prevent unauthorized entity to gain none-affiliation for given entity

SVN Revision: 1802

diff --git a/ChangeLog b/ChangeLog
index 7ff49b0860bbe13d9efe027cbb286d0666f4f586..c0b59c9f9f784153b365645510da252801318725 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
        permissions (thanks to Andy Skelton)(EJAB-840)
        * src/mod_pubsub/node_default.erl: Likewise
 
+       * src/mod_pubsub/node_default.erl: prevent unauthorized entity to gain
+       none-affiliation for given entity (EJAB-840)
+
 2009-01-10  Christophe Romain <christophe.romain@process-one.net>
 
        * src/mod_pubsub/node_default.erl: fix unsubscription of full jid

diff --git a/src/mod_pubsub/node_default.erl b/src/mod_pubsub/node_default.erl
index a92c49aa881ef3effa8835e3ae4b5cc95e4cfe2f..e1d4fd6eafdaaee8ca0adce29a7311b432a5237b 100644 (file)
--- a/src/mod_pubsub/node_default.erl
+++ b/src/mod_pubsub/node_default.erl
@@ -356,6 +356,9 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
        _ -> get_state(Host, Node, SubKey)
        end,
     if
+       %% Requesting entity is prohibited from unsubscribing entity
+       not Authorized ->
+           {error, ?ERR_FORBIDDEN};
        %% Entity did not specify SubID
        %%SubID == "", ?? ->
        %%      {error, ?ERR_EXTENDED(?ERR_BAD_REQUEST, "subid-required")};
@@ -365,9 +368,6 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
        %% Requesting entity is not a subscriber
        SubState#pubsub_state.subscription == none ->
            {error, ?ERR_EXTENDED(?ERR_UNEXPECTED_REQUEST, "not-subscribed")};
-       %% Requesting entity is prohibited from unsubscribing entity
-       not Authorized ->
-           {error, ?ERR_FORBIDDEN};
        %% Was just subscriber, remove the record
        SubState#pubsub_state.affiliation == none ->
            del_state(SubState#pubsub_state.stateid),