Diffstat (limited to '')
-rw-r--r--changelog.d/18508.bugfix1
-rw-r--r--synapse/storage/databases/main/account_data.py4
-rw-r--r--tests/storage/test_account_data.py15
3 files changed, 20 insertions, 0 deletions
diff --git a/changelog.d/18508.bugfix b/changelog.d/18508.bugfix
new file mode 100644

index 0000000000..e8d5228ac1
--- /dev/null
+++ b/changelog.d/18508.bugfix
@@ -0,0 +1 @@
+Prevent users from adding themselves to their own ignore list.
diff --git a/synapse/storage/databases/main/account_data.py b/synapse/storage/databases/main/account_data.py
index d26de1ad16..715815cc09 100644
--- a/synapse/storage/databases/main/account_data.py
+++ b/synapse/storage/databases/main/account_data.py
@@ -34,6 +34,7 @@ from typing import ( ) from synapse.api.constants import AccountDataTypes +from synapse.api.errors import Codes, SynapseError from synapse.replication.tcp.streams import AccountDataStream from synapse.storage._base import db_to_json from synapse.storage.database import ( @@ -780,6 +781,9 @@ class AccountDataWorkerStore(PushRulesWorkerStore, CacheInvalidationWorkerStore) else: currently_ignored_users = set() + if user_id in currently_ignored_users: + raise SynapseError(400, "You cannot ignore yourself", Codes.INVALID_PARAM) + # If the data has not changed, nothing to do. if previously_ignored_users == currently_ignored_users: return diff --git a/tests/storage/test_account_data.py b/tests/storage/test_account_data.py
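Review bot: The new guard at `if user_id in currently_ignored_users:` rejects only new writes, so an account that stored itself in its own ignore list before this change keeps that entry, and nothing visible here cleans it up. If readers of the ignore list assume a user never appears in their own list, that presumably needs a cleanup step or a read-side filter elsewhere. The check also lives in the storage layer, so every caller of this store method, not only the client API, can now receive a `SynapseError`; I would record that in the method's docstring, e.g. `Raises: SynapseError (400, INVALID_PARAM) if the ignored user list contains user_id itself.` The enclosing method starts and ends outside the hunk, so whether the raise happens before the account-data row itself is written cannot be confirmed from these lines.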
index 2859bcf4bd..0e52dd26ce 100644
--- a/tests/storage/test_account_data.py
+++ b/tests/storage/test_account_data.py
@@ -24,6 +24,7 @@ from typing import Iterable, Optional, Set from twisted.test.proto_helpers import MemoryReactor from synapse.api.constants import AccountDataTypes +from synapse.api.errors import Codes, SynapseError from synapse.server import HomeServer from synapse.util import Clock @@ -93,6 +94,20 @@ class IgnoredUsersTestCase(unittest.HomeserverTestCase): # Check the removed user. self.assert_ignorers("@another:remote", {self.user}) + def test_ignoring_self_fails(self) -> None: + """Ensure users cannot add themselves to the ignored list.""" + + f = self.get_failure( + self.store.add_account_data_for_user( + self.user, + AccountDataTypes.IGNORED_USER_LIST, + {"ignored_users": {self.user: {}}}, + ), + SynapseError, + ).value + self.assertEqual(f.code, 400) + self.assertEqual(f.errcode, Codes.INVALID_PARAM) + def test_caching(self) -> None: """Ensure that caching works properly between different users.""" # The first user ignores a user.
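Review bot: `test_ignoring_self_fails` pins the error code but not the stored state, so a regression that raises only after persisting the list would still pass. After the two `assertEqual` calls I would add `self.assert_ignorers(self.user, set())` to confirm the rejected request left no ignorer row behind. A second case where the submitted list mixes the user's own ID with another user's would also show that the whole update is refused rather than partially applied.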