Robert Norris writes:

> - Suitable access controls are required. Obviously, it won't do to
>   allow anyone to change anyone else's roster. One thought we had is to
>   restrict operations based on the transport JID (domain) - i.e., the
>   transport can only set roster items of its own users, and when a
>   roster is retrieved, it only receives items for its own users.
>   This may not be a good idea, however, as not all servers are
>   transports - do I really want a remote (Jabber) server to be able to
>   modify the contacts on my roster for its own users?
Even if you allowed transports to do this, there should probably be an
access-control check. I can't think of a good (secure) way to do that
such that I can be a user on server A, and access a transport running
on server B.

Aside from the S2S thing, you could get there with today's servers by
having the transport start a session on behalf of the user, retrieve
the roster, and then do roster sets/presence subscribes. The roster
pushes would then happen automatically to other sessions.

-- 
Joe Hildebrand

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
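The domain-based rule quoted above (a transport may only set, and only see, roster items for JIDs in its own domain) is simple enough to show as code. The following is an added illustration, not code from the thread or from any Jabber server; the function names, the sample stanzas and the JIDs in them are constructed for the example. It checks a `jabber:iq:roster` set against the authenticated identity of the component (not the stanza's `from` attribute, which a misbehaving peer controls), and filters a stored roster down to what a given transport is allowed to receive on a get.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"

# Constructed sample: a roster set as a transport for icq.example.org might
# send it. The second item targets a JID outside the transport's domain and
# must be rejected under the domain rule. (Real stanzas also carry the
# stream namespace on <iq>; the fragment is kept bare for brevity.)
SAMPLE_SET = """
<iq type='set' id='r1' from='icq.example.org' to='alice@example.com'>
  <query xmlns='jabber:iq:roster'>
    <item jid='12345@icq.example.org' name='Bob (ICQ)' subscription='both'/>
    <item jid='mallory@example.com' name='Mallory' subscription='both'/>
  </query>
</iq>
"""

# Constructed sample: alice's stored roster as (jid, name) pairs.
SAMPLE_ROSTER = [
    ("12345@icq.example.org", "Bob (ICQ)"),
    ("67890@icq.example.org", "Carol (ICQ)"),
    ("dave@example.com", "Dave"),
    ("erin@aim.example.org", "Erin (AIM)"),
]


def jid_domain(jid):
    """Return the lower-cased domain part of a JID (node@domain/resource)."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()


def authorize_roster_set(iq_xml, authenticated_sender):
    """Split a roster-set IQ into (allowed_jids, rejected_jids).

    `authenticated_sender` is the identity the server established when the
    component/transport stream was set up; it is deliberately used instead
    of the stanza's own 'from' attribute. An item is allowed only when its
    domain equals the sender's domain, so a transport can touch just the
    contacts it gates and nothing else on the user's roster.
    """
    iq = ET.fromstring(iq_xml)
    if iq.tag != "iq" or iq.get("type") != "set":
        raise ValueError("not a roster set")
    query = iq.find("{%s}query" % ROSTER_NS)
    if query is None:
        raise ValueError("no jabber:iq:roster query in stanza")

    sender_domain = jid_domain(authenticated_sender)
    allowed, rejected = [], []
    for item in query.findall("{%s}item" % ROSTER_NS):
        jid = item.get("jid", "")
        if jid and jid_domain(jid) == sender_domain:
            allowed.append(jid)
        else:
            rejected.append(jid)
    return allowed, rejected


def filter_roster_for_transport(roster_items, authenticated_sender):
    """Return only the (jid, name) entries a transport may see on a roster get."""
    sender_domain = jid_domain(authenticated_sender)
    return [(jid, name) for jid, name in roster_items
            if jid_domain(jid) == sender_domain]


if __name__ == "__main__":
    ok, bad = authorize_roster_set(SAMPLE_SET, "icq.example.org")
    print("apply:", ok)      # ['12345@icq.example.org']
    print("reject:", bad)    # ['mallory@example.com']
    print(filter_roster_for_transport(SAMPLE_ROSTER, "icq.example.org"))
```

A server applying this would forward only `allowed` items into the user's roster (and still push them to the user's other sessions as usual); the rejected ones are the case Robert worries about, where a remote domain tries to edit contacts that are not its own. The check is only as strong as the identity it keys on, which is why it takes the stream-authenticated sender rather than trusting `from`.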
