diff options
author | Richard van der Hoff <github@rvanderhoff.org.uk> | 2017-10-27 12:30:10 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-27 12:30:10 +0100 |
commit | 4d836320098814b6429583741ac9f8109a1044af (patch) | |
tree | 891a4289bd41068e3cb9abad4e588458ac185cf8 /synapse | |
parent | Merge pull request #2589 from matrix-org/rav/as_deactivate_account (diff) | |
parent | Device deletion: check UI auth matches access token (diff) | |
download | synapse-4d836320098814b6429583741ac9f8109a1044af.tar.xz |
Merge pull request #2591 from matrix-org/rav/device_delete_auth
Device deletion: check UI auth matches access token
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/rest/client/v2_alpha/devices.py | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/synapse/rest/client/v2_alpha/devices.py b/synapse/rest/client/v2_alpha/devices.py index 2a2438b7dc..5321e5abbb 100644 --- a/synapse/rest/client/v2_alpha/devices.py +++ b/synapse/rest/client/v2_alpha/devices.py @@ -117,6 +117,8 @@ class DeviceRestServlet(servlet.RestServlet): @defer.inlineCallbacks def on_DELETE(self, request, device_id): + requester = yield self.auth.get_user_by_req(request) + try: body = servlet.parse_json_object_from_request(request) @@ -135,11 +137,12 @@ class DeviceRestServlet(servlet.RestServlet): if not authed: defer.returnValue((401, result)) - requester = yield self.auth.get_user_by_req(request) - yield self.device_handler.delete_device( - requester.user.to_string(), - device_id, - ) + # check that the UI auth matched the access token + user_id = result[constants.LoginType.PASSWORD] + if user_id != requester.user.to_string(): + raise errors.AuthError(403, "Invalid auth") + + yield self.device_handler.delete_device(user_id, device_id) defer.returnValue((200, {})) @defer.inlineCallbacks |