-
Holger
Yes yes, I just meant that having a single setting for MAM and public logs might obviously circumvent MAM's access restrictions. If the admin enabled public logging in general, and the room owner (or his client) just wants to enable MAM logging for a private group.
-
Holger
(But seems everyone agrees now anyway. This was different last time we discussed this.)
-
pep.
Zash: the changesubject thing was wrong in that MUC example right? roominfo / roomconfig
-
pep.
Holger: everyone on a subset of 3
-
pep.
Maybe that's already better than last time :p
-
Holger
pep.: Everyone else had an entire night of time to object!
-
Zash
pep.: Hm? No? Just weird and inconsistent.
-
lovetox
is it somewhere defined what a server needs to return on disco-info to an account that does not exist?
-
Zash
https://xmpp.org/rfcs/rfc6120.html#rules-local-barejid-nosuchuser > For an IQ stanza, the server MUST return a <service-unavailable/> stanza error (Section 8.3.3.19) to the sender.
-
lovetox
ejabberd returns subscription-required
-
lovetox
but ok
-
pep.
What would you have to subscribe to to disco an account? Roster?
-
Guus
It might be needed to distinguish between JIDs that do not refer to an existing entity, and JIDs that are associated to users that used SASL ANON.
-
Guus
You can probably disco/info an anonymous user?
-
Ge0rG
something something user enumeration attacks
-
Guus
'something something' isn't going to cut it. Be more specific please.
-
Ge0rG
A server should ideally return the same response for an existing user as for a non-existing one, unless you are allowed to see the respective record
-
Zash
so that it's not trivial to find out which users exist
-
lovetox
yeah so subscription-required makes more sense
-
lovetox
because this you can return for ALL users
-
lovetox
while service-unavailable you can only return for users that don't exist?
-
lovetox
or does prosody also return that if you are not subscribed to a contact
-
Zash
Should be the same error in both cases
-
lovetox
am I allowed to disco info the contact if he sent me a message?
-
lovetox
or can I simply never disco info a contact I'm not subscribed to
-
Zash
no. probably.
-
Zash
sending a message wouldn't matter here
-
Ge0rG
lovetox: most servers try to stay stateless as far as possible, so incoming traffic isn't registered as any kind of auth, only presence subscriptions
-
Zash
Storage hit for roster lookups