logbot and whisperbot can be invited by anyone, using their xmpp addresses, enabling write access to the server. Let's be careful with that.
Leaving some snippets from the conversation here:
> My first instinct is this is a bad idea to have out in the open like this.
> But yeah something with write access to the server should not be able to be invited this way by random people
> we can add a flag where you whitelist servers / rooms that the bot will join. Easy way to address it.
> nice promiscuous pipeline
Extending https://git.vvvvvvaria.org/decentral1se/xbotlib#invitations with whitelisting would be a good idea.
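
A sketch of the room/server allowlist check proposed in this thread, added here as an example and not taken from xbotlib or from the bots' code. The names `InvitePolicy`, `make_policy` and `accepted` are hypothetical, the JIDs are constructed samples, and lowercasing stands in for full JID normalisation.

```python
from dataclasses import dataclass

def split_bare_jid(jid):
    """Return (localpart, domain), lowercased, with any /resource dropped."""
    bare = jid.split("/", 1)[0].strip().lower()
    local, sep, domain = bare.rpartition("@")
    if not domain or (sep and not local):
        raise ValueError(f"malformed JID: {jid!r}")
    return local, domain

@dataclass(frozen=True)
class InvitePolicy:
    rooms: frozenset = frozenset()    # exact bare room JIDs
    servers: frozenset = frozenset()  # exact MUC service domains

    def allows(self, room_jid):
        """True only if the invite names an allowlisted room or server."""
        try:
            local, domain = split_bare_jid(room_jid)
        except ValueError:
            return False   # unparseable invite: fail closed
        if not local:
            return False   # a bare service domain is not a room
        # Exact set membership, so "muc.example.org.attacker.example"
        # can never match an entry for "muc.example.org".
        return f"{local}@{domain}" in self.rooms or domain in self.servers

def make_policy(rooms=(), servers=()):
    """Normalise configured entries once; an empty policy joins nothing."""
    norm_rooms = set()
    for entry in rooms:
        local, domain = split_bare_jid(entry)
        if not local:
            raise ValueError(f"room entry needs a localpart: {entry!r}")
        norm_rooms.add(f"{local}@{domain}")
    norm_servers = frozenset(s.strip().lower() for s in servers)
    return InvitePolicy(frozenset(norm_rooms), norm_servers)

def accepted(policy, invites):
    """Filter a list of invited room JIDs down to the ones the bot may join."""
    return [room for room in invites if policy.allows(room)]

if __name__ == "__main__":
    # Constructed sample values; none of these come from the issue.
    policy = make_policy(rooms=["logs@muc.example.org"],
                         servers=["conference.example.net"])
    for room in ["logs@muc.example.org/nick", "other@muc.example.org",
                 "any@conference.example.net",
                 "logs@muc.example.org.attacker.example"]:
        print(room, "->", "join" if policy.allows(room) else "ignore")
```

The check belongs in the bot's invitation handler, before any join call, so that a bot with no configured allowlist ignores every invite.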