diff options
author | Mathieu Velten <mathieuv@matrix.org> | 2023-08-10 11:10:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-10 09:10:55 +0000 |
commit | dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0 (patch) | |
tree | d13c5ad7f19ee84223129dd1693331f8866d952c /synapse/api/auth/msc3861_delegated.py | |
parent | Support MSC3814: Dehydrated Devices Part 2 (#16010) (diff) | |
download | synapse-dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0.tar.xz |
Implements admin API to lock an user (MSC3939) (#15870)
Diffstat (limited to 'synapse/api/auth/msc3861_delegated.py')
-rw-r--r-- | synapse/api/auth/msc3861_delegated.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py index bd4fc9c0ee..9524102a30 100644 --- a/synapse/api/auth/msc3861_delegated.py +++ b/synapse/api/auth/msc3861_delegated.py @@ -27,6 +27,7 @@ from twisted.web.http_headers import Headers from synapse.api.auth.base import BaseAuth from synapse.api.errors import ( AuthError, + Codes, HttpResponseException, InvalidClientTokenError, OAuthInsufficientScopeError, @@ -196,6 +197,7 @@ class MSC3861DelegatedAuth(BaseAuth): request: SynapseRequest, allow_guest: bool = False, allow_expired: bool = False, + allow_locked: bool = False, ) -> Requester: access_token = self.get_access_token_from_request(request) @@ -205,6 +207,17 @@ class MSC3861DelegatedAuth(BaseAuth): # so that we don't provision the user if they don't have enough permission: requester = await self.get_user_by_access_token(access_token, allow_expired) + # Deny the request if the user account is locked. + if not allow_locked and await self.store.get_user_locked_status( + requester.user.to_string() + ): + raise AuthError( + 401, + "User account has been locked", + errcode=Codes.USER_LOCKED, + additional_fields={"soft_logout": True}, + ) + if not allow_guest and requester.is_guest: raise OAuthInsufficientScopeError([SCOPE_MATRIX_API]) |