prevent unauthorized entity to gain none-affiliation for given entity
authorChristophe Romain <christophe.romain@process-one.net>
Sun, 11 Jan 2009 04:07:39 +0000 (04:07 +0000)
committerChristophe Romain <christophe.romain@process-one.net>
Sun, 11 Jan 2009 04:07:39 +0000 (04:07 +0000)
SVN Revision: 1801

ChangeLog
src/mod_pubsub/node_default.erl

index b23db51fb45f614ec40236f26d197e2097087339..dec18ef0c133fced6aee3ce989fe20c0511e6def 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
        permissions (thanks to Andy Skelton)(EJAB-840)
        * src/mod_pubsub/node_default.erl: Likewise
 
+       * src/mod_pubsub/node_default.erl: prevent unauthorized entity to gain
+       none-affiliation for given entity (EJAB-840)
+
 2009-01-10  Christophe Romain <christophe.romain@process-one.net>
 
        * src/mod_pubsub/node_default.erl: fix unsubscription of full jid
index 87b97dec3267b052239bb96bdf387e836162f1aa..b025627a306051644967e84e99a2805bef9b55e1 100644 (file)
@@ -364,6 +364,9 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
            SenderState#pubsub_state.affiliation == owner
        end,
     if
+       %% Requesting entity is prohibited from unsubscribing entity
+       not Authorized ->
+           {error, ?ERR_FORBIDDEN};
        %% Entity did not specify SubID
        %%SubID == "", ?? ->
        %%      {error, ?ERR_EXTENDED(?ERR_BAD_REQUEST, "subid-required")};
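Review bot: The `not Authorized` clause now sits first in the `if`, but its comment does not say that this position is what enforces the check. `if` takes the first true guard, so a later reorder would silently bring back the old behaviour, where the `not-subscribed` clause answered before `forbidden` and so (as far as the visible lines show) told an unauthorized sender whether the target was subscribed. I would extend the comment to something like `%% Must remain the first clause: authorization is checked before any clause that inspects or deletes SubState`. A regression test that an unrelated sender gets `?ERR_FORBIDDEN` for both a subscribed and a non-subscribed target would pin the ordering. The `if` expression and the computation of `Authorized` both extend outside this hunk, so the exact authorization rule is not reviewable from here.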
@@ -373,9 +376,6 @@ unsubscribe_node(Host, Node, Sender, Subscriber, _SubId) ->
        %% Requesting entity is not a subscriber
        SubState#pubsub_state.subscription == none ->
            {error, ?ERR_EXTENDED(?ERR_UNEXPECTED_REQUEST, "not-subscribed")};
-       %% Requesting entity is prohibited from unsubscribing entity
-       not Authorized ->
-           {error, ?ERR_FORBIDDEN};
        %% Was just subscriber, remove the record
        SubState#pubsub_state.affiliation == none ->
            del_state(SubState#pubsub_state.stateid),