I have Openfire running, and experience an issue where users can unsubscribe from another user's roster while roster sharing is enabled in a group (which should not be possible). This would not be a big issue; however, re-subscribing is impossible, even from the admin panel. To re-subscribe, I need to disable user roster sharing in the group settings and re-enable it. This is quite a major problem since users often don’t even realize they unsubscribed.
Steps to reproduce:
=Configuration=
- Create some users, add them to a group.
- Enable “Contact List (Roster) Sharing” for that group.
- Verify in the admin panel that all users have subscribed to each other.
- Install Blabber.im on a smartphone (Android client), log in to one of the group’s users.
=Trigger the issue=
- On Blabber.im, add a chat with one of the group’s users, remove checkmarks for “Send presence updates” and “Receive presence updates” under a contact’s properties (tap the username at the top of the chat window).
- Now, back in the Openfire admin panel, check the user roster. It will have subscriptions removed.
This subscription now can’t be enabled again, not from the Blabber.im client (it will report it is subscribed already), and not from the admin panel (it will throw an error). The only way to re-enable this subscription (AFAIK) is to toggle the roster sharing for the whole group.
The issue is quite severe, since users can’t see whether they unsubscribed since the client still reports it is subscribed, and if you accidentally remove a subscription you can’t enable it again (as a user) since it will report to be enabled anyway.
From my point of view, the best fix to avoid this issue would be to block client-side subscription editing for users that are in the same group with roster sharing enabled. This now seems to be broken. (The admin panel error is another issue, but IMO not as severe since shared rosters should not be editable anyway.)