diff options
| author | Matthew Hodgson <matthew@matrix.org> | 2016-06-01 22:13:47 +0100 |
|---|---|---|
| committer | Matthew Hodgson <matthew@matrix.org> | 2016-06-01 22:13:47 +0100 |
| commit | aaa70e26a2eb37fbdf728393148e003dc9866afd (patch) | |
| tree | 53edccb1ff684370e88f482011dfef98236b4a29 | |
| parent | Merge pull request #807 from matrix-org/erikj/push_rules_cache (diff) | |
| download | synapse-aaa70e26a2eb37fbdf728393148e003dc9866afd.tar.xz | |
special case m.room.third_party_invite event auth to match invites, otherwise they get out of sync and you get https://github.com/vector-im/vector-web/issues/1208
| -rw-r--r-- | synapse/api/auth.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 2474a1453b..007a0998a7 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -120,6 +120,24 @@ class Auth(object): return allowed self.check_event_sender_in_room(event, auth_events) + + # Special case to allow m.room.third_party_invite events wherever + # a user is allowed to issue invites. Fixes + # https://github.com/vector-im/vector-web/issues/1208 hopefully + if event.type == EventTypes.ThirdPartyInvite: + user_level = self._get_user_power_level(event.user_id, auth_events) + invite_level = self._get_named_level(auth_events, "invite", 0) + + if user_level < invite_level: + raise AuthError( + 403, ( + "You cannot issue a third party invite for %s." % + (event.content.display_name,) + ) + ) + else: + return True + self._can_send_event(event, auth_events) if event.type == EventTypes.PowerLevels: |