Hello,

I think the way a voice request is supposed to be done (7.13) is a security problem. XEP-0045 says that the user supplies a form which is then forwarded by the service to the moderators. If that is to be secure, the service would have to check the complete form for undefined or insecure fields before forwarding the request. That is IMHO the wrong way to do it. A better way would be if the request from the user were not a form, but something like

<message from='[email protected]/box'
         to='[email protected]'>
  <x xmlns='http://jabber.org/protocol/muc#request' type='submit'>
    <item role='participant' nick='foobar'/>
  </x>
</message>

After receiving such, the service should generate and send a form to the moderators (as already described).

That would eliminate the risk that the form supplied by the requester contains something which shouldn't be sent (with the room as sender) to moderators.

That way could also be used to request (reserved) nicks or membership.

E.g. to request membership:

<message from='[email protected]/box'
         to='[email protected]'>
  <x xmlns='http://jabber.org/protocol/muc#request' type='submit'>
    <item affiliation='member' nick='someone'/>
  </x>
</message>

Maybe 'request' could be used as type instead of 'submit', or just no type (I would prefer without).

Btw, I'm also missing how nicks of admins and owners are handled. I assume that if an item in muc#admin contains a nick, that nick will become reserved afterwards (for the JID in the same item).

Regards,

Alexander
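
The proposal above, sketched from the service side as an added example (not part of the original message and not taken from XEP-0045 or any server): the service reads only `role` and `nick` from the proposed `<item/>`, checks them against its own state, and builds the moderator form from scratch, so nothing else in the requester's payload is forwarded. The JIDs, the occupant table and the function names are constructed assumptions; the field names are those of the XEP-0045 voice request approval form, and only the voice request case is covered.

```python
import xml.etree.ElementTree as ET

NS_REQ = "http://jabber.org/protocol/muc#request"
NS_FORM = "jabber:x:data"

# Constructed sample data: occupant table (full JID -> nick) and a request that
# carries an extra data-form field alongside the proposed <item/>.
OCCUPANTS = {"user@example.org/box": "foobar"}
REQUEST = """<message from='user@example.org/box' to='room@conference.example.org'>
  <x xmlns='http://jabber.org/protocol/muc#request' type='submit'>
    <item role='participant' nick='foobar' extra='x'/>
    <field xmlns='jabber:x:data' var='injected'><value>unexpected</value></field>
  </x>
</message>"""

def build_voice_form(stanza_xml, occupants):
    """Return (var, type, value) fields for the moderators, or None if rejected."""
    msg = ET.fromstring(stanza_xml)
    sender = msg.get("from")  # assumed to be stamped by the server
    item = msg.find(f"{{{NS_REQ}}}x/{{{NS_REQ}}}item")
    if item is None or sender not in occupants:
        return None
    # Only role and nick are read; nothing else the requester sent is copied.
    if item.get("role") != "participant":
        return None
    if item.get("nick") not in (None, occupants[sender]):
        return None  # nick must match the one the service has on record
    return [
        ("FORM_TYPE", "hidden", NS_REQ),
        ("muc#role", "list-single", "participant"),
        ("muc#jid", "jid-single", sender),
        ("muc#roomnick", "text-single", occupants[sender]),
        ("muc#request_allow", "boolean", "false"),
    ]

def render(fields, room_jid, moderator_jid):
    """Serialize the service-generated form as a message from the room."""
    msg = ET.Element("message", {"from": room_jid, "to": moderator_jid})
    x = ET.SubElement(msg, f"{{{NS_FORM}}}x", {"type": "form"})
    for var, ftype, value in fields:
        field = ET.SubElement(x, f"{{{NS_FORM}}}field", {"var": var, "type": ftype})
        ET.SubElement(field, f"{{{NS_FORM}}}value").text = value
    return ET.tostring(msg, encoding="unicode")

if __name__ == "__main__":
    form = build_voice_form(REQUEST, OCCUPANTS)
    print(render(form, "room@conference.example.org", "mod@example.org/desk"))
```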