From 512993b57f3755d4416002667bc6a568fa6c3334 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Wed, 19 Nov 2014 17:21:40 +0000
Subject: [PATCH] Only users can set state events which have their own user_id

---
 synapse/api/auth.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1a8785e890..6d8a9e4df7 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -446,6 +446,26 @@ class Auth(object):
 "user_level (%d) < send_level (%d)" % (user_level, send_level)
 )

+ # Check state_key
+ if hasattr(event, "state_key"):
+ if not event.state_key.startswith("_"):
+ if event.state_key.startswith("@"):
+ if event.state_key != event.user_id:
+ raise AuthError(
+ 403,
+ "You are not allowed to set others state"
+ )
+ else:
+ sender_domain = self.hs.parse_userid(
+ event.user_id
+ ).domain
+
+ if sender_domain != event.state_key:
+ raise AuthError(
+ 403,
+ "You are not allowed to set others state"
+ )
+
 return True

 def _check_redaction(self, event):
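Review bot: The `else` branch applies the sender-domain comparison to every `state_key` that does not start with `_` or `@`, which includes the empty string, so an event with `state_key == ""` is rejected with 403 unless the sender's domain is also empty. If empty keys are meant to stay governed only by the power-level check just above, guard the block with `if event.state_key and not event.state_key.startswith("_"):` and add a comment naming which key classes are restricted and why. `hasattr` alone also lets a non-string `state_key` reach `.startswith`, which would surface as `AttributeError` rather than `AuthError`; a type check that raises `AuthError` would keep the rejection on the auth path. The `@` branch compares against `event.user_id` for every event type, so it is worth confirming that events whose `state_key` legitimately names another user are handled before this point; the enclosing method starts outside the hunk, so that cannot be verified from here.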