diff options
author | Erik Johnston <erik@matrix.org> | 2019-03-20 16:50:23 +0000 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2019-03-20 16:50:23 +0000 |
commit | 74c46d81fa7c3e4f1cfc3688d9ce3f46d35ee5a5 (patch) | |
tree | dfad554d20acef7891e79c10f61c6153f7df459d | |
parent | Allow blocking a room multiple times (diff) | |
download | synapse-74c46d81fa7c3e4f1cfc3688d9ce3f46d35ee5a5.tar.xz |
Only require consent for events with an associated request
There are a number of instances where a server or admin may puppet a user to join/leave rooms, which we don't want to fail if the user has not consented to the privacy policy. We fix this by adding a check to test if the requester has an associated access_token, which is used as a proxy to answer the question of whether the action is being done on behalf of a real request from the user.
-rw-r--r-- | synapse/handlers/message.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py index 55787563c0..ac9d9c1a83 100644 --- a/synapse/handlers/message.py +++ b/synapse/handlers/message.py @@ -316,8 +316,12 @@ class EventCreationHandler(object): target, e ) + # Check if the user has accepted the privacy policy. We only do this if + # the requester has an associated access_token_id, which indicates that + # this action came from a user request rather than an automatice server + # or admin action. is_exempt = yield self._is_exempt_from_privacy_policy(builder, requester) - if not is_exempt: + if requester.access_token_id and not is_exempt: yield self.assert_accepted_privacy_policy(requester) if token_id is not None: |