On 21 December 2015 at 04:08, Ying LEE <mr.ying....@gmail.com> wrote:
> As a demo, support-chat is the one I am looking for. But I am wondering
> whether there are some security problems. For the team MUC is known by client by
> checking the source code, and team MUC is open to anonymous visitors. So it
> is easy to use an XMPP client to access team MUC and get the private
> messages (of course, not all) between other visitors and supporters.

The MUC is used only for co-ordination and discovery of the (online)
members of teams. The initial message/invitation is sent privately, so
is not visible to other users in the room. The supporters then join
the private room that the user created, and all discussion happens
there.

At the end of the day it is, like many other services on the internet,
providing an anonymous chat service. So yes, it is wise to be aware of
what is and isn't visible or accessible to anonymous users. A service
would, for example, probably want to put some restrictions on
submitting queries, but that would need to be enforced server-side,
and not in the client code.

Regards,
Matthew
