From 530896d9d224a5a9c43b7fe0af1f9280e2eb8ee5 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Tue, 1 Sep 2015 15:51:43 +0100
Subject: Only allow people to set the alias list for their own domain.
---
 synapse/api/auth.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index f8ac9d2495..81012f99c1 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -83,7 +83,12 @@ class Auth(object):
 # FIXME: Temp hack
 if event.type == EventTypes.Aliases:
- return True
+ alias_domain = UserID.from_string(event.state_key).domain
+ if alias_domain != originating_domain:
+ raise AuthError(
+ 403,
+ "Can only set aliases for own domain"
+ )
 logger.debug(
 "Auth events: %s",
-- cgit 1.5.1
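Review bot: The state_key of an m.room.aliases event is, per the Matrix event format, a bare server name rather than a user ID, so deriving the domain with `UserID.from_string(event.state_key).domain` in the added block looks wrong: if that parser insists on the `@` sigil the check will fail with a 400 before any domain comparison happens, and if it parses leniently `.domain` may not be the value intended. Comparing the raw state_key directly, `if event.state_key != originating_domain:`, expresses the rule without the detour through a user-ID parser. `originating_domain` is assigned outside the hunk, so its derivation (presumably from `event.sender`) is inferred rather than visible, and the enclosing method continues past the hunk. Note also that with `return True` gone, an alias event whose domain matches now falls through into the general auth checks below; if that is the intent, a comment such as `# Matching alias events still go through the regular checks below` would make it explicit.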