error, ?ERR_FORBIDDEN};
 %% Was just subscriber, remove the record
 SubState#pubsub_state.affiliation == none ->
 del_state(SubState#pubsub_state.stateid),
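Review bot: The comment on the moved `not Authorized` branch should record why it has to stay the first branch of the `if`: the second hunk shows it previously sat after the `subscription == none` branch, so an unauthorized sender got `not-subscribed` for an entity without a subscription and `forbidden` for one with a subscription, which is an oracle on any entity's subscription state. Suggest `%% Requesting entity is prohibited from unsubscribing entity. Keep this the first branch: answering not-subscribed before the authorization check lets an unauthorized sender probe another entity's subscription state.` SubState is already bound before this guard runs (above the hunk), so if that lookup creates or persists a default state record for Subscriber, reordering the branches does not prevent it — worth confirming against the lookup helper. The `subid-required` branch is still commented out and `_SubId` is ignored, so a subscriber holding several subscriptions cannot choose which one is removed; that is pre-existing but adjacent to this change. unsubscribe_node begins and ends outside the hunk.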