-rw-r--r-- | synapse/api/auth.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index f8ac9d2495..81012f99c1 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -83,7 +83,12 @@ class Auth(object):
 # FIXME: Temp hack
 if event.type == EventTypes.Aliases:
- return True
+ alias_domain = UserID.from_string(event.state_key).domain
+ if alias_domain != originating_domain:
+ raise AuthError(
+ 403,
+ "Can only set aliases for own domain"
+ )
 logger.debug(
 "Auth events: %s", |
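Review bot: The new alias check parses `event.state_key` with `UserID.from_string` without first confirming the event carries a usable state key, and this path handles events whose content another server controls. A missing or malformed `state_key` would surface as whatever the attribute lookup or `UserID.from_string` raises (not visible in this hunk) rather than the 403 `AuthError` the check is meant to produce; guarding first, e.g. `if not getattr(event, "state_key", None): raise AuthError(403, "Alias event must have a state_key")`, keeps the rejection uniform. Dropping `return True` also means alias events that pass the domain check now fall through to the remaining checks after `logger.debug(`, which is worth confirming as intended and recording next to the `# FIXME: Temp hack` comment. The enclosing method and the definition of `originating_domain` lie outside the hunk.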