summary refs log tree commit diff
path: root/synapse/api/auth
diff options
context:
space:
mode:
authorQuentin Gliech <quenting@element.io>2023-05-26 15:16:34 +0200
committerPatrick Cloke <clokep@users.noreply.github.com>2023-05-30 09:43:06 -0400
commitceb3dd77db0d3ce992d40175c3f53f6b6ddfa168 (patch)
treee60ce0d52da120ac1559a69b6fbb8ca18a198524 /synapse/api/auth
parentMake the config tests spawn the homeserver only when needed (diff)
downloadsynapse-ceb3dd77db0d3ce992d40175c3f53f6b6ddfa168.tar.xz
Enforce that an admin token also has the basic Matrix API scope
Diffstat (limited to 'synapse/api/auth')
-rw-r--r--synapse/api/auth/msc3861_delegated.py7
1 files changed, 2 insertions, 5 deletions
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index e4b16c0b5c..31c1de0119 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -248,13 +248,10 @@ class MSC3861DelegatedAuth(BaseAuth):
         scope: List[str] = scope_to_list(introspection_result.get("scope", ""))
 
         # Determine type of user based on presence of particular scopes
-        has_admin_scope = SCOPE_SYNAPSE_ADMIN in scope
         has_user_scope = SCOPE_MATRIX_API in scope
         has_guest_scope = SCOPE_MATRIX_GUEST in scope
-        is_user = has_user_scope or has_admin_scope
-        is_guest = has_guest_scope and not is_user
 
-        if not is_user and not is_guest:
+        if not has_user_scope and not has_guest_scope:
             raise InvalidClientTokenError("No scope in token granting user rights")
 
         # Match via the sub claim
@@ -351,5 +348,5 @@ class MSC3861DelegatedAuth(BaseAuth):
             user_id=user_id,
             device_id=device_id,
             scope=scope,
-            is_guest=is_guest,
+            is_guest=(has_guest_scope and not has_user_scope),
         )