[JDEV] Auto roster population/lock some groups

Eli Burke eburke at lore.net
Thu Sep 11 13:00:32 CDT 2003


Our situation was not the same but had similar elements, so perhaps this
will help you. 
We had to set up automatic roster population, and then lock clients down
so that they 
could not send messages to users not in their roster (or add/edit/delete
new users or groups).

The eventual solution was to modify both the client and the server. The
client was modified
to make for a better "user experience" but the server was modified to
prevent the actions
entirely. If a user was to use a different client, it might behave
strangely, but the server
prevents any circumvention of the policy. 

So, it seems to me you basically have two choices: modify the
"roster-add-2" query in xdb_sql.xml
so that it rejects or ignores groups that start with "MS-" (I'm not
entirely sure how this will
behave but it is easy enough to test) or modify jabberd. A cursory look
suggests that 
jsm/modules/mod_group.c in mod_groups_roster_insert() would be a good
place to start, though
it has been a while and I can't remember if that bit gets called when
xdb_sql is running.

For the curious, in order to disable ability for users to send IMs or
add users not already in 
their roster, we added the following code to jsm/deliver.c, approx line
158 prior to calling js_user()
[Note: NS_ROSTERCHECKis defined as jabber:iq:rostercheck]

        /* if this is a message packet, make sure the sender is
         * allowed to send a message to the receiver
        if (jp && jp->type == JPACKET_MESSAGE) {
            int found = 0;
            xmlnode x, cur;

            /* query for the allowed user roster */
            if (NULL != (x = xdb_get(si->xc, p->id, NS_ROSTERCHECK))) {

                /* loop through all names returned to make sure we can
send */
                for(cur = xmlnode_get_firstchild(x); cur != NULL;
                            cur = xmlnode_get_nextsibling(cur)) {
                    if (0 == (j_strcmp(jp->to->user,
                        found = 1;

                if (! found) {
                        "User tried to send message to invalid or "
                         "unauthorized user!: %s",xmlnode2str(p->x));
                    return r_DONE;

We also added the following query to the xdb_sql.xml file:
     <querydef name="rosterck-get" dtd="2" type="get"
        <text>SELECT others.uid FROM memberships mem INNER JOIN
memberships others ON others.unit_id = mem.unit_id AND others.unit_type
= mem.unit_type INNER JOIN projects groups ON groups.id = mem.unit_id
WHERE mem.unit_type = 'foo.base.Group.Project' AND mem.uid =
SUBSTRING_INDEX( '$$user$$', '@', 1 ) AND others.uid != mem.uid</text>
    <top-result><results xmlns='jabber:iq:rosterck'/></top-result>
    <bindcol tag="allowed" offset="0" />


-----Original Message-----
From: jdev-admin at jabber.org [mailto:jdev-admin at jabber.org] On Behalf Of
Moore, Michael
Sent: Thursday, September 11, 2003 11:39 AM
To: 'jdev at jabber.org'
Subject: [JDEV] Auto roster population/lock some groups


I'm working on a jabber solution for the US Coast Guard. One feature
they want is automatic roster population (no problem there). They also
want to lock down the groups that were automatically populated so the
user can't mess with them (not too hard) but here's the difficulty: they
want to have a column in the rostergroups table to mark that the group
was automatically generated. Using jabberd 1.4.2 on Linux with xdb_sql
and a mysql database but we will be moving to Solaris and Oracle soon
though, with the client in Java (and I've not used large-scale Java
before... whee!). 

Then the client needs to block modification of those groups marked as
auto-generated. I'm new to this whole project, I took over for someone a
few weeks back and I'm still trying to figure it all out.  The
documentation I've read has confused me more than helped, and Google has
not been my friend. Has anyone done anything like this (added stuff to
the protocol)? Obviously the client needs to know how to handle it, but
would it require changing the server source and rebuilding? Or just
xdb_sql? Any pointers in the right direction would be appreciated.


Michael Moore (mmoore at osc.uscg.mil) (304) 264-2652
Team CGCentral
United States Coast Guard Operations Systems Center

More information about the JDev mailing list