REST API not respecting mod_register access rules #2837

Closed
mightyBroccoli opened this issue Mar 20, 2019 · 1 comment

mightyBroccoli commented Mar 20, 2019

Defined access rules within mod_register are not respected when registration is done through the REST API, thus it is possible to register blocked usernames.

OS: Debian 9.8
Ejabberd: Debian Backports 18.12.1-2~bpo9+1

module config excerpt:

  mod_register:
    access: access_register

access rules excerpt:

  access_register:
    - deny: blocked
    - allow

ACL excerpt:

  blocked:
    user:
      - "hostmaster"
      - "ejabberd"


badlop commented May 28, 2019

The change introduced in 1f2b8ad to restrict the register command with mod_register options, as requested in this ticket, has been very problematic (#2828 and #2893).

After considering the topic in more detail, the register command is expected to be run by administrators. So it doesn't make sense to restrict it with mod_register options, which are designed to restrict public account registration. In this sense, the problem initially mentioned in this ticket is not considered a bug; in any case, it could be considered a feature request. So, the original behaviour has been restored in commit 4eaba13.
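
Because the admin register command is not filtered by the mod_register access rule, a provisioning service that forwards registrations to the API has to apply the username policy itself. The sketch below is an added example, not ejabberd code and not from either commenter: it evaluates a first-match rule modelled on the `access_register` excerpt before forwarding. `guarded_register`, `send` and the in-memory tables are hypothetical names, and the rule data is constructed from the excerpts in the issue.

```python
"""Pre-check for callers of ejabberd's admin `register` command (added example)."""

# Constructed from the issue's excerpts: ACL "blocked" and rule "access_register".
# A bare "- allow" entry is represented here as ("allow", "all").
ACLS = {"blocked": {"user": ["hostmaster", "ejabberd"]}}
ACCESS_RULES = {"access_register": [("deny", "blocked"), ("allow", "all")]}


def acl_matches(acl_name, user, acls=ACLS):
    """Return True if the local part is listed in the named ACL; 'all' matches anyone."""
    if acl_name == "all":
        return True
    listed = acls.get(acl_name, {}).get("user", [])
    # Local parts compare case-insensitively; casefold() is a simplification
    # of XMPP nodeprep and is an assumption of this sketch.
    return user.casefold() in {u.casefold() for u in listed}


def evaluate(rule_name, user, rules=ACCESS_RULES, acls=ACLS):
    """First matching entry wins; an unknown rule or no match yields 'deny'."""
    for action, acl_name in rules.get(rule_name, []):
        if acl_matches(acl_name, user, acls):
            return action
    return "deny"


def guarded_register(user, host, password, send, rule="access_register"):
    """Forward to the admin API only when the rule allows the username.

    `send` is a hypothetical callable that performs the authenticated API call
    with the register command's arguments (user, host, password).
    """
    local = user.strip()
    if evaluate(rule, local) != "allow":
        return {"registered": False, "reason": f"{local!r} denied by {rule}"}
    send({"user": local, "host": host, "password": password})
    return {"registered": True, "reason": None}
```

The pre-check only covers callers that go through it, so access to the register command on the API itself still needs to be limited to administrators.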
