summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2015-07-10 13:21:31 +0100
committerErik Johnston <erik@matrix.org>2015-07-10 14:05:38 +0100
commit7e3b14fe782eedbe37a0eb8c17da605d2373e594 (patch)
tree5790d09a3f7ad45a8eab0ed9c99abc90f22a2d1a /synapse/api/auth.py
parentUniquely name unique constraint (diff)
downloadsynapse-7e3b14fe782eedbe37a0eb8c17da605d2373e594.tar.xz
You shouldn't be able to ban/kick users with higher power levels
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py7
1 files changed, 5 insertions, 2 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 4da62e5d8d..bd2f058e4a 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -187,6 +187,9 @@ class Auth(object):
             join_rule = JoinRules.INVITE
 
         user_level = self._get_user_power_level(event.user_id, auth_events)
+        target_level = self._get_user_power_level(
+            target_user_id, auth_events
+        )
 
         # FIXME (erikj): What should we do here as the default?
         ban_level = self._get_named_level(auth_events, "ban", 50)
@@ -258,12 +261,12 @@ class Auth(object):
             elif target_user_id != event.user_id:
                 kick_level = self._get_named_level(auth_events, "kick", 50)
 
-                if user_level < kick_level:
+                if user_level < kick_level or user_level < target_level:
                     raise AuthError(
                         403, "You cannot kick user %s." % target_user_id
                     )
         elif Membership.BAN == membership:
-            if user_level < ban_level:
+            if user_level < ban_level or user_level < target_level:
                 raise AuthError(403, "You don't have permission to ban")
         else:
             raise AuthError(500, "Unknown membership %s" % membership)