Implements admin API to lock an user (MSC3939) (#15870)

author: Mathieu Velten <mathieuv@matrix.org> 2023-08-10 11:10:55 +0200
committer: GitHub <noreply@github.com> 2023-08-10 09:10:55 +0000
commit: dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0 (patch)
tree: d13c5ad7f19ee84223129dd1693331f8866d952c /synapse/rest
parent: Support MSC3814: Dehydrated Devices Part 2 (#16010) (diff)
download: synapse-dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0.tar.xz
2 files changed, 23 insertions, 2 deletions
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index e0257daa75..04d9ef25b7 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -280,6 +280,17 @@ class UserRestServletV2(RestServlet):
                 HTTPStatus.BAD_REQUEST, "'deactivated' parameter is not of type boolean"
             )
 
+        lock = body.get("locked", False)
+        if not isinstance(lock, bool):
+            raise SynapseError(
+                HTTPStatus.BAD_REQUEST, "'locked' parameter is not of type boolean"
+            )
+
+        if deactivate and lock:
+            raise SynapseError(
+                HTTPStatus.BAD_REQUEST, "An user can't be deactivated and locked"
+            )
+
         approved: Optional[bool] = None
         if "approved" in body and self._msc3866_enabled:
             approved = body["approved"]
@@ -397,6 +408,12 @@ class UserRestServletV2(RestServlet):
                         target_user.to_string()
                     )
 
+            if "locked" in body:
+                if lock and not user["locked"]:
+                    await self.store.set_user_locked_status(user_id, True)
+                elif not lock and user["locked"]:
+                    await self.store.set_user_locked_status(user_id, False)
+
             if "user_type" in body:
                 await self.store.set_user_type(target_user, user_type)
 
diff --git a/synapse/rest/client/logout.py b/synapse/rest/client/logout.py
index 94ad90942f..2e104d4888 100644
--- a/synapse/rest/client/logout.py
+++ b/synapse/rest/client/logout.py
@@ -40,7 +40,9 @@ class LogoutRestServlet(RestServlet):
         self._device_handler = handler
 
     async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
-        requester = await self.auth.get_user_by_req(request, allow_expired=True)
+        requester = await self.auth.get_user_by_req(
+            request, allow_expired=True, allow_locked=True
+        )
 
         if requester.device_id is None:
             # The access token wasn't associated with a device.
@@ -67,7 +69,9 @@ class LogoutAllRestServlet(RestServlet):
         self._device_handler = handler
 
     async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
-        requester = await self.auth.get_user_by_req(request, allow_expired=True)
+        requester = await self.auth.get_user_by_req(
+            request, allow_expired=True, allow_locked=True
+        )
         user_id = requester.user.to_string()
 
         # first delete all of the user's devices
author	Mathieu Velten <mathieuv@matrix.org>	2023-08-10 11:10:55 +0200
committer	GitHub <noreply@github.com>	2023-08-10 09:10:55 +0000
commit	dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0 (patch)
tree	d13c5ad7f19ee84223129dd1693331f8866d952c /synapse/rest
parent	Support MSC3814: Dehydrated Devices Part 2 (#16010) (diff)
download	synapse-dac97642e41f3f4bc0deff0c80b6a3f7acb4dbc0.tar.xz