When user A requests subscription to user B, user A is added to roster of user B (#119)

Closed

wojciech.kapcia@tigase.net opened 1 decade ago

Due Date
2015-04-29

How to replicate:

User A create account
User B create account
User A logins
User B logins
User A binds resource
User B binds resource
User A send presence available
User B send presence available
User A sends subscription request to User B
User B requests its roster : user A is in roster with subscription "none", ask "none".

I believe that User A should not enter the roster at all.

as per RFC6121

3.1.3. Server Processing of Inbound Subscription Request

Security Warning: Until and unless the contact approves the

subscription request as described under Section 3.1.4, the

contact's server MUST NOT add an item for the user to the

contact's roster.

Artur Hefczyc commented 10 years ago

I think, the best way to handle this would be to actually add the new item to user's roster but never send the item to a client as a response to roster get request. So, all the existing storage and logic could be preserved with a small change of excluding such items when a roster result is created for a client.

wojciech.kapcia@tigase.net commented 9 years ago

Applied in changeset commit:tigase-server|2eb9b8d0.

wojciech.kapcia@tigase.net commented 9 years ago

Items with SubscriptionType.none_pending_in are no longer included in the roster returned to the user. As for the security consideration -- I think it mostly relates to avoid broadcasting presence/probes to such contacts, but Tigase handles those differently and already took into consideration presence/transition state to avoid implied security problems, hence this was mostly cosmetic change.

Type	Bug
Priority	Normal
Assignee	Artur Hefczyc
RedmineID	663
Version	tigase-server-7.1.0
Estimation	16h
Spent time	6h

Duplicate

#210 Closed

Add/Subscribe/Remove issue

Issue Votes (0)

Watchers (0)

Reference

tigase/_server/server-core#119