Only allow people to set the alias list for their own domain.

author: Erik Johnston <erik@matrix.org> 2015-09-01 15:51:43 +0100
committer: Erik Johnston <erik@matrix.org> 2015-09-01 15:51:43 +0100
commit: 530896d9d224a5a9c43b7fe0af1f9280e2eb8ee5 (patch)
tree: 5f02ca95984a1b19740c064b45417218e6ba0cd6
parent: Merge branch 'erikj/unfederatable' into erikj/check_alias (diff)
download: synapse-530896d9d224a5a9c43b7fe0af1f9280e2eb8ee5.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index f8ac9d2495..81012f99c1 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -83,7 +83,12 @@ class Auth(object):
 
             # FIXME: Temp hack
             if event.type == EventTypes.Aliases:
-                return True
+                alias_domain = UserID.from_string(event.state_key).domain
+                if alias_domain != originating_domain:
+                    raise AuthError(
+                        403,
+                        "Can only set aliases for own domain"
+                    )
 
             logger.debug(
                 "Auth events: %s",
author	Erik Johnston <erik@matrix.org>	2015-09-01 15:51:43 +0100
committer	Erik Johnston <erik@matrix.org>	2015-09-01 15:51:43 +0100
commit	530896d9d224a5a9c43b7fe0af1f9280e2eb8ee5 (patch)
tree	5f02ca95984a1b19740c064b45417218e6ba0cd6
parent	Merge branch 'erikj/unfederatable' into erikj/check_alias (diff)
download	synapse-530896d9d224a5a9c43b7fe0af1f9280e2eb8ee5.tar.xz