diff options
author | Erik Johnston <erik@matrix.org> | 2015-07-10 13:21:31 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2015-07-10 14:05:38 +0100 |
commit | 7e3b14fe782eedbe37a0eb8c17da605d2373e594 (patch) | |
tree | 5790d09a3f7ad45a8eab0ed9c99abc90f22a2d1a /synapse/api/auth.py | |
parent | Uniquely name unique constraint (diff) | |
download | synapse-7e3b14fe782eedbe37a0eb8c17da605d2373e594.tar.xz |
You shouldn't be able to ban/kick users with higher power levels
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 4da62e5d8d..bd2f058e4a 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -187,6 +187,9 @@ class Auth(object): join_rule = JoinRules.INVITE user_level = self._get_user_power_level(event.user_id, auth_events) + target_level = self._get_user_power_level( + target_user_id, auth_events + ) # FIXME (erikj): What should we do here as the default? ban_level = self._get_named_level(auth_events, "ban", 50) @@ -258,12 +261,12 @@ class Auth(object): elif target_user_id != event.user_id: kick_level = self._get_named_level(auth_events, "kick", 50) - if user_level < kick_level: + if user_level < kick_level or user_level < target_level: raise AuthError( 403, "You cannot kick user %s." % target_user_id ) elif Membership.BAN == membership: - if user_level < ban_level: + if user_level < ban_level or user_level < target_level: raise AuthError(403, "You don't have permission to ban") else: raise AuthError(500, "Unknown membership %s" % membership) |