diff options
author | Erik Johnston <erik@matrix.org> | 2019-07-31 16:03:14 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2019-07-31 16:12:27 +0100 |
commit | cf89266b980b62a6d8547f8e1ae9394359a05fc8 (patch) | |
tree | a2711395a6a0076232e7392e98c59665a674f6af | |
parent | Change user deactivated errcode to USER_DEACTIVATED and use it (#5686) (diff) | |
download | synapse-cf89266b980b62a6d8547f8e1ae9394359a05fc8.tar.xz |
Deny redaction of events in a different room.
We already correctly filter out such redactions, but we should also deny them over the CS API.
-rw-r--r-- | synapse/handlers/message.py | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py index e951c39fa7..a5e23c4caf 100644 --- a/synapse/handlers/message.py +++ b/synapse/handlers/message.py @@ -795,7 +795,6 @@ class EventCreationHandler(object): get_prev_content=False, allow_rejected=False, allow_none=True, - check_room_id=event.room_id, ) # we can make some additional checks now if we have the original event. @@ -803,6 +802,9 @@ class EventCreationHandler(object): if original_event.type == EventTypes.Create: raise AuthError(403, "Redacting create events is not permitted") + if original_event.room_id != event.room_id: + raise SynapseError(400, "Cannot redact event from a different room") + prev_state_ids = yield context.get_prev_state_ids(self.store) auth_events_ids = yield self.auth.compute_auth_events( event, prev_state_ids, for_verification=True |