Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 8c205e5

Browse files
committed
Validate that the app service can actually control the given user
See #10276 (comment) Conflicts: synapse/rest/client/v1/room.py
1 parent b703962 commit 8c205e5

File tree

1 file changed

+47
-7
lines changed

1 file changed

+47
-7
lines changed

synapse/rest/client/v1/room.py

Lines changed: 47 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,9 @@
2929
SynapseError,
3030
)
3131
from synapse.api.filtering import Filter
32+
33+
34+
from synapse.appservice import ApplicationService
3235
from synapse.events.utils import format_event_for_client_v2
3336
from synapse.http.servlet import (
3437
RestServlet,
@@ -47,6 +50,7 @@
4750
from synapse.streams.config import PaginationConfig
4851
from synapse.types import (
4952
JsonDict,
53+
Requester,
5054
RoomAlias,
5155
RoomID,
5256
StreamToken,
@@ -379,6 +383,35 @@ def _create_insertion_event_dict(
379383

380384
return insertion_event
381385

386+
async def _create_requester_from_app_service(
387+
self, user_id: str, app_service: ApplicationService
388+
) -> Requester:
389+
"""Creates a new requester for the given user_id
390+
and validates that the app service is allowed to control
391+
the given user.
392+
393+
Args:
394+
user_id: The author MXID that the app service is controlling
395+
app_service: The app service that controls the user
396+
397+
Returns:
398+
Requester object
399+
"""
400+
401+
if app_service.sender == user_id:
402+
pass
403+
elif not app_service.is_interested_in_user(user_id):
404+
raise AuthError(
405+
403,
406+
"Application service cannot masquerade as this user (%s)." % user_id,
407+
)
408+
elif not (await self.store.get_user_by_id(user_id)):
409+
raise AuthError(
410+
403, "Application service has not registered this user (%s)" % user_id
411+
)
412+
413+
return create_requester(user_id, app_service=app_service)
414+
382415
async def on_POST(self, request, room_id):
383416
requester = await self.auth.get_user_by_req(request, allow_guest=False)
384417

@@ -444,8 +477,8 @@ async def on_POST(self, request, room_id):
444477
if event_dict["type"] == EventTypes.Member:
445478
membership = event_dict["content"].get("membership", None)
446479
event_id, _ = await self.room_member_handler.update_membership(
447-
create_requester(
448-
state_event["sender"], app_service=requester.app_service
480+
await self._create_requester_from_app_service(
481+
state_event["sender"], requester.app_service
449482
),
450483
target=UserID.from_string(event_dict["state_key"]),
451484
room_id=room_id,
@@ -466,8 +499,8 @@ async def on_POST(self, request, room_id):
466499
event,
467500
_,
468501
) = await self.event_creation_handler.create_and_send_nonmember_event(
469-
create_requester(
470-
state_event["sender"], app_service=requester.app_service
502+
await self._create_requester_from_app_service(
503+
state_event["sender"], requester.app_service
471504
),
472505
event_dict,
473506
outlier=True,
@@ -516,7 +549,10 @@ async def on_POST(self, request, room_id):
516549
base_insertion_event,
517550
_,
518551
) = await self.event_creation_handler.create_and_send_nonmember_event(
519-
requester,
552+
await self._create_requester_from_app_service(
553+
base_insertion_event_dict["sender"],
554+
requester.app_service,
555+
),
520556
base_insertion_event_dict,
521557
prev_event_ids=base_insertion_event_dict.get("prev_events"),
522558
auth_event_ids=auth_event_ids,
@@ -565,7 +601,9 @@ async def on_POST(self, request, room_id):
565601
}
566602

567603
event, context = await self.event_creation_handler.create_event(
568-
create_requester(ev["sender"], app_service=requester.app_service),
604+
await self._create_requester_from_app_service(
605+
ev["sender"], requester.app_service
606+
),
569607
event_dict,
570608
prev_event_ids=event_dict.get("prev_events"),
571609
auth_event_ids=auth_event_ids,
@@ -595,7 +633,9 @@ async def on_POST(self, request, room_id):
595633
# where topological_ordering is just depth.
596634
for (event, context) in reversed(events_to_persist):
597635
ev = await self.event_creation_handler.handle_new_client_event(
598-
create_requester(event["sender"], app_service=requester.app_service),
636+
await self._create_requester_from_app_service(
637+
event["sender"], requester.app_service
638+
),
599639
event=event,
600640
context=context,
601641
)

0 commit comments

Comments
 (0)