# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1626967119 -7200
# Node ID d117b92fd8e459170a98a8dece7f3930f4b6aed7
# Parent  aa119de5f6c72a066f6ccb541f21352c38c9cd15
MUC: Fix logic for access to affiliation lists

Fixes https://prosody.im/security/advisory_20210722/

Backs out 4d7b925652d9

diff -r aa119de5f6c7 -r d117b92fd8e4 plugins/muc/muc.lib.lua
--- a/plugins/muc/muc.lib.lua	Sat Jul 03 03:27:57 2021 +0200
+++ b/plugins/muc/muc.lib.lua	Thu Jul 22 17:18:39 2021 +0200
@@ -976,7 +976,7 @@
 		-- e.g. an admin can't ask for a list of owners
 		local affiliation_rank = valid_affiliations[affiliation or "none"];
 		if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
-		or (self:get_whois() == "anyone") then
+		or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
 			local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
 			for jid in self:each_affiliation(_aff or "none") do
 				local nick = self:get_registered_nick(jid);
diff -r aa119de5f6c7 -r d117b92fd8e4 spec/scansion/muc_whois_anyone_member.scs
--- a/spec/scansion/muc_whois_anyone_member.scs	Sat Jul 03 03:27:57 2021 +0200
+++ b/spec/scansion/muc_whois_anyone_member.scs	Thu Jul 22 17:18:39 2021 +0200
@@ -1,101 +1,127 @@
 # MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms
 
 [Client] Romeo
-	jid: romeo@localhost/MsliYo9C
+	jid: 4e2pm7er@localhost
 	password: password
 
 [Client] Juliet
-	jid: juliet@localhost/vJrUtY4Z
+	jid: qnjm5253@localhost
+	password: password
+
+[Client] Random
+	jid: iqizbcus@localhost
 	password: password
 
 -----
 
 Romeo connects
 
+Juliet connects
+
+Random connects
+
+# Romeo joins and creates the MUC
 Romeo sends:
-	<presence to='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc'/>
+	<presence to="mcgczevx@conference.localhost/Romeo">
+		<x xmlns="http://jabber.org/protocol/muc"/>
 	</presence>
 
 Romeo receives:
-	<presence from='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='201'/>
-	<item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-	<status code='110'/>
-	</x>
+	<presence from="mcgczevx@conference.localhost/Romeo">
+		<x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+			<item affiliation="owner" jid="${Romeo's full JID}" role="moderator"/>
+			<status code="110"/>
+			<status code="201"/>
+		</x>
 	</presence>
 
 Romeo receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<subject/>
+	<message from="mcgczevx@conference.localhost" type="groupchat">
+		<subject/>
 	</message>
 
+# and configures it for private chat
 Romeo sends:
-	<iq id='lx3' type='set' to='issue1230@conference.localhost'>
-	<query xmlns='http://jabber.org/protocol/muc#owner'>
-	<x type='submit' xmlns='jabber:x:data'>
-	<field var='FORM_TYPE'>
-	<value>http://jabber.org/protocol/muc#roomconfig</value>
-	</field>
-	<field var='muc#roomconfig_whois'>
-	<value>anyone</value>
-	</field>
-	</x>
-	</query>
+	<iq type="set" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#owner">
+			<x type="submit" xmlns="jabber:x:data">
+				<field var="FORM_TYPE">
+					<value>http://jabber.org/protocol/muc#roomconfig</value>
+				</field>
+				<field var="muc#roomconfig_membersonly">
+					<value>1</value>
+				</field>
+				<field var="muc#roomconfig_whois">
+					<value>anyone</value>
+				</field>
+			</x>
+		</query>
 	</iq>
 
 Romeo receives:
-	<iq from='issue1230@conference.localhost' type='result' id='lx3'/>
+	<iq from="mcgczevx@conference.localhost" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" type="result"/>
 
 Romeo receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='172'/>
-	</x>
+	<message from="mcgczevx@conference.localhost" type="groupchat">
+		<x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+			<status code="104"/>
+			<status code="172"/>
+		</x>
 	</message>
 
-Juliet connects
-
-Juliet sends:
-	<presence to='issue1230@conference.localhost/juliet'>
-	<x xmlns='http://jabber.org/protocol/muc'/>
-	</presence>
-
-Juliet receives:
-	<presence from='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-	</x>
-	</presence>
+# Juliet is made a member
+Romeo sends:
+	<iq type="set" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member" jid="${Juliet's JID}"/>
+		</query>
+	</iq>
 
-Juliet receives:
-	<presence from='issue1230@conference.localhost/juliet'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='100'/>
-	<item jid="${Juliet's JID}" role='participant' affiliation='none'/>
-	<status code='110'/>
-	</x>
-	</presence>
-
-Juliet receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<subject/>
-	</message>
-
+# Juliet can read affiliations
 Juliet sends:
-	<iq id='lx2' type='get' to='issue1230@conference.localhost'>
-	<query xmlns='http://jabber.org/protocol/muc#admin'>
-	<item affiliation='member'/>
-	</query>
+	<iq type="get" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner"/>
+		</query>
 	</iq>
 
 Juliet receives:
-	<iq from='issue1230@conference.localhost' type='result' id='lx2'>
-	<query xmlns='http://jabber.org/protocol/muc#admin'/>
+	<iq from="mcgczevx@conference.localhost" id="32d81574-e1dc-4221-b36d-4c44debb7c19" type="result">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner" jid="${Romeo's JID}"/>
+		</query>
+	</iq>
+
+Juliet sends:
+	<iq type="get" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member"/>
+		</query>
 	</iq>
 
+Juliet receives:
+	<iq from="mcgczevx@conference.localhost" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" type="result">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member" jid="${Juliet's JID}"/>
+		</query>
+	</iq>
+
+# Others can't read affiliations
+Random sends:
+	<iq type="get" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner"/>
+		</query>
+	</iq>
+
+Random receives:
+	<iq from="mcgczevx@conference.localhost" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" type="error"/>
+
+
 Juliet disconnects
 
 Romeo disconnects
 
+Random disconnects
+
+# recording ended on 2021-07-23T12:09:48Z