Support for privacy lists - XEP-0016

Peter Rajcani
Added over 4 years ago

We have a requirement to restrict messaging only to an authorized group of users. I'd like to use privacy lists for this but I cannot find any documentation on how to create / maintain a privacy list. Is there an HTTP API for this? By searching the site I found out that Tigase server supports privacy lists (XEP-0016) but I could not find any more documentation on how these lists are supported.


Replies (11)

Added by Peter Rajcani over 4 years ago

I created the following privacy list to allow user1 and user2 and block test2:

<item type='jid'
      value='user1@Peters-MacBook-Pro.local'
      action='allow'
      order='1'/>
<item type='jid'
      value='user2@Peters-MacBook-Pro.local'
      action='allow'
      order='2'/>
<item type='jid'
      value='test2@Peters-MacBook-Pro.local'
      action='deny'
      order='3'/>

I can see the correct settings in PSI client under Modify Account -> Privacy -> Advanced, however the messages from test2 still reach test1 even though test1 has blocked test2. Is there any specific configuration setting to enable privacy lists?

Added by Andrzej Wójcik (Tigase Team) over 4 years ago

Peter Rajcani wrote:

We have a requirement to restrict messaging only to an authorized group of users. I'd like to use privacy lists for this but I cannot find any documentation on how to create / maintain a privacy list. Is there an HTTP API for this? By searching the site I found out that Tigase server supports privacy lists (XEP-0016) but I could not find any more documentation on how these lists are supported.

For now there is no support in HTTP API to modify privacy lists (XEP-0016) but it is possible to add this new feature to HTTP API.

Peter Rajcani wrote:

I created the following privacy list to allow user1 and user2 and block test2:

<item type='jid'
      value='user1@Peters-MacBook-Pro.local'
      action='allow'
      order='1'/>
<item type='jid'
      value='user2@Peters-MacBook-Pro.local'
      action='allow'
      order='2'/>
<item type='jid'
      value='test2@Peters-MacBook-Pro.local'
      action='deny'
      order='3'/>

I can see the correct settings in PSI client under Modify Account -> Privacy -> Advanced, however the messages from test2 still reach test1 even though test1 has blocked test2. Is there any specific configuration setting to enable privacy lists?

Support for privacy lists is enabled in Tigase XMPP Server by default; however, if you create a list manually (using an XMPP stanza) you need to remember to activate the privacy list to make it work. Only one privacy list may be active at a time. In your case you would need:

<iq type='set' id='active1'>
<query xmlns='jabber:iq:privacy'>
  <active name='public'/>
</query>
</iq>

Also, after reconnection the default privacy list is always activated; this default privacy list can also be changed.

This is described in XEP-0016 - 2.4 Managing the Active List and in XEP-0016 - 2.5 Managing the Default List.

Added by Peter Rajcani over 4 years ago

Thanks! I tried it - created a privacy list and activated it as you suggested:

However, I still see messages from test2 reaching test1:

test

Test user 2

In the privacy settings (PSI client) I see the list as active and test2 shows up as a blocked user.

Added by Peter Rajcani over 4 years ago

What is the best way to manage a privacy list? Are there ad-hoc commands that I can run from the shell or should I use stanzas?

Added by Andrzej Wójcik (Tigase Team) over 4 years ago

Right now, as far as I know, the only supported way is through stanzas, so for now there is no support for management of privacy lists using ad-hoc commands.

Added by Peter Rajcani over 4 years ago

Thanks! Our requirement is to only allow communication / messages for a group of users and block everyone outside the group. What is the best way to implement this? Do I need to list all blocked users or just list the users that are allowed to communicate? We will have millions of users so listing all denied users is impractical.

Added by Peter Rajcani over 4 years ago

Figured out why my privacy list did not work. The list was not created correctly. The correct stanza should be:

<query xmlns="jabber:iq:privacy">
    <list name="private_group">
        <item action="allow" order="1" type="jid" value="user1@Peters-MacBook-Pro.local"/>
        <item action="deny" order="2"/>
    </list>
</query>

Activate the newly created privacy list:

Now I do not see messages from test2 reaching test1 and I get 'service unavailable' error when test2 tries to send a message to test1 which is correct behavior. This also answers my question above.

Added by Andrzej Wójcik (Tigase Team) over 4 years ago

With privacy lists it is possible to block communication with listed users (what you tried in your example) or to block all communication between users with the exception of listed users (which is what I suppose you expect). To create a list in which you would block all communication with the exception of listed users you could use e.g. the following request:

<iq type="set" id="abe0a">
<query xmlns="jabber:iq:privacy">
<list name="blocked">
<item action="allow" order="100" type="jid" value="test1@Peters-MacBook-Pro.local"/>
<item action="deny" order="110"/>
</list>
</query>
</iq>

which will block all communications with the exception of test1@Peters-MacBook-Pro.local.

And about the issue with not blocking: I suppose it may be due to the fact that I see in stanzas that the domain part is lowercased while in the privacy list it is not lowercased, so it might be a possible cause of the issue.

Added by Peter Rajcani over 4 years ago

Thanks, the lowercase domain was the issue. Also, if a user has an 'allow' privacy list, then to receive PubSub notifications the pubsub component needs to be added to the privacy list:

<iq from='test1@peters-macbook-pro.local' type='set' id='001'>
     <query xmlns="jabber:iq:privacy">
          <list name="private">
                <item action="allow" order="1" type="jid" value="user1@peters-macbook-pro.local"/>
                <item action="allow" order="2" type="jid" value="user2@peters-macbook-pro.local"/>
                <item action="allow" order="3" type="jid" value="pubsub@peters-macbook-pro.local"/>
                <item action="deny" order="4"/>
          </list>
     </query>
</iq>

This privacy list allows messages between test1, user1 and user2 and allows pubsub notifications for test1.
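The three points made above, the allow-list that needs a closing unconditional deny, the mixed-case domain that stopped the list from matching, and the pubsub component that has to be allowed explicitly, all come down to how a server evaluates an XEP-0016 list against an incoming stanza. The following is an added example, not Tigase code and not code posted in this thread: it parses a list stanza of the shape shown above (the sample stanza is constructed here, with one item deliberately carrying the mixed-case domain), applies the items in order with the JID matching rules from XEP-0016, and models the active/default list behaviour across a reconnection that Andrzej describes. The `fold_case` switch is an assumption used to show both a conforming comparison (domainpart and localpart case-folded as RFC 6122/7622 require) and the byte-for-byte comparison that reproduces the symptom from the thread. Items of type `subscription` and `group` need roster data and are not modelled.

```python
# Added example (not Tigase code): evaluate an XEP-0016 privacy list the way a
# server does, including active/default list semantics across a reconnection.
import xml.etree.ElementTree as ET

NS = "{jabber:iq:privacy}"

# Constructed sample stanza mirroring the allow-list shape from the thread; the
# first item deliberately keeps the mixed-case domain that caused the mismatch.
LIST_STANZA = """<iq from='test1@peters-macbook-pro.local' type='set' id='001'>
  <query xmlns='jabber:iq:privacy'>
    <list name='private'>
      <item action='allow' order='1' type='jid' value='user1@Peters-MacBook-Pro.local'/>
      <item action='allow' order='2' type='jid' value='user2@peters-macbook-pro.local'/>
      <item action='allow' order='3' type='jid' value='pubsub@peters-macbook-pro.local'/>
      <item action='deny' order='4'/>
    </list>
  </query>
</iq>"""


def split_jid(jid, fold_case=True):
    """Split a JID into (localpart, domainpart, resourcepart); None for absent parts.
    RFC 6122/7622 case-fold localpart and domainpart, so a conforming comparison
    lowercases both. fold_case=False (assumption, for illustration) compares raw bytes."""
    bare, _, resource = jid.partition("/")
    local, sep, domain = bare.rpartition("@")
    if not sep:                      # bare domain such as 'peters-macbook-pro.local'
        local, domain = None, bare
    if fold_case:
        domain = domain.lower()
        local = local.lower() if local is not None else None
    return local, domain, resource or None


def parse_list(stanza_xml):
    """Return (list name, items sorted by 'order'), the order a server applies them in."""
    root = ET.fromstring(stanza_xml)
    lst = root.find(f".//{NS}list")
    items = []
    for el in lst.findall(f"{NS}item"):
        # Child elements <message/>, <presence-in/>, <presence-out/>, <iq/> restrict
        # the item to those stanza kinds; no children means it applies to all kinds.
        kinds = {child.tag[len(NS):] for child in el}
        items.append({"order": int(el.get("order")), "action": el.get("action"),
                      "type": el.get("type"), "value": el.get("value"), "kinds": kinds})
    items.sort(key=lambda i: i["order"])
    return lst.get("name"), items


def jid_matches(pattern, sender, fold_case=True):
    """XEP-0016 JID matching: user@domain/resource is exact, user@domain matches any
    resource, domain/resource is exact, and a bare domain matches any user and resource."""
    p_local, p_domain, p_res = split_jid(pattern, fold_case)
    s_local, s_domain, s_res = split_jid(sender, fold_case)
    if p_domain != s_domain:
        return False
    if p_local is not None and p_local != s_local:
        return False
    if p_res is not None and p_res != s_res:
        return False
    return True


def decide(items, sender, kind="message", fold_case=True):
    """Return 'allow' or 'deny' for a stanza of `kind` from `sender`. The first matching
    item wins; a stanza matched by no item is allowed, which is why the allow-lists in
    this thread end with an unconditional deny item."""
    for item in items:
        if item["kinds"] and kind not in item["kinds"]:
            continue
        if item["type"] is None:     # untyped item: matches everything (fall-through)
            return item["action"]
        if item["type"] == "jid" and jid_matches(item["value"], sender, fold_case):
            return item["action"]
        # 'subscription' and 'group' items need roster data; not modelled here.
    return "allow"


class PrivacyState:
    """Per-user store with the active/default semantics described in the thread: the
    active list is per session, and on reconnect the default list (if any) is activated."""
    def __init__(self):
        self.lists, self.default, self.active = {}, None, None

    def store(self, stanza_xml):
        name, items = parse_list(stanza_xml)
        self.lists[name] = items
        return name

    def set_active(self, name):      # <active name='...'/>; None declines any active list
        self.active = name

    def set_default(self, name):     # <default name='...'/>
        self.default = name

    def reconnect(self):             # new session: only the default list carries over
        self.active = self.default

    def decide(self, sender, kind="message", fold_case=True):
        return decide(self.lists.get(self.active, []), sender, kind, fold_case)


if __name__ == "__main__":
    state = PrivacyState()
    state.set_active(state.store(LIST_STANZA))
    for sender in ("user1@peters-macbook-pro.local/psi", "test2@peters-macbook-pro.local",
                   "pubsub@peters-macbook-pro.local"):
        print(f"{sender}: folded={state.decide(sender)} raw={state.decide(sender, fold_case=False)}")
    state.reconnect()
    print("after reconnect, no default set:", state.decide("test2@peters-macbook-pro.local"))
```

Run as a script, the `user1` sender is allowed under the case-folded comparison but denied under the raw comparison, because the mixed-case item never matches and the stanza falls through to the final deny item; `test2` is denied either way, and `pubsub` is allowed only because it has its own allow item. The last line shows the other trap from the thread: after a reconnection with no default list set there is no active list, so everything is allowed again until the client activates a list or a default is configured.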

Added by Igor Khomenko about 2 years ago

I had the same question and found a proper solution here.

One thing that still needs to be done to fully support it: we need to block the ability to work with the Privacy Lists API for regular users (only a super admin can whitelist users).

Is there any standard solution for this?

Or should we manually customize the Tigase Privacy Lists plugin?

Added by Wojciech Kapcia (Tigase Team) about 2 years ago

You can utilize Packet Filtering and per-user configuration.