Ensure that non-room-members cannot ban others, even if they do have enough powerlevel (SYN-343)

author: Paul "LeoNerd" Evans <paul@matrix.org> 2015-04-15 18:07:33 +0100
committer: Paul "LeoNerd" Evans <paul@matrix.org> 2015-04-15 18:07:33 +0100
commit: e6e130b9ba702873d1fdf8788abf718e38e64419 (patch)
tree: 9ae8a4bd142784d1ab58a94ad7e643b49a738ce3 /synapse/api/auth.py
parent: Merge pull request #122 from matrix-org/upgrade_syutil_to_0.0.4 (diff)
download: synapse-e6e130b9ba702873d1fdf8788abf718e38e64419.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 18f3d117b3..97801631f5 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -272,6 +272,11 @@ class Auth(object):
                         403, "You cannot kick user %s." % target_user_id
                     )
         elif Membership.BAN == membership:
+            if not caller_in_room:  # caller isn't joined
+                raise AuthError(
+                    403,
+                    "%s not in room %s." % (event.user_id, event.room_id,)
+                )
             if user_level < ban_level:
                 raise AuthError(403, "You don't have permission to ban")
         else:
author	Paul "LeoNerd" Evans <paul@matrix.org>	2015-04-15 18:07:33 +0100
committer	Paul "LeoNerd" Evans <paul@matrix.org>	2015-04-15 18:07:33 +0100
commit	e6e130b9ba702873d1fdf8788abf718e38e64419 (patch)
tree	9ae8a4bd142784d1ab58a94ad7e643b49a738ce3 /synapse/api/auth.py
parent	Merge pull request #122 from matrix-org/upgrade_syutil_to_0.0.4 (diff)
download	synapse-e6e130b9ba702873d1fdf8788abf718e38e64419.tar.xz