Hi folks, There are a couple of issues with this section of XEP-0045: https://xmpp.org/extensions/xep-0045.html#modifymember

In particular, I think this text was squeezed in at a later date:

"Note: A service SHOULD also return the member list to any occupant in a members-only room; i.e., it SHOULD NOT generate a <forbidden/> error when a member in the room requests the member list. This functionality can assist clients in showing all the existing members even if some of them are not in the room, e.g. to help a member determine if another user should be invited. A service SHOULD also allow any member to retrieve the member list even if not yet an occupant."

Firstly, I think that although it says this behaviour is conditional on the room being members-only, I think it should more correctly be conditional on the room being non-anonymous. Otherwise JIDs of other users are leaked through this mechanism, even if the room is semi-anonymous. Implementing the behaviour as defined will cause an unexpected privacy leak for anyone who configured their room so that JIDs are visible to "moderators only" (as per XEP-0045 config form wording).

With that out of the way, I think the MUC should additionally allow requesting the admin and owner lists (again, only if the room is non-anonymous and already reveals the JIDs of occupants). There is little point in the described feature if it is not able to retrieve the full list of affiliated users.

I believe ejabberd already implements what I wrote above, and I'm planning to implement the same logic in Prosody. Assuming nobody finds a reason to object, we should probably update the XEP accordingly.

Regards,
Matthew
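
The two rules discussed in the message above, side by side, as an added example that is not part of the original message and is not code from ejabberd or Prosody. The Room model, function names and JIDs are hypothetical, only requests from users with affiliation "member" are modelled, and the proposal is read here as replacing the members-only condition with a non-anonymous one.

```python
from dataclasses import dataclass, field

LISTS = ("member", "admin", "owner")

@dataclass
class Room:                      # hypothetical model of a MUC room
    members_only: bool           # muc#roomconfig_membersonly
    whois: str                   # muc#roomconfig_whois: "anyone" or "moderators"
    affiliations: dict = field(default_factory=dict)  # bare JID -> affiliation

def as_written(room, wanted):
    """Quoted XEP-0045 note: member list only, gated on members-only."""
    return room.members_only and wanted == "member"

def as_proposed(room, wanted):
    """Proposal in the message: any affiliation list, gated on non-anonymous."""
    return room.whois == "anyone" and wanted in LISTS

def request_list(room, requester, wanted, policy):
    """Answer a list request from a 'member'; returns JIDs or 'forbidden'.
    Occupancy is not checked: the quoted note lets a member ask before joining."""
    if room.affiliations.get(requester) != "member" or not policy(room, wanted):
        return "forbidden"
    return sorted(j for j, a in room.affiliations.items() if a == wanted)

def leaked(room, requester, policy):
    """JIDs a plain member obtains although only moderators may see JIDs."""
    if room.whois == "anyone":
        return []                # JIDs are already visible to occupants
    found = set()
    for wanted in LISTS:
        result = request_list(room, requester, wanted, policy)
        if result != "forbidden":
            found.update(result)
    return sorted(found)

# Constructed sample data (not taken from any real deployment).
AFFILS = {"owner@example.org": "owner", "admin@example.org": "admin",
          "alice@example.org": "member", "bob@example.org": "member"}
SEMI_ANON = Room(members_only=True, whois="moderators", affiliations=AFFILS)
NON_ANON = Room(members_only=True, whois="anyone", affiliations=AFFILS)

if __name__ == "__main__":
    for name, policy in (("as written", as_written), ("as proposed", as_proposed)):
        print(name, "semi-anonymous leak:", leaked(SEMI_ANON, "alice@example.org", policy))
        print(name, "owner list, non-anonymous:",
              request_list(NON_ANON, "alice@example.org", "owner", policy))
```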
