summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorPaul "LeoNerd" Evans <paul@matrix.org>2015-04-21 20:18:29 +0100
committerPaul "LeoNerd" Evans <paul@matrix.org>2015-04-21 20:18:29 +0100
commit3a7d7a3f22fe7358b23250e1e8b8d5a9e4559f23 (patch)
tree75edbff530af270a722651f60f77650dce5a20c5 /synapse/api/auth.py
parentBump syutil version to 0.0.5 (diff)
downloadsynapse-3a7d7a3f22fe7358b23250e1e8b8d5a9e4559f23.tar.xz
Sanitise a user's powerlevel to an int() before numerical comparison, because otherwise Python is "helpful" with it (SYN-351)
Diffstat (limited to '')
-rw-r--r--synapse/api/auth.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index e159e4503f..c1b3ae1734 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -189,6 +189,12 @@ class Auth(object):
             auth_events,
         )
 
+        # TODO(paul): There's an awful lot of int()-casting in this code;
+        #   surely we should be squashing strings to integers at a higher
+        #   level, maybe when we insert?
+        if user_level is not None:
+            user_level = int(user_level)
+
         ban_level, kick_level, redact_level = (
             self._get_ops_level_from_event_state(
                 event,
@@ -269,6 +275,7 @@ class Auth(object):
                         403, "You cannot kick user %s." % target_user_id
                     )
         elif Membership.BAN == membership:
+            print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level)
             if user_level < ban_level:
                 raise AuthError(403, "You don't have permission to ban")
         else: