watcha
/
watcha-synapse
mirror of https://github.com/watcha-fr/synapse
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels

Browse Source
pull/4/merge
Erik Johnston 11 years ago
parent 9dd4570b68
commit 480438eee6
1 changed files with 37 additions and 10 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 47
      synapse/api/auth.py

47
synapse/api/auth.py
Unescape View File

@ -18,7 +18,7 @@
from twisted.internet import defer
from synapse.api.constants import Membership, JoinRules
from synapse.api.errors import AuthError, StoreError, Codes
from synapse.api.errors import AuthError, StoreError, Codes, SynapseError
from synapse.api.events.room import RoomMemberEvent, RoomPowerLevelsEvent
from synapse.util.logutils import log_function
@ -308,7 +308,9 @@ class Auth(object):
else:
user_level = 0
logger.debug("Checking power level for %s, %s", event.user_id, user_level)
logger.debug(
"Checking power level for %s, %s", event.user_id, user_level
)
if current_state and hasattr(current_state, "required_power_level"):
req = current_state.required_power_level
@ -321,6 +323,24 @@ class Auth(object):
@defer.inlineCallbacks
def _check_power_levels(self, event):
for k, v in event.content.items():
if k == "default":
continue
# FIXME (erikj): We don't want hsob_Ts in content.
if k == "hsob_ts":
continue
try:
self.hs.parse_userid(k)
except:
raise SynapseError(400, "Not a valid user_id: %s" % (k,))
try:
int(v)
except:
raise SynapseError(400, "Not a valid power level: %s" % (v,))
current_state = yield self.store.get_current_state(
event.room_id,
event.type,
@ -346,7 +366,10 @@ class Auth(object):
# FIXME (erikj)
old_people = {k: v for k, v in old_list.items() if k.startswith("@")}
new_people = {k: v for k, v in event.content.items() if k.startswith("@")}
new_people = {
k: v for k, v in event.content.items()
if k.startswith("@")
}
removed = set(old_people.keys()) - set(new_people.keys())
added = set(old_people.keys()) - set(new_people.keys())
@ -356,22 +379,24 @@ class Auth(object):
if int(old_list.content[r]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
"You don't have permission to remove user: %s" % (r, )
)
for n in new_people:
for n in added:
if int(event.content[n]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
"You don't have permission to add ops level greater "
"than your own"
)
for s in same:
if int(event.content[s]) != int(old_list[s]):
if int(old_list[s]) > user_level:
if int(event.content[s]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
"You don't have permission to add ops level greater "
"than your own"
)
if "default" in old_list:
@ -380,7 +405,8 @@ class Auth(object):
if old_default > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
"You don't have permission to add ops level greater than "
"your own"
)
if "default" in event.content:
@ -389,5 +415,6 @@ class Auth(object):
if new_default > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
"You don't have permission to add ops level greater "
"than your own"
)

Write Preview
Loading…
Cancel
Save