author | Richard van der Hoff <richard@matrix.org> | 2017-10-27 00:04:31 +0100 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2017-10-27 00:04:31 +0100 |
commit | 7a6546228b92723a891758d20c22c11beee0c9f9 (patch) | |
tree | cacd7fc7b0915ca1d202933b480553e85547701f /synapse/rest | |
parent | spell out need for libxml2 for lxml to work (diff) | |
download | synapse-7a6546228b92723a891758d20c22c11beee0c9f9.tar.xz |
Device deletion: check UI auth matches access token
(otherwise there's no point in the UI auth)
Diffstat (limited to 'synapse/rest')
-rw-r--r-- | synapse/rest/client/v2_alpha/devices.py | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/synapse/rest/client/v2_alpha/devices.py b/synapse/rest/client/v2_alpha/devices.py
index 2a2438b7dc..5321e5abbb 100644
--- a/synapse/rest/client/v2_alpha/devices.py
+++ b/synapse/rest/client/v2_alpha/devices.py
@@ -117,6 +117,8 @@ class DeviceRestServlet(servlet.RestServlet):
 @defer.inlineCallbacks
 def on_DELETE(self, request, device_id):
+ requester = yield self.auth.get_user_by_req(request)
+
 try:
 body = servlet.parse_json_object_from_request(request)
@@ -135,11 +137,12 @@ class DeviceRestServlet(servlet.RestServlet):
 if not authed:
 defer.returnValue((401, result))
- requester = yield self.auth.get_user_by_req(request)
- yield self.device_handler.delete_device(
- requester.user.to_string(),
- device_id,
- )
+ # check that the UI auth matched the access token
+ user_id = result[constants.LoginType.PASSWORD]
+ if user_id != requester.user.to_string():
+ raise errors.AuthError(403, "Invalid auth")
+
+ yield self.device_handler.delete_device(user_id, device_id)
 defer.returnValue((200, {}))
 @defer.inlineCallbacks |
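Review bot: The identity check on the new `if user_id != requester.user.to_string():` line runs only after the UI-auth stage has already been completed, so when the body names a different account that account's credentials are still fully verified (and presumably any rate-limit or lockout accounting charged) before the request is rejected with a 403 that differs from the 401 an unverified stage returns; a tighter shape is to establish before `check_auth` is called — or by passing `requester` into it — that the identifier being authenticated is the access token's own user, so the password is only ever checked against that account. `check_auth` and the rest of `on_DELETE` lie above this hunk, so I cannot confirm what `result` holds on the authed path; `result[constants.LoginType.PASSWORD]` is presumably guaranteed present once `authed` is true, and it would be worth a short comment saying so, e.g. `# result maps each completed stage to the user it authenticated; PASSWORD is the only stage required here`. The closing `defer.returnValue((200, {}))` keeps the response shape unchanged, which is fine.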