Deny redaction of events in a different room.

We already correctly filter out such redactions, but we should also deny them over the CS API.
6 years ago · cf89266b98
parent 72167fb394
commit cf89266b98
1 changed files with 3 additions and 1 deletions
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@ -795,7 +795,6 @@ class EventCreationHandler(object):
                get_prev_content=False,
                allow_rejected=False,
                allow_none=True,
-                check_room_id=event.room_id,
            )

            # we can make some additional checks now if we have the original event.
@ -803,6 +802,9 @@ class EventCreationHandler(object):
                if original_event.type == EventTypes.Create:
                    raise AuthError(403, "Redacting create events is not permitted")

+                if original_event.room_id != event.room_id:
+                    raise SynapseError(400, "Cannot redact event from a different room")
+
            prev_state_ids = yield context.get_prev_state_ids(self.store)
            auth_events_ids = yield self.auth.compute_auth_events(
                event, prev_state_ids, for_verification=True