--- a/plugins/muc/muc.lib.lua Fri Sep 26 17:34:02 2014 -0400
+++ b/plugins/muc/muc.lib.lua Fri Sep 26 17:43:00 2014 -0400
@@ -734,9 +734,13 @@
local affiliation = self:get_affiliation(actor);
local item = stanza.tags[1].tags[1];
local _aff = item.attr.affiliation;
+ local _aff_rank = valid_affiliations[_aff or "none"];
local _rol = item.attr.role;
- if _aff and not _rol then
- if affiliation == "owner" or (affiliation == "admin" and _aff ~= "owner" and _aff ~= "admin") then
+ if _aff and _aff_rank and not _rol then
+ -- You need to be at least an admin, and be requesting info about your affifiliation or lower
+ -- e.g. an admin can't ask for a list of owners
+ local affiliation_rank = valid_affiliations[affiliation];
+ if affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank then
local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
for jid, affiliation in pairs(self._affiliations) do
if affiliation == _aff then
@@ -749,7 +753,7 @@
origin.send(st.error_reply(stanza, "auth", "forbidden"));
return true;
end
- elseif _rol and not _aff then
+ elseif _rol and valid_roles[_rol or "none"] and not _aff then
local role = self:get_role(self:get_occupant_jid(actor)) or self:get_default_role(affiliation);
if valid_roles[role or "none"] >= valid_roles.moderator then
if _rol == "none" then _rol = nil; end