OF-2631: Enforce pubsub node access model

When items on a pubsub leaf node are processed, ensure that the access model of the node itself (and not just its collection) are taken into account.
igniterealtime · Sep 4, 2023 · 3754ba9 · 3754ba9
1 parent 01111d8
commit 3754ba9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
@@ -840,6 +840,8 @@ public void run() {
                             item.getSubStatus() == RosterItem.SUB_TO)) {
                         PEPService pepService = pepServiceManager.getPEPService(item.getJid().asBareJID());
                         if (pepService != null) {
+                            pepService.getRootCollectionNode().getSubscriptions(availableSessionJID)
+                            pepService.getRootCollectionNode().getAccessModel().canAccessItems(pepService.getRootCollectionNode(), availableSessionJID, availableSessionJID);
                             pepService.sendLastPublishedItems(availableSessionJID);
                         }
                     }

diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
@@ -40,7 +40,7 @@
  * A subscription to a node. Entities may subscribe to a node to be notified when new events
  * are published to the node. Published events may contain a {@link PublishedItem}. Only
  * nodes that are configured to not deliver payloads with event notifications and to not
- * persist items will let publishers to publish events without items thus not including
+ * persist items will let publishers publish events without items thus not including
  * items in the notifications sent to subscribers.<p>
  *
  * Node subscriptions may need to be configured by the subscriber or approved by a node owner
@@ -596,7 +596,7 @@ public DataForm getConfigurationForm(Locale preferredLocale) {
 
     /**
      * Returns true if an event notification can be sent to the subscriber for the specified
-     * published item based on the subsription configuration and subscriber status.
+     * published item based on the subscription configuration and subscriber status.
      *
      * @param leafNode the node that received the publication.
      * @param publishedItem the published item to send or null if the publication didn't
@@ -627,6 +627,9 @@ public boolean canSendPublicationEvent(LeafNode leafNode, PublishedItem publishe
                 return false;
             }
         }
+        if (!leafNode.getAccessModel().canAccessItems(leafNode, this.owner, this.getJID())) {
+            return false;
+        }
         return true;
     }
 
@@ -660,6 +663,11 @@ boolean canSendChildNodeEvent(Node originatingNode) {
         if (getDepth() == 0 && !node.isDescendantNode(originatingNode)) {
             return false;
         }
+
+        if (!originatingNode.getAccessModel().canAccessItems(originatingNode, this.owner, this.getJID())) {
+            return false;
+        }
+
         return true;
     }