authorAndreas Köhler <andreas.koehler@1und1.de>2010-11-05 15:44:22 +0100
committerBadlop <badlop@process-one.net>2010-11-10 15:40:01 +0100
commit510fd8cf73f220720827bf72a973813f1f4252ba (patch)
treea2bbb7f9a63a562cfec07353b697a7505adf9d99
parentRemove dead code for NS_VCARD iq packets from ejabberd_c2s (diff)
Before forwarding last activity requests to a user, check that the user's presence is visible for From
According to XEP-0012, 4. Online User Query, "if the requesting entity is not authorized to view the user's presence information (normally via a presence subscription as defined in XMPP IM), the user's server MUST NOT deliver the IQ-get to an available resource but instead MUST return a <forbidden/> error in response to the last activity request." So check for a "from" subscription of the full JID and the bare JID, and whether outgoing presence to From is allowed. Fixes problem 3 of EJAB-1158.
-rw-r--r--src/ejabberd_c2s.erl18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 4bbc6b481..c27baf81c 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -1246,6 +1246,24 @@ handle_info({route, From, To, Packet}, StateName, StateData) ->
"iq" ->
IQ = jlib:iq_query_info(Packet),
case IQ of
+ #iq{xmlns = ?NS_LAST} ->
+ LFrom = jlib:jid_tolower(From),
+ LBFrom = jlib:jid_remove_resource(LFrom),
+ HasFromSub = (?SETS:is_element(LFrom, StateData#state.pres_f) orelse ?SETS:is_element(LBFrom, StateData#state.pres_f))
+ andalso is_privacy_allow(StateData, To, From, {xmlelement, "presence", [], []}, out),
+ case HasFromSub of
+ true ->
+ case privacy_check_packet(StateData, From, To, Packet, in) of
+ allow ->
+ {true, Attrs, StateData};
+ deny ->
+ {false, Attrs, StateData}
+ end;
+ _ ->
+ Err = jlib:make_error_reply(Packet, ?ERR_FORBIDDEN),
+ ejabberd_router:route(To, From, Err),
+ {false, Attrs, StateData}
+ end;
IQ when (is_record(IQ, iq)) or (IQ == reply) ->
case privacy_check_packet(StateData, From, To, Packet, in) of
allow ->
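Review bot: In the new `#iq{xmlns = ?NS_LAST}` clause the inner `deny ->` branch returns `{false, Attrs, StateData}` without routing any reply, so a subscribed requester who is blocked by the inbound privacy list gets no answer to an IQ request, while an unsubscribed one gets `<forbidden/>`. XEP-0016 asks for a `<service-unavailable/>` error when a get or set IQ is blocked, so the branch could run `Err = jlib:make_error_reply(Packet, ?ERR_SERVICE_UNAVAILABLE), ejabberd_router:route(To, From, Err),` before returning, given that an `#iq{}` result from `jlib:iq_query_info/1` appears to mean the stanza is a request rather than a reply. The outer `_ ->` would read more precisely as `false ->`, since `HasFromSub` comes from `orelse`/`andalso`; if the catch-all is kept on purpose so that any unexpected value fails closed with `<forbidden/>`, a comment should say so. A one-line comment above `HasFromSub`, such as `%% XEP-0012 4: From must hold a "from" subscription and must not be blocked for outbound presence (probed with an empty <presence/>)`, would explain the synthetic element passed to `is_privacy_allow`. `handle_info/3` starts before and continues after this hunk, so whether the generic `iq` clause that follows treats `deny` the same way is not visible here.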