snikket-im / snikket-server

Image builder for Snikket server
https://snikket.org/service/
Apache License 2.0

Limited Users Receive External Messages #233

Open andydvsn opened 5 days ago

andydvsn commented 5 days ago

I've been setting up a Snikket instance for family chats, but noticed that "Limited" accounts can receive messages from external XMPP accounts just fine. Using a test account on xmpp.social the messages come through to the Snikket client with OMEMO encryption and are displayed, including images, followed by a message "Error: Communication with xmpp.social is not available". I have not tested voice or video chats.

Any attempt to add the external account to the "Limited" account's contact list fails with no error and the prompt "Contact added you to their contact list. Add to contacts?" remains on the screen. Any attempt to reply fails as shown in the image below, tapping the info symbol returns "There is no trusted device to send message to".

[image]

Given that limited accounts are supposed to be restricted to on-server communications, this is all a bit concerning. Could it please be investigated? Something that may be affecting this could be that I am running this server behind a reverse proxy as configured here. I don't know for a fact that this would make any difference, but it's a peculiarity of this server I thought should be mentioned.

andydvsn commented 5 days ago

Apologies, I'm an idiot and have just finished reading the User roles documentation page where it clearly states:

Caveats

The current support for limited users has some known issues. It is designed to prevent casual misuse of the server, but it is not intended to be a foolproof security measure. For example, limited users are still able to receive messages and contact requests from other servers, even though they cannot send them to other servers. It is expected that we will restrict incoming traffic for limited users in a future release, after further testing.

I don't know where this is on the priority list right now, but I'd personally like this to receive some attention as I'm far more concerned about incoming rather than outgoing messages for limited accounts.

mwild1 commented 5 days ago

I'm planning to tackle this in the next release, and have already made a start (internally transitioning the blocking mechanism to mod_firewall). However that work is incomplete.

As a side note, I'm not sure what your use case for limited accounts is exactly, but I use limited accounts for my children. As their addresses are not discoverable, there is basically no chance of receiving incoming traffic to those addresses from other servers - someone would have to first guess that the account(s) exist, and then correctly guess the address. Of course, it's not impossible if you have a common name, someone determines that you run Snikket and they want to attempt (one-way) contact. It's just extremely unlikely, which is why this hasn't been super top priority.
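As an added illustration of the approach mwild1 mentions (moving the blocking to mod_firewall), and not Snikket's own rule set or anything posted in this thread: a Prosody mod_firewall script that bounces stanzas arriving from other servers when they are addressed to a limited account. The domain snikket.example and the accounts alice and bob are assumptions for the example; Snikket keeps its real list of limited users in its own data, so a production rule would need to consult that rather than hard-code addresses. The rule syntax is mod_firewall's as documented for the module and should be checked against the version actually installed.

```text
# Hypothetical mod_firewall script (illustration only, not Snikket's code).
# Assumes the Snikket domain is snikket.example and that alice and bob are
# the "limited" accounts. A zone is a list of hosts, so a stanza ENTERING
# the zone has a from address outside it, i.e. it came from a remote server.
%ZONE snikket: snikket.example

# Stanzas addressed to local users pass through the deliver chain.
::deliver

# Remote -> alice: reject with a stanza error so the sender learns why.
ENTERING: snikket
TO: alice@snikket.example
BOUNCE=policy-violation (This account cannot receive messages from other servers)

# Remote -> bob: same policy. Conditions within a rule are ANDed, so each
# limited account needs its own rule (or a lookup against a list).
ENTERING: snikket
TO: bob@snikket.example
BOUNCE=policy-violation (This account cannot receive messages from other servers)
```

BOUNCE returns a policy-violation error to the remote sender; DROP would discard the stanza silently, which hides the block from the sender but also from anyone debugging it. Whether the deliver chain catches every path a remote stanza can take to the account (presence subscription requests as well as messages) is something to verify against the server, not assume from the rule text.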

andydvsn commented 5 days ago

Thanks, @mwild1! In fact the use case is identical, except with the accounts being on a domain which is a contraction of our surname the addresses in our case are eminently guessable. :)

I may reconsider having child accounts on the "main" server and set up something more obscure for the same purpose, at least until blocking is more robust. Great to know it's still on the table for the future though. 👍