From 8e1e62c9e010014cf0d46065de21c82a293cf9a1 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Tue, 21 Nov 2023 15:29:58 -0500 Subject: Update license headers --- synapse/rest/admin/users.py | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) (limited to 'synapse/rest/admin/users.py') diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py index 9900498fbe..c727d8526c 100644 --- a/synapse/rest/admin/users.py +++ b/synapse/rest/admin/users.py @@ -1,16 +1,22 @@ -# Copyright 2019 The Matrix.org Foundation C.I.C. # -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at +# This file is licensed under the Affero General Public License (AGPL) version 3. +# +# Copyright (C) 2023 New Vector, Ltd +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# See the GNU Affero General Public License for more details: +# . +# +# Originally licensed under the Apache License, Version 2.0: +# . +# +# [This file includes modifications made by New Vector Limited] # -# http://www.apache.org/licenses/LICENSE-2.0 # -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. import hashlib import hmac import logging -- cgit 1.5.1 From 14ed84ac333a7dd7223793bab53fd115ea24a149 Mon Sep 17 00:00:00 2001 
From: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com> Date: Tue, 2 Jan 2024 12:52:51 +0100 Subject: Enable user without password (#16770) Closes: - https://github.com/matrix-org/synapse/issues/10397 - #10397 An administrator should know whether he wants to set a password or not. There are many uses cases where a blank password is required. - Use of only some users with SSO. - Use of bots with password, users with SSO --- changelog.d/16770.bugfix | 1 + docs/admin_api/user_admin_api.md | 19 ++++++++++--------- synapse/rest/admin/users.py | 9 --------- tests/rest/admin/test_user.py | 31 +++++++++++++++++++++++-------- 4 files changed, 34 insertions(+), 26 deletions(-) create mode 100644 changelog.d/16770.bugfix (limited to 'synapse/rest/admin/users.py') diff --git a/changelog.d/16770.bugfix b/changelog.d/16770.bugfix new file mode 100644 index 0000000000..c02bd8510d --- /dev/null +++ b/changelog.d/16770.bugfix @@ -0,0 +1 @@ +Allow reactivate user without password with Admin API in some edge cases. diff --git a/docs/admin_api/user_admin_api.md b/docs/admin_api/user_admin_api.md index e8e492d095..9dc600b875 100644 --- a/docs/admin_api/user_admin_api.md +++ b/docs/admin_api/user_admin_api.md 
@@ -149,10 +149,11 @@ Body parameters: granting them access to the Admin API, among other things. - `deactivated` - **bool**, optional. If unspecified, deactivation state will be left unchanged. - Note: the `password` field must also be set if both of the following are true: - - `deactivated` is set to `false` and the user was previously deactivated (you are reactivating this user) - - Users are allowed to set their password on this homeserver (both `password_config.enabled` and - `password_config.localdb_enabled` config options are set to `true`). + Note: + - For the password field there is no strict check of the necessity for its presence. + It is possible to have active users without a password, e.g. when authenticating with OIDC is configured. + You must check yourself whether a password is required when reactivating a user or not. + - It is not possible to set a password if the config option `password_config.localdb_enabled` is set `false`. Users' passwords are wiped upon account deactivation, hence the need to set a new one here. Note: a user cannot be erased with this API. For more details on 
@@ -223,7 +224,7 @@ The following parameters should be set in the URL: **or** displaynames that contain this value. - `guests` - string representing a bool - Is optional and if `false` will **exclude** guest users. Defaults to `true` to include guest users. This parameter is not supported when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582) -- `admins` - Optional flag to filter admins. If `true`, only admins are queried. If `false`, admins are excluded from +- `admins` - Optional flag to filter admins. If `true`, only admins are queried. If `false`, admins are excluded from the query. When the flag is absent (the default), **both** admins and non-admins are included in the search results. - `deactivated` - string representing a bool - Is optional and if `true` will **include** deactivated users. Defaults to `false` to exclude deactivated users. @@ -272,7 +273,7 @@ The following fields are returned in the JSON response body: - `is_guest` - bool - Status if that user is a guest account. - `admin` - bool - Status if that user is a server administrator. - `user_type` - string - Type of the user. Normal users are type `None`. - This allows user type specific behaviour. There are also types `support` and `bot`. + This allows user type specific behaviour. There are also types `support` and `bot`. - `deactivated` - bool - Status if that user has been marked as deactivated. - `erased` - bool - Status if that user has been marked as erased. - `shadow_banned` - bool - Status if that user has been marked as shadow banned. @@ -887,7 +888,7 @@ The following fields are returned in the JSON response body: ### Create a device -Creates a new device for a specific `user_id` and `device_id`. Does nothing if the `device_id` +Creates a new device for a specific `user_id` and `device_id`. Does nothing if the `device_id` exists already. The API is: 
@@ -1254,11 +1255,11 @@ The following parameters should be set in the URL: ## Check username availability -Checks to see if a username is available, and valid, for the server. See [the client-server +Checks to see if a username is available, and valid, for the server. See [the client-server API](https://matrix.org/docs/spec/client_server/r0.6.0#get-matrix-client-r0-register-available) for more information. -This endpoint will work even if registration is disabled on the server, unlike +This endpoint will work even if registration is disabled on the server, unlike `/_matrix/client/r0/register/available`. The API is: diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py index 4059039bab..a31a268ccc 100644 --- a/synapse/rest/admin/users.py +++ b/synapse/rest/admin/users.py @@ -412,15 +412,6 @@ class UserRestServletV2(RestServlet): target_user.to_string(), False, requester, by_admin=True ) elif not deactivate and user["deactivated"]: - if ( - "password" not in body - and self.auth_handler.can_change_password() - ): - raise SynapseError( - HTTPStatus.BAD_REQUEST, - "Must provide a password to re-activate an account.", - ) - await self.deactivate_account_handler.activate_account( target_user.to_string() ) diff --git a/tests/rest/admin/test_user.py b/tests/rest/admin/test_user.py index 3caca98a35..04604bfc04 100644 --- a/tests/rest/admin/test_user.py +++ b/tests/rest/admin/test_user.py @@ -2747,7 +2747,7 @@ class UserRestTestCase(unittest.HomeserverTestCase): profile = self.get_success(self.store._get_user_in_directory(self.other_user)) self.assertIsNone(profile) - def test_reactivate_user(self) -> None: + def test_reactivate_user_with_password(self) -> None: """ Test reactivating another user. """ 
@@ -2755,21 +2755,36 @@ class UserRestTestCase(unittest.HomeserverTestCase): # Deactivate the user. self._deactivate_user("@user:test") - # Attempt to reactivate the user (without a password). + # Reactivate the user with password. channel = self.make_request( "PUT", self.url_other_user, access_token=self.admin_user_tok, - content={"deactivated": False}, + content={"deactivated": False, "password": "foo"}, ) - self.assertEqual(400, channel.code, msg=channel.json_body) + self.assertEqual(200, channel.code, msg=channel.json_body) + self.assertEqual("@user:test", channel.json_body["name"]) + self.assertFalse(channel.json_body["deactivated"]) + self._is_erased("@user:test", False) + + # This key was removed intentionally. Ensure it is not accidentally re-included. + self.assertNotIn("password_hash", channel.json_body) - # Reactivate the user. + def test_reactivate_user_without_password(self) -> None: + """ + Test reactivating another user without a password. + This can be using some local users and some user with SSO (password = `null`). + """ + + # Deactivate the user. + self._deactivate_user("@user:test") + + # Reactivate the user without a password. channel = self.make_request( "PUT", self.url_other_user, access_token=self.admin_user_tok, - content={"deactivated": False, "password": "foo"}, + content={"deactivated": False}, ) self.assertEqual(200, channel.code, msg=channel.json_body) self.assertEqual("@user:test", channel.json_body["name"]) @@ -2788,7 +2803,7 @@ class UserRestTestCase(unittest.HomeserverTestCase): # Deactivate the user. self._deactivate_user("@user:test") - # Reactivate the user with a password + # Reactivate the user with a password. channel = self.make_request( "PUT", self.url_other_user, 
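Review bot: `test_reactivate_user_without_password` asserts only the 200 status and the `name` field in the lines visible here (the test body continues past the hunk), so nothing pins that the reactivated account is left without a usable password. The same commit removes the "Must provide a password to re-activate an account." guard in `synapse/rest/admin/users.py`, so this test is the place to check that property: after the PUT, assert that a password login for `@user:test` with its pre-deactivation password is rejected. Above that assertion I would add `# Passwords are wiped on deactivation, so the reactivated account must not accept its old password.` The docstring sentence "This can be using some local users and some user with SSO" would read more clearly as "This is needed when some users log in locally and others only via SSO".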
@@ -2822,7 +2837,7 @@ class UserRestTestCase(unittest.HomeserverTestCase): # Deactivate the user. self._deactivate_user("@user:test") - # Reactivate the user with a password + # Reactivate the user with a password. channel = self.make_request( "PUT", self.url_other_user, -- cgit 1.5.1 From c7d0d02be7bf61e58388676e9e31b44004cbf257 Mon Sep 17 00:00:00 2001 From: Adam Jędrzejewski <59581316+adamjedrzejewski@users.noreply.github.com> Date: Thu, 4 Jan 2024 10:36:57 +0100 Subject: Search non ASCII display names using Admin API (#16767) Closes #16370 Signed-off-by: Adam Jedrzejewski --- changelog.d/16767.bugfix | 2 ++ synapse/rest/admin/users.py | 2 +- tests/rest/admin/test_user.py | 23 +++++++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 changelog.d/16767.bugfix (limited to 'synapse/rest/admin/users.py') diff --git a/changelog.d/16767.bugfix b/changelog.d/16767.bugfix new file mode 100644 index 0000000000..b1fa1285ef --- /dev/null +++ b/changelog.d/16767.bugfix @@ -0,0 +1,2 @@ +Fixed a bug that prevented users from being queried by display name if it contains non-ASCII characters. + diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py index a31a268ccc..ee73f0233d 100644 --- a/synapse/rest/admin/users.py +++ b/synapse/rest/admin/users.py @@ -107,7 +107,7 @@ class UsersRestServletV2(RestServlet): ) user_id = parse_string(request, "user_id") - name = parse_string(request, "name") + name = parse_string(request, "name", encoding="utf-8") guests = parse_boolean(request, "guests", default=True) if self._msc3861_enabled and guests: diff --git a/tests/rest/admin/test_user.py b/tests/rest/admin/test_user.py index 04604bfc04..61cbac2332 100644 --- a/tests/rest/admin/test_user.py +++ b/tests/rest/admin/test_user.py 
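Review bot: The `encoding="utf-8"` argument on the `name` lookup in `UsersRestServletV2` has no comment explaining why it differs from the `user_id` lookup on the line above, which keeps the parser's default. I would add `# Display names may contain any Unicode; parse_string defaults to ASCII decoding.` above it. A test for a `name` value whose percent-encoded bytes are not valid UTF-8 would also be worth adding, so the admin endpoint is known to answer with a client error rather than an unhandled exception; how `parse_string` reacts to that input is not visible in this hunk. The enclosing method starts and ends outside the hunk.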
@@ -1638,8 +1638,17 @@ class UserRestTestCase(unittest.HomeserverTestCase): ) ) + self.non_ascii_displayname = "ąćęłńóśżźäöüß中国日本" + self.non_ascii_user = self.register_user( + "nonascii", "nonascii", displayname=self.non_ascii_displayname + ) + self.url_prefix = "/_synapse/admin/v2/users/%s" self.url_other_user = self.url_prefix % self.other_user + self.url_non_ascii_user = ( + "/_synapse/admin/v2/users?name=%s" + % urllib.parse.quote(self.non_ascii_displayname) + ) def test_requester_is_no_admin(self) -> None: """ @@ -1790,6 +1799,20 @@ class UserRestTestCase(unittest.HomeserverTestCase): self.assertEqual("User", channel.json_body["displayname"]) self._check_fields(channel.json_body) + def test_get_user_nonascii_displayname(self) -> None: + """ + Test get user by non-ascii display name + """ + channel = self.make_request( + "GET", + self.url_non_ascii_user, + access_token=self.admin_user_tok, + ) + + users = {user["name"]: user for user in channel.json_body["users"]} + self.assertEqual(200, channel.code, msg=channel.json_body) + self.assertIn(self.non_ascii_user, users, channel.json_body["users"]) + def test_create_server_admin(self) -> None: """ Check that a new admin user is created successfully. -- cgit 1.5.1
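Review bot: In `test_get_user_nonascii_displayname` the `users = {...}` comprehension indexes `channel.json_body["users"]` before the status is checked, so a non-200 response surfaces as a `KeyError` instead of the assertion message that carries the error body. Move `self.assertEqual(200, channel.code, msg=channel.json_body)` above the `users = ...` line. The final `assertIn` would also pass if the `name` filter were ignored and every user were returned, so a stricter check such as `self.assertEqual([self.non_ascii_user], list(users))` would show that the non-ASCII term actually matched.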