Only allow people to set the alias list for their own domain.

2024-06-30 19:33:30 +00:00 · 2015-09-01 15:51:43 +01:00 · 2015-09-01 15:51:43 +01:00 · 530896d9d2
parent 24a5a8a118
commit 530896d9d2
1 changed files with 6 additions and 1 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -83,7 +83,12 @@ class Auth(object):

            # FIXME: Temp hack
            if event.type == EventTypes.Aliases:
-                return True
+                alias_domain = UserID.from_string(event.state_key).domain
+                if alias_domain != originating_domain:
+                    raise AuthError(
+                        403,
+                        "Can only set aliases for own domain"
+                    )

            logger.debug(
                "Auth events: %s",