diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index df61794551..8f32191b57 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -18,7 +18,7 @@
from twisted.internet import defer
from synapse.api.constants import Membership, JoinRules
-from synapse.api.errors import AuthError, StoreError, Codes
+from synapse.api.errors import AuthError, StoreError, Codes, SynapseError
from synapse.api.events.room import RoomMemberEvent, RoomPowerLevelsEvent
from synapse.util.logutils import log_function
@@ -308,7 +308,9 @@ class Auth(object):
else:
user_level = 0
- logger.debug("Checking power level for %s, %s", event.user_id, user_level)
+ logger.debug(
+ "Checking power level for %s, %s", event.user_id, user_level
+ )
if current_state and hasattr(current_state, "required_power_level"):
req = current_state.required_power_level
@@ -321,6 +323,24 @@ class Auth(object):
@defer.inlineCallbacks
def _check_power_levels(self, event):
+ for k, v in event.content.items():
+ if k == "default":
+ continue
+
+ # FIXME (erikj): We don't want hsob_Ts in content.
+ if k == "hsob_ts":
+ continue
+
+ try:
+ self.hs.parse_userid(k)
+ except:
+ raise SynapseError(400, "Not a valid user_id: %s" % (k,))
+
+ try:
+ int(v)
+ except:
+ raise SynapseError(400, "Not a valid power level: %s" % (v,))
+
current_state = yield self.store.get_current_state(
event.room_id,
event.type,
@@ -346,7 +366,10 @@ class Auth(object):
# FIXME (erikj)
old_people = {k: v for k, v in old_list.items() if k.startswith("@")}
- new_people = {k: v for k, v in event.content.items() if k.startswith("@")}
+ new_people = {
+ k: v for k, v in event.content.items()
+ if k.startswith("@")
+ }
removed = set(old_people.keys()) - set(new_people.keys())
added = set(old_people.keys()) - set(new_people.keys())
@@ -356,22 +379,24 @@ class Auth(object):
if int(old_list.content[r]) > user_level:
raise AuthError(
403,
- "You don't have permission to change that state"
+ "You don't have permission to remove user: %s" % (r, )
)
- for n in new_people:
+ for n in added:
if int(event.content[n]) > user_level:
raise AuthError(
403,
- "You don't have permission to change that state"
+ "You don't have permission to add ops level greater "
+ "than your own"
)
for s in same:
if int(event.content[s]) != int(old_list[s]):
- if int(old_list[s]) > user_level:
+ if int(event.content[s]) > user_level:
raise AuthError(
403,
- "You don't have permission to change that state"
+ "You don't have permission to add ops level greater "
+ "than your own"
)
if "default" in old_list:
@@ -380,7 +405,8 @@ class Auth(object):
if old_default > user_level:
raise AuthError(
403,
- "You don't have permission to change that state"
+ "You don't have permission to add ops level greater than "
+ "your own"
)
if "default" in event.content:
@@ -389,5 +415,6 @@ class Auth(object):
if new_default > user_level:
raise AuthError(
403,
- "You don't have permission to change that state"
+ "You don't have permission to add ops level greater "
+ "than your own"
)
|
