From 898314ff1f2a03dc9f25364a44524e1045e6f8f4 Mon Sep 17 00:00:00 2001 From: Guus der Kinderen Date: Tue, 25 Jul 2023 10:34:48 +0200 Subject: [PATCH] OF-2631: Enforce pubsub node access model When items on a pubsub leaf node are processed, ensure that the access model of the node itself (and not just its collection) are taken into account. --- .../java/org/jivesoftware/openfire/pep/IQPEPHandler.java | 2 ++ .../jivesoftware/openfire/pubsub/NodeSubscription.java | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
index 79077160d0..78a4175e9c 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/pep/IQPEPHandler.java
@@ -850,6 +850,8 @@ public void run() {
 item.getSubStatus() == RosterItem.SUB_TO)) {
 PEPService pepService = pepServiceManager.getPEPService(item.getJid().asBareJID());
 if (pepService != null) {
+ pepService.getRootCollectionNode().getSubscriptions(availableSessionJID)
+ pepService.getRootCollectionNode().getAccessModel().canAccessItems(pepService.getRootCollectionNode(), availableSessionJID, availableSessionJID);
 pepService.sendLastPublishedItems(availableSessionJID);
 }
 }
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
index a0b218a016..62f0ffc3d5 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/pubsub/NodeSubscription.java
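Review bot: In the IQPEPHandler.java hunk the two added statements do not gate anything: the boolean from `canAccessItems(...)` is discarded, the `getSubscriptions(availableSessionJID)` result is unused, and `pepService.sendLastPublishedItems(availableSessionJID)` still runs unconditionally. As shown, the first added line also has no terminating `;`, which would not compile unless the character was lost in extraction. These look like leftover debugging; either drop them or make the send conditional, for example `if (pepService != null && pepService.getRootCollectionNode().getAccessModel().canAccessItems(pepService.getRootCollectionNode(), availableSessionJID, availableSessionJID)) {`. Whether `sendLastPublishedItems` already passes through the new `NodeSubscription` checks is not visible here, and `run()` starts and ends outside the hunk.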
@@ -41,7 +41,7 @@
 * A subscription to a node. Entities may subscribe to a node to be notified when new events
 * are published to the node. Published events may contain a {@link PublishedItem}. Only
 * nodes that are configured to not deliver payloads with event notifications and to not
- * persist items will let publishers to publish events without items thus not including
+ * persist items will let publishers publish events without items thus not including
 * items in the notifications sent to subscribers.

* * Node subscriptions may need to be configured by the subscriber or approved by a node owner @@ -648,6 +648,9 @@ public boolean canSendPublicationEvent(LeafNode leafNode, PublishedItem publishe return false; } } + if (!leafNode.getAccessModel().canAccessItems(leafNode, this.owner, this.getJID())) { + return false; + } Log.trace("Can send publication node event."); return true; @@ -688,6 +691,10 @@ boolean canSendChildNodeEvent(Node originatingNode) { return false; } + if (!originatingNode.getAccessModel().canAccessItems(originatingNode, this.owner, this.getJID())) { + return false; + } + Log.trace("Can send child node event."); return true; }
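Review bot: The access-model check added to `canSendPublicationEvent` (and again in the `canSendChildNodeEvent` hunk after it) returns `false` without any trace output, while the success path logs `Can send publication node event.`; a subscriber silently dropped by the access model will be hard to diagnose. Add a line such as `Log.trace("Access model of the node denies item access; not sending event.");` before each new `return false;`, plus a comment like `// A subscription alone does not prove access: re-check the node's own access model at delivery time.` The same three lines now appear in both methods, so a small private helper taking the node would keep the two checks from drifting apart. The check also mixes the field `this.owner` with the accessor `this.getJID()`; using an accessor for both would read more consistently if one exists for the owner. Both method bodies start outside their hunks.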