summary refs log tree commit diff
path: root/synapse/handlers/message.py
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2019-03-20 16:50:23 +0000
committerErik Johnston <erik@matrix.org>2019-03-20 16:50:23 +0000
commit74c46d81fa7c3e4f1cfc3688d9ce3f46d35ee5a5 (patch)
treedfad554d20acef7891e79c10f61c6153f7df459d /synapse/handlers/message.py
parentAllow blocking a room multiple times (diff)
downloadsynapse-74c46d81fa7c3e4f1cfc3688d9ce3f46d35ee5a5.tar.xz
Only require consent for events with an associated request
There are a number of instances where a server or admin may puppet a
user to join/leave rooms, which we don't want to fail if the user has
not consented to the privacy policy. We fix this by adding a check to
test if the requester has an associated access_token, which is used as a
proxy to answer the question of whether the action is being done on
behalf of a real request from the user.
Diffstat (limited to '')
-rw-r--r--synapse/handlers/message.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index 55787563c0..ac9d9c1a83 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -316,8 +316,12 @@ class EventCreationHandler(object):
                         target, e
                     )
 
+        # Check if the user has accepted the privacy policy. We only do this if
+        # the requester has an associated access_token_id, which indicates that
+        # this action came from a user request rather than an automatice server
+        # or admin action.
         is_exempt = yield self._is_exempt_from_privacy_policy(builder, requester)
-        if not is_exempt:
+        if requester.access_token_id and not is_exempt:
             yield self.assert_accepted_privacy_policy(requester)
 
         if token_id is not None: