OF-2631: Enforce pubsub node access model

When items on a pubsub leaf node are processed, ensure that the access model of the node itself (and not just its collection) are taken into account.
igniterealtime · Nov 1, 2024 · 898314f · 898314f
1 parent 048d479
commit 898314f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
@@ -850,6 +850,8 @@ public void run() {
                             item.getSubStatus() == RosterItem.SUB_TO)) {
                         PEPService pepService = pepServiceManager.getPEPService(item.getJid().asBareJID());
                         if (pepService != null) {
+                            pepService.getRootCollectionNode().getSubscriptions(availableSessionJID)
+                            pepService.getRootCollectionNode().getAccessModel().canAccessItems(pepService.getRootCollectionNode(), availableSessionJID, availableSessionJID);
                             pepService.sendLastPublishedItems(availableSessionJID);
                         }
                     }

diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
@@ -41,7 +41,7 @@
  * A subscription to a node. Entities may subscribe to a node to be notified when new events
  * are published to the node. Published events may contain a {@link PublishedItem}. Only
  * nodes that are configured to not deliver payloads with event notifications and to not
- * persist items will let publishers to publish events without items thus not including
+ * persist items will let publishers publish events without items thus not including
  * items in the notifications sent to subscribers.<p>
  *
  * Node subscriptions may need to be configured by the subscriber or approved by a node owner
@@ -648,6 +648,9 @@ public boolean canSendPublicationEvent(LeafNode leafNode, PublishedItem publishe
                 return false;
             }
         }
+        if (!leafNode.getAccessModel().canAccessItems(leafNode, this.owner, this.getJID())) {
+            return false;
+        }
 
         Log.trace("Can send publication node event.");
         return true;
@@ -688,6 +691,10 @@ boolean canSendChildNodeEvent(Node originatingNode) {
             return false;
         }
 
+        if (!originatingNode.getAccessModel().canAccessItems(originatingNode, this.owner, this.getJID())) {
+            return false;
+        }
+
         Log.trace("Can send child node event.");
         return true;
     }