From f93cb7410d7c8d6c708f7edf8c8fb545fa55406d Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Thu, 3 May 2018 01:29:04 +0100 Subject: options to disable setting profile info --- synapse/config/registration.py | 12 ++++++++++++ synapse/handlers/profile.py | 10 ++++++++++ 2 files changed, 22 insertions(+) (limited to 'synapse') diff --git a/synapse/config/registration.py b/synapse/config/registration.py index 34326718ad..cbc1d3d00e 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -49,6 +49,9 @@ class RegistrationConfig(Config): self.auto_join_rooms = config.get("auto_join_rooms", []) + self.disable_set_displayname = config.get("disable_set_displayname", False) + self.disable_set_avatar_url = config.get("disable_set_avatar_url", False) + self.replicate_user_profiles_to = config.get("replicate_user_profiles_to", []) if not isinstance(self.replicate_user_profiles_to, list): self.replicate_user_profiles_to = [self.replicate_user_profiles_to, ] @@ -118,10 +121,19 @@ class RegistrationConfig(Config): # cross-homeserver user directories. # replicate_user_profiles_to: example.com + # If enabled, don't let users set their own display names/avatars + # other than for the very first time (unless they are a server admin). + # Useful when provisioning users based on the contents of a 3rd party + # directory and to avoid ambiguities. + # + # disable_set_displayname: True + # disable_set_avatar_url: True + # Users who register on this homeserver will automatically be joined # to these rooms #auto_join_rooms: # - "#example:example.com" + """ % locals() def add_arguments(self, parser): diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py index 7c5591056d..1a79004d57 100644 --- a/synapse/handlers/profile.py +++ b/synapse/handlers/profile.py 
@@ -215,6 +215,11 @@ class ProfileHandler(BaseHandler): if not by_admin and target_user != requester.user: raise AuthError(400, "Cannot set another user's displayname") + if not by_admin and self.hs.config.disable_set_displayname: + profile = yield self.store.get_profileinfo(target_user.localpart) + if profile.display_name: + raise SynapseError(400, "Changing displayname is disabled on this server") + if new_displayname == '': new_displayname = None @@ -277,6 +282,11 @@ class ProfileHandler(BaseHandler): if not by_admin and target_user != requester.user: raise AuthError(400, "Cannot set another user's avatar_url") + if not by_admin and self.hs.config.disable_set_avatar_url: + profile = yield self.store.get_profileinfo(target_user.localpart) + if profile.avatar_url: + raise SynapseError(400, "Changing avatar url is disabled on this server") + if len(self.hs.config.replicate_user_profiles_to) > 0: cur_batchnum = yield self.store.get_latest_profile_replication_batch_number() new_batchnum = 0 if cur_batchnum is None else cur_batchnum + 1 -- cgit 1.5.1 From 8a24c4eee515b21f3eb5572a62937ec1c04e677b Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Thu, 3 May 2018 02:47:55 +0100 Subject: add option to disable changes to the 3PIDs for an account. This only considers the /account/3pid API, which should be sufficient as currently we can't change emails associated with push notifs (which are provisioned at registration), and we can't directly create mappings for accounts in an IS other than by answering an invite --- synapse/config/registration.py | 8 ++++++++ synapse/rest/client/v2_alpha/account.py | 6 ++++++ 2 files changed, 14 insertions(+) (limited to 'synapse') diff --git a/synapse/config/registration.py b/synapse/config/registration.py index 34326718ad..070b7f0d93 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py 
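Review bot: In `synapse/handlers/profile.py`, the new `disable_set_displayname` guard (hunk `@@ -215,6 +215,11 @@`) reports a server policy denial as a generic 400, so clients cannot tell it apart from a malformed request. A forbidden response would be clearer, e.g. `raise SynapseError(403, "Changing displayname is disabled on this server", Codes.FORBIDDEN)`, assuming `Codes` is importable in this module (the imports are outside the hunk). The same applies to the `disable_set_avatar_url` guard in hunk `@@ -277,6 +282,11 @@`. The guard also covers only these two handler methods: if the goal is to keep names aligned with a third-party directory, any other path that can set a display name or avatar, such as per-room membership content, needs the same check, which cannot be confirmed from here. Both function bodies start and end outside their hunks.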
@@ -37,6 +37,9 @@ class RegistrationConfig(Config): "check_is_for_allowed_local_3pids", None ) self.allow_invited_3pids = config.get("allow_invited_3pids", False) + + self.disable_3pid_changes = config.get("disable_3pid_changes", False) + self.registration_shared_secret = config.get("registration_shared_secret") self.bcrypt_rounds = config.get("bcrypt_rounds", 12) @@ -89,6 +92,11 @@ class RegistrationConfig(Config): # - medium: msisdn # pattern: "\\+44" + # If true, stop users from trying to change the 3PIDs associated with + # their accounts. + # + # disable_3pid_changes: True + # If set, allows registration by anyone who also has the shared # secret, even if registration is otherwise disabled. registration_shared_secret: "%(registration_shared_secret)s" diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py index 7d43a33615..3738ad437e 100644 --- a/synapse/rest/client/v2_alpha/account.py +++ b/synapse/rest/client/v2_alpha/account.py @@ -314,6 +314,9 @@ class ThreepidRestServlet(RestServlet): def on_POST(self, request): yield run_on_reactor() + if self.hs.config.disable_3pid_changes: + raise SynapseError(400, "3PID changes disabled on this server") + body = parse_json_object_from_request(request) threePidCreds = body.get('threePidCreds') @@ -367,6 +370,9 @@ class ThreepidDeleteRestServlet(RestServlet): def on_POST(self, request): yield run_on_reactor() + if self.hs.config.disable_3pid_changes: + raise SynapseError(400, "3PID changes disabled on this server") + body = parse_json_object_from_request(request) required = ['medium', 'address'] -- cgit 1.5.1 From 76fca1730eff408877a6028185f0f696c96a1968 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Thu, 3 May 2018 11:46:11 +0100 Subject: fix defaults in example config --- synapse/config/registration.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'synapse') 
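Review bot: In `synapse/rest/client/v2_alpha/account.py`, the `disable_3pid_changes` check in `ThreepidRestServlet.on_POST` (hunk `@@ -314,6 +314,9 @@`) sits directly after `run_on_reactor()`, before the body is parsed and, as far as the hunk shows, before the requester is authenticated. An unauthenticated caller would therefore learn the server's policy, and the denial is reported as 400 rather than forbidden. Consider moving the check after the requester lookup and using `raise SynapseError(403, "3PID changes disabled on this server", Codes.FORBIDDEN)`; the same applies to `ThreepidDeleteRestServlet.on_POST` in hunk `@@ -367,6 +370,9 @@`. Unlike the profile options, there is no admin exemption here; if that is intended, a comment such as `# Applies to server admins too; only the /account/3pid API is covered` would record both that and the scope limit stated in the commit message. Both method bodies continue outside their hunks.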
diff --git a/synapse/config/registration.py b/synapse/config/registration.py index cbc1d3d00e..4a4de661e7 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -126,8 +126,8 @@ class RegistrationConfig(Config): # Useful when provisioning users based on the contents of a 3rd party # directory and to avoid ambiguities. # - # disable_set_displayname: True - # disable_set_avatar_url: True + # disable_set_displayname: False + # disable_set_avatar_url: False # Users who register on this homeserver will automatically be joined # to these rooms -- cgit 1.5.1 From 25e471dac3c9f4e8b593c9e23b1e917a10305481 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Thu, 3 May 2018 11:46:56 +0100 Subject: fix defaults in config example --- synapse/config/registration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'synapse') diff --git a/synapse/config/registration.py b/synapse/config/registration.py index 070b7f0d93..c87bea736b 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -95,7 +95,7 @@ class RegistrationConfig(Config): # If true, stop users from trying to change the 3PIDs associated with # their accounts. # - # disable_3pid_changes: True + # disable_3pid_changes: False # If set, allows registration by anyone who also has the shared # secret, even if registration is otherwise disabled. -- cgit 1.5.1 From 53d6245529c888df086420db7c0ec66e8dc72bca Mon Sep 17 00:00:00 2001 From: David Baker Date: Thu, 3 May 2018 14:55:40 +0100 Subject: Change profile replication URI --- synapse/handlers/profile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'synapse') diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py index 7c5591056d..195684c88c 100644 --- a/synapse/handlers/profile.py +++ b/synapse/handlers/profile.py 
@@ -105,7 +105,7 @@ class ProfileHandler(BaseHandler): } for r in batch_rows } - url = "https://%s/_matrix/federation/v1/replicate_profiles" % (host,) + url = "https://%s/_matrix/identity/api/v1/replicate_profiles" % (host,) body = { "batchnum": batchnum, "batch": batch, -- cgit 1.5.1
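Review bot: The replication URL in `synapse/handlers/profile.py` now points at an identity-service path, but the example config in `synapse/config/registration.py` still describes `replicate_user_profiles_to` as serving "cross-homeserver user directories". An operator cannot tell from the docs what kind of service receives the profile batches. I would add a comment above the URL such as `# Profile batches go to the identity-service API on each host in replicate_user_profiles_to` and update the config text to match. `host` is formatted into the URL as-is; since it decides where profile data is sent, checking at config load that each entry is a bare server name would be a cheap safeguard. The enclosing function starts and ends outside the hunk, so how the outgoing request is authenticated cannot be checked from here.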