diff options
| author | Erik Johnston <erik@matrix.org> | 2015-09-14 18:05:31 +0100 |
|---|---|---|
| committer | Erik Johnston <erik@matrix.org> | 2015-09-14 18:05:31 +0100 |
| commit | d59acb8c5b7ff74b0045b1e4df0c79ce6f645004 (patch) | |
| tree | b7427c8e6cf1d48cab0341fbcbda307707e75338 /synapse/api/auth.py | |
| parent | Also check the domains for membership state_keys (diff) | |
| parent | Merge pull request #265 from matrix-org/erikj/check_room_exists (diff) | |
| download | synapse-d59acb8c5b7ff74b0045b1e4df0c79ce6f645004.tar.xz | |
Merge branch 'develop' of github.com:matrix-org/synapse into erikj/unfederatable
Diffstat (limited to 'synapse/api/auth.py')
| -rw-r--r-- | synapse/api/auth.py | 35 |
1 files changed, 27 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 944fbbf532..a2fa171e3a 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -20,7 +20,7 @@ from twisted.internet import defer from synapse.api.constants import EventTypes, Membership, JoinRules from synapse.api.errors import AuthError, Codes, SynapseError from synapse.util.logutils import log_function -from synapse.types import RoomID, UserID +from synapse.types import RoomID, UserID, EventID import logging @@ -108,7 +108,7 @@ class Auth(object): self._check_power_levels(event, auth_events) if event.type == EventTypes.Redaction: - self._check_redaction(event, auth_events) + self.check_redaction(event, auth_events) logger.debug("Allowing! %s", event) except AuthError as e: @@ -572,16 +572,35 @@ class Auth(object): return True - def _check_redaction(self, event, auth_events): + def check_redaction(self, event, auth_events): + """Check whether the event sender is allowed to redact the target event. + + Returns: + True if the the sender is allowed to redact the target event if the + target event was created by them. + False if the sender is allowed to redact the target event with no + further checks. + + Raises: + AuthError if the event sender is definitely not allowed to redact + the target event. + """ user_level = self._get_user_power_level(event.user_id, auth_events) redact_level = self._get_named_level(auth_events, "redact", 50) - if user_level < redact_level: - raise AuthError( - 403, - "You don't have permission to redact events" - ) + if user_level > redact_level: + return False + + redacter_domain = EventID.from_string(event.event_id).domain + redactee_domain = EventID.from_string(event.redacts).domain + if redacter_domain == redactee_domain: + return True + + raise AuthError( + 403, + "You don't have permission to redact events" + ) def _check_power_levels(self, event, auth_events): user_list = event.content.get("users", {}) |