History is available from a deleted room if a new room has the same name

Using Openfire 4.7 and the monitor plugin and having rooms configured to be permanent with history.

Archive History is available from a deleted room if a new room is created with the same name.

This affects all rooms but is problematic for secure rooms, i.e. password-protected rooms.

Delete a password-protected room and create a room with the same name, but do not make it password protected.

A chat user can enter the new room and search for the chat history of the room without having had the permissions.

Has anybody any comments on this?

Hi Anno!

This is known behavior, which indeed is undesirable in many cases (especially in the context of the example that you provide). This bug was raised for the issue (with some additional comments on log compliancy requirements). Improvements are certainly desirable, possibly in the form of a configuration that allows an administrator to

  • prevent re-use of the name (adding a tombstone)
  • clean up all data of the room upon its deletion
  • … ?
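
A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not Openfire or Monitoring plugin code). It assumes the archive is keyed by room name only; the class, the `on_delete` policies `purge` and `tombstone`, and the sample message are hypothetical stand-ins for the two configuration ideas listed above.

```python
class NameRetired(Exception):
    """Raised when a deleted room's name is tombstoned and cannot be reused."""

class ToyMucService:
    def __init__(self, on_delete="keep"):  # "keep" | "purge" | "tombstone"
        self.on_delete = on_delete
        self.rooms = {}          # room name -> password (None = open room)
        self.archive = {}        # room name -> archived message bodies
        self.tombstones = set()  # names retired by the "tombstone" policy

    def create_room(self, name, password=None):
        if name in self.tombstones:
            raise NameRetired(name)
        self.rooms[name] = password
        # An archive left behind under this name is silently reattached.
        self.archive.setdefault(name, [])

    def _authorize(self, name, password):
        if self.rooms[name] is not None and self.rooms[name] != password:
            raise PermissionError("wrong room password")

    def post(self, name, body, password=None):
        self._authorize(name, password)
        self.archive[name].append(body)

    def search_history(self, name, password=None):
        self._authorize(name, password)  # only the *current* room is checked
        return list(self.archive[name])

    def delete_room(self, name):
        del self.rooms[name]
        if self.on_delete == "purge":
            del self.archive[name]     # all room data removed on deletion
        elif self.on_delete == "tombstone":
            self.tombstones.add(name)  # archive kept for audit, name never reissued

def replay_thread_scenario(on_delete):
    """Replay the steps from the question; return what an outsider can read."""
    svc = ToyMucService(on_delete)
    svc.create_room("board", password="s3cret")
    svc.post("board", "constructed confidential message", password="s3cret")
    svc.delete_room("board")
    try:
        svc.create_room("board")       # same name, no password this time
    except NameRetired:
        return None                    # name reuse refused
    return svc.search_history("board") # user who never knew the password
```

The tombstone variant keeps the archived data, which matters where log retention is a requirement, while the purge variant trades that retention for a clean slate.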