[Standards] XEP-0045: Members fetching the "members" list

Daniel Gultsch daniel at gultsch.de
Fri Nov 9 10:58:46 UTC 2018


On Fri, 9 Nov 2018 at 10:29, Matthew Wild <mwild1 at gmail.com> wrote:
> There are a couple of issues with this section of XEP-0045:
> https://xmpp.org/extensions/xep-0045.html#modifymember
>
> In particular, I think this text was squeezed in at a later date:

Probably yes.


> Firstly, I think that although it says this behaviour is conditional
> on the room being members-only, I think it should more correctly be
> conditional on the room being non-anonymous. Otherwise JIDs of other
> users are leaked through this mechanism, even if the room is
> semi-anonymous. Implementing the behaviour as defined will cause an
> unexpected privacy leak for anyone who configured their room so that
> JIDs are visible to "moderators only" (as per XEP-0045 config form
> wording).

Yes

> With that out of the way, I think the MUC should additionally allow
> requesting the admin and owner lists (again, only if the room is
> non-anonymous and already reveals the JIDs of occupants). There is
> little point in the described feature if it is not able to retrieve
> the full list of affiliated users.

Yes

> I believe ejabberd already implements what I wrote above,

Yes

> planning to implement the same logic in Prosody.

Cool, please do. Although I assumed it does so already.

cheers
Daniel
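
The access rule discussed in this thread, modelled as an added example (not part of the original e-mail, and not code from ejabberd or Prosody): it compares the members-only condition with the proposed non-anonymous condition and lists every room configuration in which a plain member would receive JIDs that the room shows to moderators only. Assumptions: the `Room` class and all function names are hypothetical, the requester holds the "member" affiliation without a moderator role, and the proposal is read as replacing the members-only condition rather than adding to it.

```python
from dataclasses import dataclass
from itertools import product

AFFILIATION_LISTS = ("member", "admin", "owner")

@dataclass(frozen=True)
class Room:
    """Hypothetical model of the two room settings the thread talks about."""
    members_only: bool   # muc#roomconfig_membersonly
    whois: str           # muc#roomconfig_whois: "anyone" or "moderators"

    @property
    def non_anonymous(self) -> bool:
        return self.whois == "anyone"

def as_written(room: Room, wanted: str) -> bool:
    """Rule as the thread describes the current text: a member may fetch
    the member list whenever the room is members-only."""
    return wanted == "member" and room.members_only

def proposed(room: Room, wanted: str) -> bool:
    """Rule proposed in the thread: a member may fetch the member, admin
    and owner lists, but only when the room is non-anonymous."""
    return wanted in AFFILIATION_LISTS and room.non_anonymous

def jid_leaks(rule) -> list:
    """Return every (room, list) pair where `rule` hands real JIDs to a
    plain member although the room shows JIDs to moderators only."""
    leaks = []
    for members_only, whois in product((True, False), ("anyone", "moderators")):
        room = Room(members_only, whois)
        for wanted in AFFILIATION_LISTS:
            if rule(room, wanted) and not room.non_anonymous:
                leaks.append((room, wanted))
    return leaks

if __name__ == "__main__":
    # Enumerates all four constructed room configurations for each rule.
    for name, rule in (("as written", as_written), ("proposed", proposed)):
        print(name, "->", jid_leaks(rule) or "no leak")
```
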

