diff options
author | Quentin Gliech <quenting@element.io> | 2023-05-26 15:16:34 +0200 |
---|---|---|
committer | Patrick Cloke <clokep@users.noreply.github.com> | 2023-05-30 09:43:06 -0400 |
commit | ceb3dd77db0d3ce992d40175c3f53f6b6ddfa168 (patch) | |
tree | e60ce0d52da120ac1559a69b6fbb8ca18a198524 /synapse | |
parent | Make the config tests spawn the homeserver only when needed (diff) | |
download | synapse-ceb3dd77db0d3ce992d40175c3f53f6b6ddfa168.tar.xz |
Enforce that an admin token also has the basic Matrix API scope
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/api/auth/msc3861_delegated.py | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py index e4b16c0b5c..31c1de0119 100644 --- a/synapse/api/auth/msc3861_delegated.py +++ b/synapse/api/auth/msc3861_delegated.py @@ -248,13 +248,10 @@ class MSC3861DelegatedAuth(BaseAuth): scope: List[str] = scope_to_list(introspection_result.get("scope", "")) # Determine type of user based on presence of particular scopes - has_admin_scope = SCOPE_SYNAPSE_ADMIN in scope has_user_scope = SCOPE_MATRIX_API in scope has_guest_scope = SCOPE_MATRIX_GUEST in scope - is_user = has_user_scope or has_admin_scope - is_guest = has_guest_scope and not is_user - if not is_user and not is_guest: + if not has_user_scope and not has_guest_scope: raise InvalidClientTokenError("No scope in token granting user rights") # Match via the sub claim @@ -351,5 +348,5 @@ class MSC3861DelegatedAuth(BaseAuth): user_id=user_id, device_id=device_id, scope=scope, - is_guest=is_guest, + is_guest=(has_guest_scope and not has_user_scope), ) |