wip access rules modification
This commit is contained in:
parent
2cc498ed6d
commit
f06bd7fd00
3 changed files with 23 additions and 9 deletions
|
@ -89,6 +89,9 @@ class Auth:
|
||||||
auth_events = await self.store.get_events(auth_events_ids)
|
auth_events = await self.store.get_events(auth_events_ids)
|
||||||
auth_events = {(e.type, e.state_key): e for e in auth_events.values()}
|
auth_events = {(e.type, e.state_key): e for e in auth_events.values()}
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# Would need to thread original_event everywhere we call event_auth.check
|
||||||
|
# Ask in #synapse-dev about this first...
|
||||||
room_version_obj = KNOWN_ROOM_VERSIONS[room_version]
|
room_version_obj = KNOWN_ROOM_VERSIONS[room_version]
|
||||||
event_auth.check(
|
event_auth.check(
|
||||||
room_version_obj, event, auth_events=auth_events, do_sig_check=do_sig_check
|
room_version_obj, event, auth_events=auth_events, do_sig_check=do_sig_check
|
||||||
|
|
|
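Review bot: The three comment lines added above `room_version_obj = KNOWN_ROOM_VERSIONS[room_version]` record the blocker (threading `original_event` through every `event_auth.check` call) but not the decision to be made, and a pointer to a chat channel will not be actionable once that conversation is gone. Suggest stating the options in the comment itself, e.g. `# TODO: event_auth.check has no original_event (check_redaction now requires one); either give check() an optional original_event=None or look the redacted event up here — decision pending.` The enclosing method of `Auth` starts before this hunk.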
@ -161,6 +161,7 @@ def check(
|
||||||
if logger.isEnabledFor(logging.DEBUG):
|
if logger.isEnabledFor(logging.DEBUG):
|
||||||
logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()])
|
logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()])
|
||||||
|
|
||||||
|
# 5. If type if m.room.membership
|
||||||
if event.type == EventTypes.Member:
|
if event.type == EventTypes.Member:
|
||||||
_is_membership_change_allowed(event, auth_events)
|
_is_membership_change_allowed(event, auth_events)
|
||||||
logger.debug("Allowing! %s", event)
|
logger.debug("Allowing! %s", event)
|
||||||
|
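Review bot: The added comment `# 5. If type if m.room.membership` reads as a typo for `# 5. If type is m.room.membership`; since the numbering presumably mirrors an external rule list, the comment is the only place a reader will look for that mapping, so it is worth getting the wording right. `check` continues outside this hunk.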
@ -267,7 +268,6 @@ def _is_membership_change_allowed(
|
||||||
|
|
||||||
# FIXME (erikj): What should we do here as the default?
|
# FIXME (erikj): What should we do here as the default?
|
||||||
ban_level = _get_named_level(auth_events, "ban", 50)
|
ban_level = _get_named_level(auth_events, "ban", 50)
|
||||||
knock_level = _get_named_level(auth_events, "knock", 0)
|
|
||||||
|
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"_is_membership_change_allowed: %s",
|
"_is_membership_change_allowed: %s",
|
||||||
|
@ -345,13 +345,14 @@ def _is_membership_change_allowed(
|
||||||
if user_level < ban_level or user_level <= target_level:
|
if user_level < ban_level or user_level <= target_level:
|
||||||
raise AuthError(403, "You don't have permission to ban")
|
raise AuthError(403, "You don't have permission to ban")
|
||||||
elif Membership.KNOCK == membership:
|
elif Membership.KNOCK == membership:
|
||||||
# check that we have the leave event
|
if join_rule != JoinRules.KNOCK:
|
||||||
if target and target.membership != Membership.LEAVE:
|
|
||||||
raise AuthError(403, "You don't have permission to knock")
|
|
||||||
elif join_rule != JoinRules.INVITE:
|
|
||||||
raise AuthError(403, "You don't have permission to knock")
|
|
||||||
elif user_level < knock_level:
|
|
||||||
raise AuthError(403, "You don't have permission to knock")
|
raise AuthError(403, "You don't have permission to knock")
|
||||||
|
elif target_user_id != event.user_id:
|
||||||
|
raise AuthError(403, "You cannot knock for other users")
|
||||||
|
elif target_in_room:
|
||||||
|
raise AuthError(403, "You cannot knock on a room you are already in")
|
||||||
|
elif target_banned:
|
||||||
|
raise AuthError(403, "You are banned from this room")
|
||||||
else:
|
else:
|
||||||
raise AuthError(500, "Unknown membership %s" % membership)
|
raise AuthError(500, "Unknown membership %s" % membership)
|
||||||
|
|
||||||
|
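Review bot: The rewritten knock branch starting at `if join_rule != JoinRules.KNOCK:` no longer requires the sender's prior membership to be `LEAVE` and no longer compares `user_level` against `knock_level` (whose lookup is deleted in the hunk at `@ -267,7 +268,6`); it relies on `target_in_room` and `target_banned` instead, both defined above this hunk. If `target_in_room` only covers a JOIN membership, a sender who currently holds an invite can still knock; if the rule being implemented also rejects that state, an explicit `elif target and target.membership == Membership.INVITE: raise AuthError(403, "You cannot knock on a room you are invited to")` is missing. Either way, a one-line comment on the branch naming the rule it implements would make the intended state set auditable. `_is_membership_change_allowed` starts before this hunk.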
@ -432,7 +433,10 @@ def _can_send_event(event: EventBase, auth_events: StateMap[EventBase]) -> bool:
|
||||||
|
|
||||||
|
|
||||||
def check_redaction(
|
def check_redaction(
|
||||||
room_version_obj: RoomVersion, event: EventBase, auth_events: StateMap[EventBase],
|
room_version_obj: RoomVersion,
|
||||||
|
event: EventBase,
|
||||||
|
auth_events: StateMap[EventBase],
|
||||||
|
original_event: EventBase,
|
||||||
) -> bool:
|
) -> bool:
|
||||||
"""Check whether the event sender is allowed to redact the target event.
|
"""Check whether the event sender is allowed to redact the target event.
|
||||||
|
|
||||||
|
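Review bot: The new required positional parameter `original_event: EventBase,` is not documented in the docstring that begins `"""Check whether the event sender is allowed to redact the target event.`; add an entry such as `original_event: the target event (the one ``event.redacts`` points at), which the caller must already have fetched.` Because the parameter is required, every caller of `check_redaction` must be updated; the hunk at `@ -1116,7 +1116,7` updates one call site, and any others cannot be verified from this page. The rest of the docstring and body continue outside this hunk.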
@ -464,6 +468,13 @@ def check_redaction(
|
||||||
event.internal_metadata.recheck_redaction = True
|
event.internal_metadata.recheck_redaction = True
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
if (
|
||||||
|
original_event.type == EventTypes.Member
|
||||||
|
and original_event.content
|
||||||
|
and original_event.content.get("membership", None) == Membership.KNOCK
|
||||||
|
):
|
||||||
|
raise AuthError(403, "It is not possible to redact knocks")
|
||||||
|
|
||||||
raise AuthError(403, "You don't have permission to redact events")
|
raise AuthError(403, "You don't have permission to redact events")
|
||||||
|
|
||||||
|
|
||||||
|
|
|
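Review bot: The new guard `if (original_event.type == EventTypes.Member ...` is placed directly after `return True`, so it is only reached on the path that falls through to the final `raise AuthError(403, "You don't have permission to redact events")`; the branch that sets `event.internal_metadata.recheck_redaction = True` returns before it, and any earlier return above this hunk does too, so on those paths a knock remains redactable. If knocks must never be redacted, the guard belongs at the top of `check_redaction`, before the first return, rather than here. The guard also dereferences `original_event.type` with no handling for `None`, which is consistent with the `EventBase` annotation but makes every caller responsible for never passing `None`. A minor style point: `.get("membership", None)` can be `.get("membership")`. `check_redaction` starts before this hunk.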
@ -1116,7 +1116,7 @@ class EventCreationHandler:
|
||||||
room_version_obj = KNOWN_ROOM_VERSIONS[room_version]
|
room_version_obj = KNOWN_ROOM_VERSIONS[room_version]
|
||||||
|
|
||||||
if event_auth.check_redaction(
|
if event_auth.check_redaction(
|
||||||
room_version_obj, event, auth_events=auth_events
|
room_version_obj, event, auth_events=auth_events, original_event=original_event
|
||||||
):
|
):
|
||||||
# this user doesn't have 'redact' rights, so we need to do some more
|
# this user doesn't have 'redact' rights, so we need to do some more
|
||||||
# checks on the original event. Let's start by checking the original
|
# checks on the original event. Let's start by checking the original
|
||||||
|
|
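Review bot: The changed call now passes `original_event=original_event`, and `check_redaction` reads `original_event.type` unconditionally, so this call site must guarantee the value is never `None`; the lookup that produces it is above this hunk, and if it can yield `None` (not visible here) a redaction of an unknown event would surface as an `AttributeError` instead of the 403 the surrounding code expects. A guard before the call, `if original_event is None: raise AuthError(403, "Cannot redact an event that does not exist")`, or an `EventBase | None` parameter in the callee, would close that. The changed line is also likely past the project's line-length limit; wrapping the arguments one per line would match the multi-line style the commit uses for `check_redaction`'s own signature. The enclosing method of `EventCreationHandler` starts before this hunk.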