[Standards] XEP-0060 (and dependent ones): overwriting an item of somebody else

Goffi goffi at goffi.org
Mon Aug 10 23:05:14 UTC 2015


It seems that in XEP-0060 nothing prevents a publisher from overwriting an 
item published by somebody else (or at least it's ambiguous).

While that may be desirable in some cases, it's pretty bad with XEP-0277.

In XEP-0060 § 7.1.1, it's said that
"Any entity that is allowed to publish items to a node (i.e., a 
publisher or an owner)  [...]"
  and "The <item/> element provided by the publisher MAY possess an 'id' 
attribute, specifying a unique ItemID for the item."

In § 7.1.2 it's said "Note: If the publisher previously published an 
item with the same ItemID, successfully processing the request means 
that the service MUST overwrite the old item with the new item and then 
proceed as follows."

Well, the ambiguous part is "the publisher": in the case of XEP-0277 
comments, the publish model is most of the time "subscribers", so any 
subscriber is a publisher. It's not explicit in the XEP that the service 
should prevent a publisher from overwriting an item from another publisher.

In my opinion the following points should be modified:

- this case should be made explicit in the XEP-0060, with e.g. a 
security warning

- a node configuration option can be used to specify if a publisher can 
overwrite an item initially published by somebody else

- if this option is present, it MUST default to false (i.e. a publisher 
can't overwrite something that he didn't publish).
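
The check proposed above, sketched as an added example that is not part of the original post and not code from any XMPP server: an in-memory node with the "subscribers" publish model that remembers who first published each ItemID. The option name `allow_overwrite_others`, the `Node` class and the JIDs are assumptions made for illustration; XEP-0060 defines no such field.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """Toy pubsub node where every subscriber may publish (XEP-0277 comments case)."""
    subscribers: set
    # Hypothetical node option; defaults to False as the post proposes.
    allow_overwrite_others: bool = False
    # ItemID -> (bare JID of the initial publisher, payload)
    items: dict = field(default_factory=dict)

    def publish(self, sender: str, item_id: str, payload: str) -> str:
        # Compare bare JIDs so another resource of the same account
        # still counts as the original publisher.
        bare = sender.split("/", 1)[0]
        if bare not in self.subscribers:
            raise PermissionError(f"{bare} may not publish to this node")
        existing = self.items.get(item_id)
        if existing is None:
            self.items[item_id] = (bare, payload)
            return "created"
        first_publisher = existing[0]
        if first_publisher != bare and not self.allow_overwrite_others:
            # Reject instead of silently replacing somebody else's item.
            raise PermissionError(
                f"item {item_id!r} was published by {first_publisher}")
        # Overwrite the payload but keep the record of who published it first.
        self.items[item_id] = (first_publisher, payload)
        return "overwritten"


if __name__ == "__main__":
    # Constructed sample JIDs.
    node = Node(subscribers={"alice@example.org", "bob@example.org"})
    print(node.publish("alice@example.org/phone", "comment-1", "first!"))
    try:
        node.publish("bob@example.org/desktop", "comment-1", "replaced")
    except PermissionError as err:
        print("rejected:", err)
    print(node.publish("alice@example.org/laptop", "comment-1", "edited"))
```
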

