author | David Teller <d.o.teller+github@gmail.com> | 2021-01-28 12:18:07 +0100 |
---|---|---|
committer | David Teller <d.o.teller+github@gmail.com> | 2021-01-28 12:31:07 +0100 |
commit | b859919acc3ad6c61ba26a3c9b1e36c75a30c3fe (patch) | |
tree | 96fffaa67839992091581e50c76ef8d48ec5d50e | |
parent | FIXUP: Don't filter events at all for admin/v1/rooms/.../context/... (diff) | |
download | synapse-b859919acc3ad6c61ba26a3c9b1e36c75a30c3fe.tar.xz |
FIXUP: Now testing that the user is admin!
-rw-r--r-- | changelog.d/9150.feature | 5 | ||||
-rw-r--r-- | synapse/rest/admin/rooms.py | 3 | ||||
-rw-r--r-- | tests/rest/admin/test_room.py | 36 |
3 files changed, 38 insertions, 6 deletions
diff --git a/changelog.d/9150.feature b/changelog.d/9150.feature
index 86c4fd3d72..48a8148dee 100644
--- a/changelog.d/9150.feature
+++ b/changelog.d/9150.feature
@@ -1,4 +1 @@
-New API /_synapse/admin/rooms/{roomId}/context/{eventId}
-
-This API mirrors /_matrix/client/r0/rooms/{roomId}/context/{eventId} but lets administrators
-inspect rooms. Designed to annotate abuse reports with context.
+New API /_synapse/admin/rooms/{roomId}/context/{eventId}.
diff --git a/synapse/rest/admin/rooms.py b/synapse/rest/admin/rooms.py
index 6539655289..4393197549 100644
--- a/synapse/rest/admin/rooms.py
+++ b/synapse/rest/admin/rooms.py
@@ -578,7 +578,8 @@ class RoomEventContextServlet(RestServlet):
         self.auth = hs.get_auth()
 
     async def on_GET(self, request, room_id, event_id):
-        requester = await self.auth.get_user_by_req(request, allow_guest=True)
+        requester = await self.auth.get_user_by_req(request, allow_guest=False)
+        await assert_user_is_admin(self.auth, requester.user)
 
         limit = parse_integer(request, "limit", default=10)
 
diff --git a/tests/rest/admin/test_room.py b/tests/rest/admin/test_room.py
index 7e89eb4793..fd201993d3 100644
--- a/tests/rest/admin/test_room.py
+++ b/tests/rest/admin/test_room.py
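Review bot: The admin check is placed before any room or event lookup, which is the right order, but `RoomEventContextServlet.on_GET` still carries no docstring recording the contract the two new lines establish; a one-liner such as `"""Return the context of event_id in room_id. The caller must be a server admin and need not be a member of the room."""` would keep that next to the check. `assert_user_is_admin` has to be in scope in this module — presumably it already is, since other servlets in this file perform the same check, but that is not visible from the hunk. If `requester` is not needed further down, the pair of lines collapses to the `assert_requester_is_admin(self.auth, request)` helper used by the other admin servlets; the rest of on_GET lies outside the hunk, so that cannot be confirmed here.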
@@ -1430,7 +1430,41 @@ class JoinAliasRoomTestCase(unittest.HomeserverTestCase):
         self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
         self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
 
-    def test_context(self):
+    def test_context_as_non_admin(self):
+        """
+        Test that, without being admin, one cannot use the context admin API
+        """
+        # Create a room.
+        user_id = self.register_user("test", "test")
+        user_tok = self.login("test", "test")
+
+        self.register_user("test_2", "test")
+        user_tok_2 = self.login("test_2", "test")
+
+        room_id = self.helper.create_room_as(user_id, tok=user_tok)
+
+        # Populate the room with events.
+        events = []
+        for i in range(30):
+            events.append(
+                self.helper.send_event(
+                    room_id, "com.example.test", content={"index": i}, tok=user_tok
+                )
+            )
+
+        # Now attempt to find the context using the admin API without being admin.
+        midway = (len(events) - 1) // 2
+        for tok in [user_tok, user_tok_2]:
+            channel = self.make_request(
+                "GET",
+                "/_synapse/admin/v1/rooms/%s/context/%s"
+                % (room_id, events[midway]["event_id"]),
+                access_token=tok,
+            )
+            self.assertEquals(403, int(channel.result["code"]), msg=channel.result["body"])
+            self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
+
+    def test_context_as_admin(self):
         """
         Test that, as admin, we can find the context of an event without having joined the room.
         """
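Review bot: The two assertions inside the new loop mix the deprecated `assertEquals` alias (status code) with `assertEqual` (errcode); use the same name for both, `self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])`. The `events` list on the "Populate the room" lines is a loop-and-append that reads more plainly as a comprehension over `range(30)`. Checking both the room creator and a non-member is the right pair here, since it shows the 403 comes from the admin check rather than room membership; a short comment on the `for tok in` line saying so would make the intent explicit. The enclosing test class starts outside the hunk.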