> Scott wrote:
> > If the resource list server isn't going to do the enforcement, then
> > the protection is more apparent than real... not sure I'd go there...
>
> sipXecs RLS already does enforce, in that the user without
> the permission will not have a resource list to subscribe to.

I was not aware of that. I know that the RLS challenges the SUBSCRIBE so that only valid users can subscribe, but does it also enforce that you can only subscribe to the resource list you own?

> What we should not do is have sipXproxy examine SUBSCRIBEs
> addressed directly to user AORs, and selectively block them
> based on the event package type.

This is already done. There's a subscriber auth plug-in for this.

> The "Subscribe to presence" permission should apply only to
> sipXecs RLS facilities. i.e. It does not apply to requests
> addressed directly to user AORs. If the request
> can be authenticated with valid user credentials, then we'll proxy it.
>
> When the user has network access to the other user's phone,
> sipXproxy could not possibly prevent a direct SUBSCRIBE anyway.
>
> -Paul
> [email protected]
>
> _______________________________________________
> sipx-dev mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-dev
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
> sipXecs IP PBX -- http://www.sipfoundry.org/
