[jdev] Idavoll 2

Ralph Meijer jabber.org at ralphm.ik.nu
Wed Apr 13 03:53:29 CDT 2005


Cross posting to standards-jig. Let's continue the discussion there.

See below for my comments.

On Tue, Apr 12, 2005 at 11:25:24AM -0500, Peter Saint-Andre wrote:
> On Tue, Apr 12, 2005 at 09:26:56AM +0200, Ralph Meijer wrote:
> > While working on Idavoll last week, I discovered that when another resource of
> > the same JID that was subscribed requests the items, you get a not-authorized.
> > Maybe it would be better to check against the bare JID (without resource)?
> So the subscriber is <node@host/resource>? If so, then it seems correct
> for Idavoll to refuse access. If the subscriber is node@host, then it is
> probably right to allow access from any resource. (It's always a bit
> dangerous to make assumptions about what an entity is based on the JID,
> e.g., node@host could be jdev@conference.jabber.org, I suppose.)
> > Being an owner does not automatically allow you to get items. That's probably
> > not desirable, but it isn't really clear from the spec. 
> Well, let's clarify that, then! :-)

Ok. As I see it, a node's owner should be able to request items. It is silly
that he first has to subscribe (possibly confirming himself in the process,
when subscriptions have to be authenticated), to get items of a node he owns.

> > Also, should publishers
> > that are not subscribed be allowed to get items?
> Hmm. Is that kind of special-casing a problem in the code?

Well, yes, currently, my code only checks if the requestor is a subscriber.
If we do allow owners to request items (without subscription) I have to find
out the requestor's affiliation with the node anyway, so this is not an issue.

That reminds me: I should probably also deny outcasts here. What happens to
(existing) subscriptions of entities that are marked outcast? Do they still
receive notifications?

> It does seem reasonable that owners and publishers would be allowed to
> get items, but of course they could simply subscribe, too.

I'm not sure about publishers, here. I can imagine nodes that have (multiple)
publishers and a clear distinction between them and the list of subscribers,
and it not being desirable for a publisher to view the items published by
others. I suppose we could honour the same checking as for removing items in
that you can only view your own published items.

If the subscription policy is open, anyone should be able to retrieve items, as
proposed elsewhere. See the pubsub#subscription_model node configuration



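The item-retrieval rules discussed in this message, as an added example that is not part of the original post and is not Idavoll's code: outcasts are denied, owners are allowed without subscribing, open nodes serve anyone, and a bare-JID subscription covers every resource while a full-JID subscription matches only that resource. The names `Node`, `split_jid`, `may_retrieve_items` and the `"authorize"` value are hypothetical, and checking outcasts before the open model and giving publishers no special case are assumptions, since the thread leaves both undecided.

```python
from dataclasses import dataclass, field


def split_jid(jid):
    """Split a JID at the first '/' into (bare JID, resource or None).

    No stringprep normalization is done here; a real service needs it.
    """
    bare, _, resource = jid.partition("/")
    return bare, resource or None


@dataclass
class Node:
    # "open" is the value named in the thread; "authorize" is a hypothetical
    # stand-in for a model where subscriptions must be approved.
    subscription_model: str = "authorize"
    affiliations: dict = field(default_factory=dict)  # bare JID -> affiliation
    subscribers: set = field(default_factory=set)     # JIDs exactly as subscribed


def may_retrieve_items(requestor, node):
    """Decide an items request using the rules proposed in the thread."""
    bare, _ = split_jid(requestor)
    affiliation = node.affiliations.get(bare, "none")
    if affiliation == "outcast":
        return False          # deny even if an old subscription still exists
    if affiliation == "owner":
        return True           # owners need no subscription
    if node.subscription_model == "open":
        return True           # open nodes serve any non-outcast requestor
    # A bare-JID subscription covers every resource of that JID; a full-JID
    # subscription matches only that exact resource. Publishers get no
    # special case (assumption: the thread leaves this undecided).
    return bare in node.subscribers or requestor in node.subscribers


# Constructed sample data, not taken from the thread.
SAMPLE = Node(
    affiliations={"owner@example.org": "owner", "banned@example.org": "outcast",
                  "pub@example.org": "publisher"},
    subscribers={"reader@example.org", "pinned@example.org/home",
                 "banned@example.org"},
)

if __name__ == "__main__":
    for jid in ("owner@example.org/desk", "reader@example.org/phone",
                "pinned@example.org/work", "banned@example.org/x"):
        print(jid, may_retrieve_items(jid, SAMPLE))
```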