processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Admin/Owner of moderated room can not send message to all occupants #3525

Closed gsohn closed 3 years ago

gsohn commented 3 years ago

Ejabberd version: 21.01

We created a room with moderated option as true. Using the API, we added a user into room subscribers list and set his affiliation as owner.

When we are trying to send a message using API (with send_stanza command), the error above occurs:

Visitors are not allowed to send messages to all occupants

It seems this happens because the user is not listed as a room occupant, but as he's owner (or admin) of the room, shouldn't he be allowed to send messages to this moderated room?

badlop commented 3 years ago

I don't see that problem, it works for me. Maybe you have some configuration in ejabberd.yml, or are you providing some wrong arguments to the API?

I wrote a small script with this content:

```sh
ejabberdctl register user2 localhost mypass11
ejabberdctl create_room room1 conference.localhost localhost
ejabberdctl change_room_option room1 conference.localhost moderated true
ejabberdctl get_room_options room1 conference.localhost | grep moderated
ejabberdctl set_room_affiliation room1 conference.localhost user2@localhost owner
ejabberdctl get_room_affiliations room1 conference.localhost
ejabberdctl subscribe_room user2@localhost UseR2 room1@conference.localhost urn:xmpp:mucsub:nodes:messages
ejabberdctl send_message groupchat user2@localhost room1@conference.localhost "" testcommandmess
```

Then execute it:

```
$ ./3525.txt
User user2@localhost successfully registered
moderated       true
user2   localhost       owner
urn:xmpp:mucsub:nodes:messages
```

Now I login with another account (user1), join the room, and the room history contains that message:

```xml
<message to='user1@localhost/tka1'
    from='room1@conference.localhost/UseR2'
    type='groupchat'
    id='16625923151172334846'>
  <archived by='room1@conference.localhost'
    id='1612974673594959'
    xmlns='urn:xmpp:mam:tmp'/>
  <stanza-id by='room1@conference.localhost'
    id='1612974673594959'
    xmlns='urn:xmpp:sid:0'/>
  <addresses xmlns='http://jabber.org/protocol/address'>
    <address jid='user2@localhost'
    type='ofrom'/>
  </addresses>
  <delay from='room1@conference.localhost'
    stamp='2021-02-10T16:31:13.664042Z'
    xmlns='urn:xmpp:delay'/>
  <body>testcommandmess</body>
</message>
```

gsohn commented 3 years ago

Thanks for your reply.

I tested using the ejabberdctl commands you mentioned and still got an error when sending the message :/

prefiks commented 3 years ago

I think this depends on whether the room has the members_by_default flag set. With it we allow sending messages by all subscribers, but without it we only check if the user's role is moderator/member, and since subscribers are offline they don't have any role set. Probably we could add a try to get a role for them from their affiliation (by reusing get_default_role?)
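The check described above, as an added illustrative model in Python (not ejabberd's Erlang code): Room, default_role and can_send_groupchat are invented names, and the "fallback" flag switches between the reported behaviour (an offline subscriber has no role unless members_by_default is set) and the proposed one (derive the role from the affiliation, as get_default_role does on join).

```python
from dataclasses import dataclass, field

# XEP-0045 roles, ranked so "at least participant" is a simple comparison.
ROLE_RANK = {"none": 0, "visitor": 1, "participant": 2, "moderator": 3}
DENY_VISITOR = "Visitors are not allowed to send messages to all occupants"

@dataclass
class Room:  # simplified room state, not ejabberd's #state record
    moderated: bool = True
    members_by_default: bool = False
    affiliations: dict = field(default_factory=dict)  # bare JID -> affiliation (set_room_affiliation)
    roles: dict = field(default_factory=dict)         # bare JID -> role, online occupants only
    subscribers: set = field(default_factory=set)     # bare JIDs subscribed via mucsub

def default_role(room, jid):
    """Role a user would get on joining, derived from affiliation (a get_default_role analogue)."""
    aff = room.affiliations.get(jid, "none")
    if aff in ("owner", "admin"):
        return "moderator"
    if aff == "member":
        return "participant"
    if aff == "outcast":
        return "none"
    return "participant" if (not room.moderated or room.members_by_default) else "visitor"

def can_send_groupchat(room, jid, use_affiliation_fallback):
    """Decide whether a groupchat message from `jid` is accepted. Returns (allowed, reason)."""
    if jid in room.roles:                       # online occupant: use the live role
        role = room.roles[jid]
    elif jid in room.subscribers:               # offline mucsub subscriber
        if use_affiliation_fallback:
            role = default_role(room, jid)      # proposed fix: derive the role from affiliation
        else:
            role = "participant" if room.members_by_default else "none"  # behaviour reported here
    else:
        return False, "not an occupant or subscriber"  # constructed reason text
    if room.moderated and ROLE_RANK[role] < ROLE_RANK["participant"]:
        return False, DENY_VISITOR
    return True, "ok"

def reported_case():
    """The room from this thread: moderated, members_by_default false, user2 is owner and subscriber."""
    room = Room(affiliations={"user2@localhost": "owner"}, subscribers={"user2@localhost"})
    return (can_send_groupchat(room, "user2@localhost", False),
            can_send_groupchat(room, "user2@localhost", True))
```

With the fallback, an unaffiliated offline subscriber still resolves to visitor and is still refused, so the change only helps users whose affiliation already grants them a speaking role.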

gsohn commented 3 years ago

Hello,

Yes, members_by_default is set as false

badlop commented 3 years ago

> Yes, members_by_default is set as false

That is not the default value for that option, right? So you changed the default configuration, did not mention it, and still complain about some problem...

If you want some help, first of all show your configuration, the exact API calls you run including arguments, and any other information that may be required to reproduce your problem.

gsohn commented 3 years ago

Sorry, I wasn't complaining... Just trying to make things work.

Here's our ejabberd conf:

```yaml
loglevel: 3
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 1000

certfiles:
  - ***
  - ***
  - ***
  - ***
  - ***
  - ***

hosts:
  - ***

sql_type: pgsql
sql_server: ***
sql_database: ***
sql_username: ***
sql_password: ***
sql_keepalive_interval: 60

# -------------- #
# Global options #
# -------------- #
default_db: sql
use_cache: true
#negotiation_timeout: 40
max_fsm_queue: 10000

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    #max_stanza_size: 2621440
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    tls_compression: false
    request_handlers:
      "/bosh": mod_bosh
      "/captcha": ejabberd_captcha
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin
      "/api": mod_http_api
  -
    port: 5281
    module: ejabberd_http
    request_handlers:
      /.well-known/acme-challenge: ejabberd_acme

jwt_auth_only_rule: jwt_only
auth_method: [jwt,sql]
#auth_method: [sql]
jwt_key: "/home/ejabberd/token_key"

disable_sasl_mechanisms:
  - "digest-md5"
  - "X-OAUTH2"

s2s_use_starttls: optional

# -------------------- #
# ACCESS CONTROL LISTS #
# -------------------- #
acl:
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"
  admin:
    user:
      - "***"
  trusted_backends:
    ip:
      - ***
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
      - ::FFFF:127.0.0.1/128

# ------------ #
# ACCESS RULES #
# ------------ #
access_rules:
  jwt_only:
    deny: admin
    allow: all
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow: all
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: admin
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: admin
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow: loopback
  ## Only allow to register and API calls from localhost
  trusted_network:
    - allow: loopback

# --------------- #
# API PERMISSIONS #
# --------------- #
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
              - acl: loopback
              - acl: admin
      - oauth:
          - scope: "ejabberd:admin"
          - access:
              - allow:
                  - acl: loopback
                  - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "API used from localhost allows all calls":
    who:
      - ip: ****
    what:
      - "*"
      - "!stop"
      - "!start"

# ------------ #
# SHAPER RULES #
# ------------ #
shaper:
  normal: 100000
  fast: 500000

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions:
    - 200: admin
    - 100
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 200: all
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal: all
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

acme:
  contact: "mailto:***"
  ca_url: https://acme-v02.api.letsencrypt.org/directory

###.   =======
###'   MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules:
  mod_read_markers:
    db_type: sql
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state:
    queue_chat_states: false
    queue_presence: false
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  ## mod_irc: {}
  mod_bosh:
    max_inactivity: 30
    use_cache: false
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/opt/ejabberd/logs/access.log"
  ## mod_http_upload:
  ##   # docroot: "@HOME@/upload"
  ##   put_url: "https://@HOST@:5444"
  ##   thumbnail: false # otherwise needs the identify command from ImageMagick installed
  ## mod_http_upload_quota:
  ##   max_days: 30
  mod_last:
    db_type: sql
  ## XEP-0313: Message Archive Management
  ## You might want to setup a SQL backend for MAM because the mnesia database is
  ## limited to 2GB which might be exceeded on large servers
  mod_mam:
    db_type: sql
    assume_mam_usage: true
    default: always
    user_mucsub_from_muc_archive: true
    request_activates_archiving: false
  mod_muc:
    host: "***"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam: muc_create
    access_register: muc_create
    history_size: 50
    db_type: sql
    max_users: 500
    default_room_options:
      allow_subscription: true
      allow_change_subj: false
      allow_visitor_status: false
      allow_private_messages_from_visitors: nobody
      anonymous: false
      lang: "fr"
      mam: true
      max_users: 500
      persistent: true
      public: false
      public_list: false
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    db_type: sql
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
    # send_pings: true
    # ping_interval: 4 min
    # timeout_action: kill
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy:
    db_type: sql
  mod_private:
    db_type: sql
  ## mod_proxy65: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ## reduces resource comsumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource comsumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    plugins:
      - "dag"
      - "flat"
      - "pep" # pep requires mod_caps
    force_node_config:
      ## Avoid buggy clients to make their bookmarks public
      "storage:bookmarks":
        access_model: whitelist
        max_items: 100
      "*@last-read":
        max_items: 500
      "*@room-subscriptions":
        max_items: 1
  mod_push:
    db_type: sql
  mod_push_keepalive: {}
  mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ## captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ## password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    #access: register
  mod_roster:
    db_type: sql
    access: trusted_network
  mod_shared_roster: {}
  ## mod_stats: {}
  ## mod_time: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  ## Convert all avatars posted by Android clients from WebP to JPEG
  ## mod_avatar: # this module needs compile option --enable-graphics
  ##   convert:
  ##     webp: jpeg
  mod_version:
    show_os: false
  mod_stream_mgmt:
    max_ack_queue: 10000
    resume_timeout: 5 min
    #max_resume_timeout: 300
    resend_on_timeout: true
    ack_timeout: infinity
  ## Non-SASL Authentication (XEP-0078) is now disabled by default
  ## because it's obsoleted and is used mostly by abandoned
  ## client software
  ## mod_legacy_auth: {}
  ## The module for S2S dialback (XEP-0220). Please note that you cannot
  ## rely solely on dialback if you want to federate with other servers,
  ## because a lot of servers have dialback disabled and instead rely on
  ## PKIX authentication. Make sure you have proper certificates installed
  ## and check your accessibility at https://check.messaging.one/
  mod_s2s_dialback: {}
  mod_http_api: {}
```

Then we called the commands in the same order you mentioned in your first message. The user is created using the ejabberd API. Then we use:

Thanks

badlop commented 3 years ago

Ok, I can reproduce your problem using your configuration in ejabberd 21.01. The problem is solved when using a recent ejabberd compiled from current source code.

This problem got reported and fixed some weeks ago, see https://github.com/processone/ejabberd/issues/3485

prefiks commented 3 years ago

I think this is something different, and the patch from that will not help (in that other ticket, messages are sent correctly, just not displayed by clients; in this one, messages are rejected and aren't propagated).

prefiks commented 3 years ago

This should be fixed by 14871c54acb9f5eeb98cc57faca1ec1d92133a22.