author | Erik Johnston <erik@matrix.org> | 2014-11-19 17:21:40 +0000 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2014-11-19 17:22:37 +0000 |
commit | 512993b57f3755d4416002667bc6a568fa6c3334 (patch) | |
tree | 1842831b2cdc4027776c1d0df4a427b84d909b84 /synapse/api/auth.py | |
parent | Sometimes there isn't a current logging context (diff) | |
Only users can set state events which have their own user_id
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1a8785e890..6d8a9e4df7 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -446,6 +446,26 @@ class Auth(object):
                 "user_level (%d) < send_level (%d)" % (user_level, send_level)
             )
 
+        # Check state_key
+        if hasattr(event, "state_key"):
+            if not event.state_key.startswith("_"):
+                if event.state_key.startswith("@"):
+                    if event.state_key != event.user_id:
+                        raise AuthError(
+                            403,
+                            "You are not allowed to set others state"
+                        )
+                else:
+                    sender_domain = self.hs.parse_userid(
+                        event.user_id
+                    ).domain
+
+                    if sender_domain != event.state_key:
+                        raise AuthError(
+                            403,
+                            "You are not allowed to set others state"
+                        )
+
         return True
 
     def _check_redaction(self, event):
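Review bot: The `else` branch rejects every state event whose state_key is the empty string, because `"".startswith("@")` is false and the sender's domain can never equal `""`; that is the key used by room-global state such as m.room.name, m.room.topic, m.room.power_levels and m.room.join_rules, so those would all 403 unless something earlier in the enclosing method (which starts outside this hunk) already returns for them. The ownership rule should only apply to non-empty keys, e.g. `elif event.state_key:` in place of the bare `else:`, leaving empty-keyed state governed solely by the send_level check just above. The leading-underscore exemption silently bypasses both the user and the server check and is not explained anywhere in the hunk; a comment such as `# "_"-prefixed state_keys are not namespaced by a user or server, so no ownership is enforced` would make the intended policy reviewable (the intent is inferred here, not stated). As a minor style point, the error string `"You are not allowed to set others state"` is duplicated; hoisting it into one local or a module constant keeps the two branches from drifting.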