[jdev] XEP-0060 Subscription Authorization

Ralph Meijer jabber.org at ralphm.ik.nu
Mon Dec 3 11:07:44 CST 2007

On Mon, 2007-11-19 at 13:05 -0700, Peter Saint-Andre wrote:
> Lindsay Oproman wrote:
> > [..]
> If the node is configured for an access model of "authorize" then each
> subscription request will need to be approved by the node owner, unless
> the implementation includes some logic to pre-approve subscription
> requests from all resources based on the bare JID (node@domain.tld).
> (Sounds like a good feature request.)

I think that XEP-0060 was designed to do access control on bare JIDs,
although we never made that explicit, apparently. You can see this in
various parts of the specification. For example, any resource can
manipulate the subscriptions and affiliations that are associated with
any resource of the bare JID and the bare JID itself.

I don't think making it explicit that all access control is done on the
bare JID should pose any issues. The only area that might be a concern
is doing publish-subscribe from within a MUC room, but this is a special
use case that we haven't given much attention anyway. I do have some
thoughts on it, were it necessary to pull that into this thread.

For what it is worth, Idavoll assigns affiliations to, and does access
control based on, bare JIDs.
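
The bare-JID access control discussed in this message, sketched as an added example for the "authorize" access model; it is not part of the original post and is not Idavoll's code. `AuthorizeNode`, `bare_jid`, `decide` and the example.org JIDs are hypothetical or constructed, and `lower()` stands in for proper nodeprep/nameprep normalization.

```python
from dataclasses import dataclass, field

def bare_jid(jid: str) -> str:
    """Return the bare JID (node@domain) for a full or bare JID."""
    # Cut at the first '/': resources may themselves contain '@' or '/'.
    bare = jid.partition("/")[0]
    if not bare or bare.startswith("@") or bare.endswith("@"):
        raise ValueError(f"malformed JID: {jid!r}")
    # Simplification: lower() stands in for nodeprep/nameprep normalization.
    return bare.lower()

@dataclass
class AuthorizeNode:
    """Hypothetical pubsub node using the 'authorize' access model."""
    owner: str
    subscriptions: dict = field(default_factory=dict)  # bare JID -> state

    def subscribe(self, jid: str) -> str:
        bare = bare_jid(jid)
        # A decision already recorded for the bare JID covers every resource.
        return self.subscriptions.setdefault(bare, "pending")

    def decide(self, approver: str, jid: str, allow: bool) -> str:
        # Only the owner may decide, from any of the owner's resources.
        if bare_jid(approver) != bare_jid(self.owner):
            raise PermissionError(f"{approver} does not own this node")
        bare = bare_jid(jid)
        if self.subscriptions.get(bare) != "pending":
            raise LookupError(f"no pending request from {bare}")
        if allow:
            self.subscriptions[bare] = "subscribed"
        else:
            del self.subscriptions[bare]  # state goes back to "none"
        return self.subscriptions.get(bare, "none")

def demo() -> list:
    node = AuthorizeNode(owner="owner@example.org")  # constructed JIDs
    return [
        node.subscribe("alice@example.org/laptop"),
        node.decide("owner@example.org/desk", "alice@example.org/laptop", True),
        node.subscribe("alice@example.org/phone"),
    ]

if __name__ == "__main__":
    print(demo())
```

The second resource (`/phone`) is subscribed without a new approval because the owner's decision is stored against the bare JID.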


