authorAndrew Morgan <andrew@amorgan.xyz>2023-01-28 17:54:37 +0100
committerAndrew Morgan <andrew@amorgan.xyz>2023-01-28 17:54:48 +0100
commitbd5189c9f73319f566d342fc0a7fcaeaea18376f (patch)
tree0d7d21e96c9a5d2b0054d825642226a3e6b77e6a /synapse/storage
parentIgnore remote device displaynames if MSC3480 enabled (diff)
downloadsynapse-anoa/msc3480.tar.xz
Hide device displaynames from other users github/anoa/msc3480 anoa/msc3480
Some argument finagling was needed as query_local_devices can be called
from requests of both local and remote users, and in the case of remote
users, without a user ID.

In the end, we have an option 'from_local_user_id' which tells
`query_local_devices` both a) whether the request is from a local or
remote user and b) if a local user, which one.
Diffstat (limited to 'synapse/storage')
-rw-r--r--synapse/storage/databases/main/end_to_end_keys.py27
1 files changed, 24 insertions, 3 deletions
diff --git a/synapse/storage/databases/main/end_to_end_keys.py b/synapse/storage/databases/main/end_to_end_keys.py
index c4ac6c33ba..22460819a4 100644
--- a/synapse/storage/databases/main/end_to_end_keys.py
+++ b/synapse/storage/databases/main/end_to_end_keys.py
@@ -141,13 +141,15 @@ class EndToEndKeyWorkerStore(EndToEndKeyBackgroundStore, CacheInvalidationWorker
     async def get_e2e_device_keys_for_cs_api(
         self,
         query_list: Collection[Tuple[str, Optional[str]]],
-        include_displaynames: bool = True,
+        from_local_user_id: Optional[str],
     ) -> Dict[str, Dict[str, JsonDict]]:
         """Fetch a list of device keys, formatted suitably for the C/S API.
+
         Args:
             query_list: List of pairs of user_ids and device_ids.
-            include_displaynames: Whether to include the displayname of returned devices
-                (if one exists).
+            from_local_user_id: If the request originates from a local user, their
+                User ID should be specified here. Otherwise, this should be None.
+
         Returns:
             Dict mapping from user-id to dict mapping from device_id to
             key data.  The key data will be a dict in the same format as the
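Review bot: The new `from_local_user_id` entry in the docstring says what to pass but not what it controls, and that effect is privacy-relevant. Judging by the second hunk, `None` is treated as a remote request and a local user ID other than the queried user's can hide the displayname. I would extend the Args entry with something like `Used to decide whether device displaynames are included; None is treated as a request from a remote user.` Because the parameter takes the position of the old `include_displaynames: bool = True`, a missed caller still passing a positional `False` would bind it as a non-None "user ID" and, with MSC3480 disabled, get displaynames included; making it keyword-only (a bare `*,` before it) would turn that into an error. The function body continues outside this hunk, and no callers are visible here.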
@@ -169,6 +171,25 @@ class EndToEndKeyWorkerStore(EndToEndKeyBackgroundStore, CacheInvalidationWorker
                 if r is None:
                     continue
 
+                # Determine whether the displayname of this device should be shared with
+                # the user making the request.
+                include_displaynames = True
+
+                if (
+                    from_local_user_id is not None
+                    and user_id != from_local_user_id
+                    and self.hs.config.experimental.msc3480_enabled is True
+                ):
+                    include_displaynames = False
+
+                # If this is a request from a remote user, and we've disallowed sharing
+                # local user device names over federation, strip the device's displayname.
+                elif (
+                    from_local_user_id is None
+                    and not self._allow_device_name_lookup_over_federation
+                ):
+                    include_displaynames = False
+
                 r["unsigned"] = {}
                 if include_displaynames:
                     # Include the device's display name in the "unsigned" dictionary
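Review bot: The MSC3480 branch tests `self.hs.config.experimental.msc3480_enabled is True`, an identity comparison. Any truthy value that is not the `True` singleton therefore leaves `include_displaynames` at its default of `True`, and the displayname is shared. Whether the config loader guarantees a bool is not visible here; a plain truthiness test, `and self.hs.config.experimental.msc3480_enabled`, would match the `not self._allow_device_name_lookup_over_federation` style in the `elif` and err on the side of hiding. The first branch also lacks a comment of its own, so I would add `# MSC3480: hide displaynames from local users other than the device's owner.` above the `if`. The enclosing loop and function start before this hunk and continue after it.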