Merge 44e4a81624 into 27756c9fdf

Use fewer "not"s
Lint
2024-06-30 10:13:29 +00:00 · 2024-06-27 19:27:10 +00:00 · 2024-06-27 15:26:52 -04:00 · 2024-06-27 15:25:54 -04:00 · 2024-06-27 15:18:57 -04:00
1 changed files with 6 additions and 4 deletions
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@ -808,12 +808,12 @@ def get_send_level(
 def _can_send_event(event: "EventBase", auth_events: StateMap["EventBase"]) -> bool:
    power_levels_event = get_power_level_event(auth_events)

-    uses_owned_state_events = event.room_version is RoomVersions.MSC3779v10
+    use_msc3779 = event.room_version is RoomVersions.MSC3779v10
    send_level = get_send_level(
        event.type,
        event.get("state_key"),
        power_levels_event,
-        event.user_id if uses_owned_state_events else None,
+        event.user_id if use_msc3779 else None,
    )
    user_level = get_user_power_level(event.user_id, auth_events)

@ -827,8 +827,10 @@ def _can_send_event(event: "EventBase", auth_events: StateMap["EventBase"]) -> b

    # Check state_key
    if hasattr(event, "state_key"):
-        if not uses_owned_state_events and event.state_key.startswith("@"):
-            if event.state_key != event.user_id:
+        if event.state_key.startswith("@"):
+            if event.state_key != event.user_id and not (
+                use_msc3779 and event.state_key.startswith(event.user_id + "_")
+            ):
                raise AuthError(403, "You are not allowed to set others state")

    return True
Author	SHA1	Message	Date
Andrew Ferrazzutti	8582f33d73	Merge `44e4a81624` into `27756c9fdf`	2024-06-27 19:27:10 +00:00
Andrew Ferrazzutti	44e4a81624	Use fewer "not"s	2024-06-27 15:26:52 -04:00
Andrew Ferrazzutti	c8aae9832c	Lint	2024-06-27 15:25:54 -04:00
Andrew Ferrazzutti	a949455520	Properly forbid setting other users' state	2024-06-27 15:18:57 -04:00