author | Paul "LeoNerd" Evans <paul@matrix.org> | 2015-04-15 18:07:33 +0100 |
---|---|---|
committer | Paul "LeoNerd" Evans <paul@matrix.org> | 2015-04-15 18:07:33 +0100 |
commit | e6e130b9ba702873d1fdf8788abf718e38e64419 (patch) | |
tree | 9ae8a4bd142784d1ab58a94ad7e643b49a738ce3 | |
parent | Merge pull request #122 from matrix-org/upgrade_syutil_to_0.0.4 (diff) | |
download | synapse-e6e130b9ba702873d1fdf8788abf718e38e64419.tar.xz |
Ensure that non-room-members cannot ban others, even if they do have enough power level (SYN-343)
-rw-r--r-- | synapse/api/auth.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 18f3d117b3..97801631f5 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -272,6 +272,11 @@ class Auth(object):
                     403, "You cannot kick user %s." % target_user_id
                 )
         elif Membership.BAN == membership:
+            if not caller_in_room:  # caller isn't joined
+                raise AuthError(
+                    403,
+                    "%s not in room %s." % (event.user_id, event.room_id,)
+                )
             if user_level < ban_level:
                 raise AuthError(403, "You don't have permission to ban")
         else:
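Review bot: The new non-member guard in the BAN branch ships without a regression test — the diffstat lists only synapse/api/auth.py — so a later rewrite of the membership-transition checks could silently reopen the SYN-343 path; a test where a user who is not joined to the room but holds a power level at or above ban_level attempts a ban, asserting an AuthError with 403, would pin it. The guard itself runs before the power-level comparison and fails closed, which is the right order for an authorization check. I would replace the inline `# caller isn't joined` (which restates the variable name) with the reason the check exists, e.g. `# SYN-343: room membership gates bans independently of power level; a non-member must never ban`. The enclosing method starts and ends outside the hunk and `caller_in_room` is computed before it, so whether the kick branch just above applies the same membership guard cannot be confirmed from here and is worth checking in the same pass.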