authorErik Johnston <erik@matrix.org>2014-11-19 17:21:40 +0000
committerErik Johnston <erik@matrix.org>2014-11-19 17:22:37 +0000
commit512993b57f3755d4416002667bc6a568fa6c3334 (patch)
tree1842831b2cdc4027776c1d0df4a427b84d909b84 /synapse/api
parentSometimes there isn't a current logging context (diff)
downloadsynapse-512993b57f3755d4416002667bc6a568fa6c3334.tar.xz
Only users can set state events which have their own user_id
Diffstat (limited to 'synapse/api')
-rw-r--r--synapse/api/auth.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1a8785e890..6d8a9e4df7 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -446,6 +446,26 @@ class Auth(object):
                 "user_level (%d) < send_level (%d)" % (user_level, send_level)
             )
 
+        # Check state_key
+        if hasattr(event, "state_key"):
+            if not event.state_key.startswith("_"):
+                if event.state_key.startswith("@"):
+                    if event.state_key != event.user_id:
+                        raise AuthError(
+                            403,
+                            "You are not allowed to set others state"
+                        )
+                    else:
+                        sender_domain = self.hs.parse_userid(
+                            event.user_id
+                        ).domain
+
+                        if sender_domain != event.state_key:
+                            raise AuthError(
+                                403,
+                                "You are not allowed to set others state"
+                            )
+
         return True
 
     def _check_redaction(self, event):
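Review bot: The `else:` paired with `if event.state_key != event.user_id:` runs exactly when the state key equals the sender's own user ID, and it then compares that "@"-prefixed key against `sender_domain`, which for any well-formed user ID cannot match, so every non-member state event a user sets under their own user ID is rejected with 403 — the case the commit title says should be allowed. If the intent is only that users may not set state under someone else's ID, the `sender_domain` lookup and the second `raise` should be dropped and the check collapses to `if event.state_key.startswith("@") and event.state_key != event.user_id:` followed by the single `raise AuthError(403, "You are not allowed to set others state")`. If a domain-scoped state key is also meant to be enforced, it needs its own branch keyed on the event type rather than a bare `else`, since an unconditional else on the "@" test would reject empty state keys as well, and its error message should name the domain rule instead of reusing the "others state" text. The enclosing `check` method starts before this hunk, so whether member events reach this point at all is inferred from the earlier flow rather than visible here.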