diff options
author | Paul "LeoNerd" Evans <paul@matrix.org> | 2015-04-21 20:18:29 +0100 |
---|---|---|
committer | Paul "LeoNerd" Evans <paul@matrix.org> | 2015-04-21 20:18:29 +0100 |
commit | 3a7d7a3f22fe7358b23250e1e8b8d5a9e4559f23 (patch) | |
tree | 75edbff530af270a722651f60f77650dce5a20c5 /synapse | |
parent | Bump syutil version to 0.0.5 (diff) | |
download | synapse-3a7d7a3f22fe7358b23250e1e8b8d5a9e4559f23.tar.xz |
Sanitise a user's powerlevel to an int() before numerical comparison, because otherwise Python is "helpful" with it (SYN-351)
Diffstat (limited to '')
-rw-r--r-- | synapse/api/auth.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index e159e4503f..c1b3ae1734 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -189,6 +189,12 @@ class Auth(object): auth_events, ) + # TODO(paul): There's an awful lot of int()-casting in this code; + # surely we should be squashing strings to integers at a higher + # level, maybe when we insert? + if user_level is not None: + user_level = int(user_level) + ban_level, kick_level, redact_level = ( self._get_ops_level_from_event_state( event, @@ -269,6 +275,7 @@ class Auth(object): 403, "You cannot kick user %s." % target_user_id ) elif Membership.BAN == membership: + print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level) if user_level < ban_level: raise AuthError(403, "You don't have permission to ban") else: |