summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
authorRichard van der Hoff <github@rvanderhoff.org.uk>2017-10-27 12:30:10 +0100
committerGitHub <noreply@github.com>2017-10-27 12:30:10 +0100
commit4d836320098814b6429583741ac9f8109a1044af (patch)
tree891a4289bd41068e3cb9abad4e588458ac185cf8 /synapse
parentMerge pull request #2589 from matrix-org/rav/as_deactivate_account (diff)
parentDevice deletion: check UI auth matches access token (diff)
downloadsynapse-4d836320098814b6429583741ac9f8109a1044af.tar.xz
Merge pull request #2591 from matrix-org/rav/device_delete_auth
Device deletion: check UI auth matches access token
Diffstat (limited to 'synapse')
-rw-r--r--synapse/rest/client/v2_alpha/devices.py13
1 files changed, 8 insertions, 5 deletions
diff --git a/synapse/rest/client/v2_alpha/devices.py b/synapse/rest/client/v2_alpha/devices.py
index 2a2438b7dc..5321e5abbb 100644
--- a/synapse/rest/client/v2_alpha/devices.py
+++ b/synapse/rest/client/v2_alpha/devices.py
@@ -117,6 +117,8 @@ class DeviceRestServlet(servlet.RestServlet):
 
     @defer.inlineCallbacks
     def on_DELETE(self, request, device_id):
+        requester = yield self.auth.get_user_by_req(request)
+
         try:
             body = servlet.parse_json_object_from_request(request)
 
@@ -135,11 +137,12 @@ class DeviceRestServlet(servlet.RestServlet):
         if not authed:
             defer.returnValue((401, result))
 
-        requester = yield self.auth.get_user_by_req(request)
-        yield self.device_handler.delete_device(
-            requester.user.to_string(),
-            device_id,
-        )
+        # check that the UI auth matched the access token
+        user_id = result[constants.LoginType.PASSWORD]
+        if user_id != requester.user.to_string():
+            raise errors.AuthError(403, "Invalid auth")
+
+        yield self.device_handler.delete_device(user_id, device_id)
         defer.returnValue((200, {}))
 
     @defer.inlineCallbacks