From 3754ba98f35852579e4eca511f5aa4f41bfbde09 Mon Sep 17 00:00:00 2001
From: Guus der Kinderen
Date: Tue, 25 Jul 2023 10:34:48 +0200
Subject: [PATCH] OF-2631: Enforce pubsub node access model

When items on a pubsub leaf node are processed, ensure that the access model of the node itself (and not just its collection) are taken into account.
---
 .../org/jivesoftware/openfire/pep/IQPEPHandler.java | 2 ++
 .../openfire/pubsub/NodeSubscription.java | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
index b541830724..ca54604ac4 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
@@ -840,6 +840,8 @@ public void run() {
 item.getSubStatus() == RosterItem.SUB_TO)) {
 PEPService pepService = pepServiceManager.getPEPService(item.getJid().asBareJID());
 if (pepService != null) {
+ pepService.getRootCollectionNode().getSubscriptions(availableSessionJID)
+ pepService.getRootCollectionNode().getAccessModel().canAccessItems(pepService.getRootCollectionNode(), availableSessionJID, availableSessionJID);
 pepService.sendLastPublishedItems(availableSessionJID);
 }
 }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
index 8189bd2475..b7881cfe93 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
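Review bot: In IQPEPHandler.java the two lines added ahead of `pepService.sendLastPublishedItems(availableSessionJID);` do not gate anything: the `getSubscriptions(availableSessionJID)` line has no terminating semicolon as shown, and the boolean returned by `canAccessItems(...)` is discarded, so the last published items are still sent whatever the root collection node's access model says. If a check is intended at this point, its result has to guard the send, e.g. `if (root.getAccessModel().canAccessItems(root, availableSessionJID, availableSessionJID)) { pepService.sendLastPublishedItems(availableSessionJID); }` with `root` being `pepService.getRootCollectionNode()`; if the new checks in NodeSubscription are meant to cover this path, both lines should be dropped instead. The same JID is passed as both owner and subscriber here, whereas NodeSubscription passes `this.owner` and `this.getJID()`, so that argument choice needs confirming against the `canAccessItems` contract. The enclosing `run()` starts and ends outside the hunk.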
@@ -40,7 +40,7 @@
 * A subscription to a node. Entities may subscribe to a node to be notified when new events
 * are published to the node. Published events may contain a {@link PublishedItem}. Only
 * nodes that are configured to not deliver payloads with event notifications and to not
- * persist items will let publishers to publish events without items thus not including
+ * persist items will let publishers publish events without items thus not including
 * items in the notifications sent to subscribers.

*
 * Node subscriptions may need to be configured by the subscriber or approved by a node owner
@@ -596,7 +596,7 @@ public DataForm getConfigurationForm(Locale preferredLocale) {
 /**
 * Returns true if an event notification can be sent to the subscriber for the specified
- * published item based on the subsription configuration and subscriber status.
+ * published item based on the subscription configuration and subscriber status.
 *
 * @param leafNode the node that received the publication.
 * @param publishedItem the published item to send or null if the publication didn't
@@ -627,6 +627,9 @@ public boolean canSendPublicationEvent(LeafNode leafNode, PublishedItem publishe
 return false;
 }
 }
+ if (!leafNode.getAccessModel().canAccessItems(leafNode, this.owner, this.getJID())) {
+ return false;
+ }
 return true;
 }
@@ -660,6 +663,11 @@ boolean canSendChildNodeEvent(Node originatingNode) {
 if (getDepth() == 0 && !node.isDescendantNode(originatingNode)) {
 return false;
 }
+
+ if (!originatingNode.getAccessModel().canAccessItems(originatingNode, this.owner, this.getJID())) {
+ return false;
+ }
+
 return true;
 }
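Review bot: The Javadoc of `canSendPublicationEvent` still describes the decision as based on "the subscription configuration and subscriber status", while the check added at the end of the method also consults the leaf node's access model; the summary should mention that, and the check deserves a why-comment such as `// A subscription alone does not grant access: re-check this node's own access model before delivering.` The identical guard is added to `canSendChildNodeEvent` in the following hunk, so a small private helper taking the node would keep the two from drifting apart, and each `if (!…) { return false; } return true;` tail could then return the helper's result directly. The diffstat lists only the two source files, so a regression test for a subscriber who is denied by the leaf node's access model would be worth adding alongside this access-control fix. Both method bodies begin outside their hunks.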