summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--changelog.d/7053.feature2
-rw-r--r--docs/sample_config.yaml10
-rw-r--r--synapse/config/registration.py16
-rw-r--r--synapse/handlers/profile.py8
-rw-r--r--synapse/rest/client/v2_alpha/account.py18
-rw-r--r--tests/handlers/test_profile.py6
-rw-r--r--tests/rest/client/v2_alpha/test_account.py17
7 files changed, 40 insertions, 37 deletions
diff --git a/changelog.d/7053.feature b/changelog.d/7053.feature
index 79955b9780..00f47b2a14 100644
--- a/changelog.d/7053.feature
+++ b/changelog.d/7053.feature
@@ -1 +1 @@
-Add options to disable setting profile info for prevent changes.
\ No newline at end of file
+Add options to prevent users from changing their profile or associated 3PIDs.
\ No newline at end of file
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index d3ecffac7d..8333800a10 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1057,18 +1057,18 @@ account_threepid_delegates:
     #email: https://example.com     # Delegate email sending to example.com
     #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
 
-# If enabled, don't let users set their own display names/avatars
+# If disabled, don't let users set their own display names/avatars
 # other than for the very first time (unless they are a server admin).
 # Useful when provisioning users based on the contents of a 3rd party
 # directory and to avoid ambiguities.
 #
-#disable_set_displayname: false
-#disable_set_avatar_url: false
+#enable_set_displayname: true
+#enable_set_avatar_url: true
 
-# If true, stop users from trying to change the 3PIDs associated with
+# If false, stop users from trying to change the 3PIDs associated with
 # their accounts.
 #
-#disable_3pid_changes: false
+#enable_3pid_changes: true
 
 # Users who register on this homeserver will automatically be joined
 # to these rooms
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 1abc0a79af..d4897ec9b6 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -129,9 +129,9 @@ class RegistrationConfig(Config):
                 raise ConfigError("Invalid auto_join_rooms entry %s" % (room_alias,))
         self.autocreate_auto_join_rooms = config.get("autocreate_auto_join_rooms", True)
 
-        self.disable_set_displayname = config.get("disable_set_displayname", False)
-        self.disable_set_avatar_url = config.get("disable_set_avatar_url", False)
-        self.disable_3pid_changes = config.get("disable_3pid_changes", False)
+        self.enable_set_displayname = config.get("enable_set_displayname", True)
+        self.enable_set_avatar_url = config.get("enable_set_avatar_url", True)
+        self.enable_3pid_changes = config.get("enable_3pid_changes", True)
 
         self.disable_msisdn_registration = config.get(
             "disable_msisdn_registration", False
@@ -334,18 +334,18 @@ class RegistrationConfig(Config):
             #email: https://example.com     # Delegate email sending to example.com
             #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
 
-        # If enabled, don't let users set their own display names/avatars
+        # If disabled, don't let users set their own display names/avatars
         # other than for the very first time (unless they are a server admin).
         # Useful when provisioning users based on the contents of a 3rd party
         # directory and to avoid ambiguities.
         #
-        #disable_set_displayname: false
-        #disable_set_avatar_url: false
+        #enable_set_displayname: true
+        #enable_set_avatar_url: true
 
-        # If true, stop users from trying to change the 3PIDs associated with
+        # If false, stop users from trying to change the 3PIDs associated with
         # their accounts.
         #
-        #disable_3pid_changes: false
+        #enable_3pid_changes: true
 
         # Users who register on this homeserver will automatically be joined
         # to these rooms
diff --git a/synapse/handlers/profile.py b/synapse/handlers/profile.py
index b049dd8e26..eb85dba015 100644
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@@ -157,11 +157,11 @@ class BaseProfileHandler(BaseHandler):
         if not by_admin and target_user != requester.user:
             raise AuthError(400, "Cannot set another user's displayname")
 
-        if not by_admin and self.hs.config.disable_set_displayname:
+        if not by_admin and not self.hs.config.enable_set_displayname:
             profile = yield self.store.get_profileinfo(target_user.localpart)
             if profile.display_name:
                 raise SynapseError(
-                    400, "Changing displayname is disabled on this server"
+                    400, "Changing display name is disabled on this server", Codes.FORBIDDEN
                 )
 
         if len(new_displayname) > MAX_DISPLAYNAME_LEN:
@@ -225,11 +225,11 @@ class BaseProfileHandler(BaseHandler):
         if not by_admin and target_user != requester.user:
             raise AuthError(400, "Cannot set another user's avatar_url")
 
-        if not by_admin and self.hs.config.disable_set_avatar_url:
+        if not by_admin and not self.hs.config.enable_set_avatar_url:
             profile = yield self.store.get_profileinfo(target_user.localpart)
             if profile.avatar_url:
                 raise SynapseError(
-                    400, "Changing avatar url is disabled on this server"
+                    400, "Changing avatar is disabled on this server", Codes.FORBIDDEN
                 )
 
         if len(new_avatar_url) > MAX_AVATAR_URL_LEN:
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 97bddf36d9..e40136f2f3 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -599,8 +599,10 @@ class ThreepidRestServlet(RestServlet):
         return 200, {"threepids": threepids}
 
     async def on_POST(self, request):
-        if self.hs.config.disable_3pid_changes:
-            raise SynapseError(400, "3PID changes disabled on this server")
+        if not self.hs.config.enable_3pid_changes:
+            raise SynapseError(
+                400, "3PID changes are disabled on this server", Codes.FORBIDDEN
+            )
 
         requester = await self.auth.get_user_by_req(request)
         user_id = requester.user.to_string()
@@ -646,8 +648,10 @@ class ThreepidAddRestServlet(RestServlet):
 
     @interactive_auth_handler
     async def on_POST(self, request):
-        if self.hs.config.disable_3pid_changes:
-            raise SynapseError(400, "3PID changes disabled on this server")
+        if not self.hs.config.enable_3pid_changes:
+            raise SynapseError(
+                400, "3PID changes are disabled on this server", Codes.FORBIDDEN
+            )
 
         requester = await self.auth.get_user_by_req(request)
         user_id = requester.user.to_string()
@@ -749,8 +753,10 @@ class ThreepidDeleteRestServlet(RestServlet):
         self.auth_handler = hs.get_auth_handler()
 
     async def on_POST(self, request):
-        if self.hs.config.disable_3pid_changes:
-            raise SynapseError(400, "3PID changes disabled on this server")
+        if not self.hs.config.enable_3pid_changes:
+            raise SynapseError(
+                400, "3PID changes are disabled on this server", Codes.FORBIDDEN
+            )
 
         body = parse_json_object_from_request(request)
         assert_params_in_dict(body, ["medium", "address"])
diff --git a/tests/handlers/test_profile.py b/tests/handlers/test_profile.py
index f8c0da5ced..e600b9777b 100644
--- a/tests/handlers/test_profile.py
+++ b/tests/handlers/test_profile.py
@@ -93,7 +93,7 @@ class ProfileTestCase(unittest.TestCase):
 
     @defer.inlineCallbacks
     def test_set_my_name_if_disabled(self):
-        self.hs.config.disable_set_displayname = True
+        self.hs.config.enable_set_displayname = False
 
         # Set first displayname is allowed, if displayname is null
         yield self.store.set_profile_displayname(self.frank.localpart, "Frank")
@@ -164,9 +164,9 @@ class ProfileTestCase(unittest.TestCase):
 
     @defer.inlineCallbacks
     def test_set_my_avatar_if_disabled(self):
-        self.hs.config.disable_set_avatar_url = True
+        self.hs.config.enable_set_avatar_url = False
 
-        # Set first time avatar is allowed, if displayname is null
+        # Set first time avatar is allowed, if avatar is null
         yield self.store.set_profile_avatar_url(
             self.frank.localpart, "http://my.server/me.png"
         )
diff --git a/tests/rest/client/v2_alpha/test_account.py b/tests/rest/client/v2_alpha/test_account.py
index e178a53335..34e40a36d0 100644
--- a/tests/rest/client/v2_alpha/test_account.py
+++ b/tests/rest/client/v2_alpha/test_account.py
@@ -24,6 +24,7 @@ import pkg_resources
 
 import synapse.rest.admin
 from synapse.api.constants import LoginType, Membership
+from synapse.api.errors import Codes
 from synapse.rest.client.v1 import login, room
 from synapse.rest.client.v2_alpha import account, register
 
@@ -412,7 +413,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
     def test_add_email_if_disabled(self):
         """Test add mail to profile if disabled
         """
-        self.hs.config.disable_3pid_changes = True
+        self.hs.config.enable_3pid_changes = True
 
         client_secret = "foobar"
         session_id = self._request_token(self.email, client_secret)
@@ -438,9 +439,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
         )
         self.render(request)
         self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
-        self.assertEqual(
-            "3PID changes disabled on this server", channel.json_body["error"]
-        )
+        self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
 
         # Get user
         request, channel = self.make_request(
@@ -486,7 +485,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
     def test_delete_email_if_disabled(self):
         """Test delete mail from profile if disabled
         """
-        self.hs.config.disable_3pid_changes = True
+        self.hs.config.enable_3pid_changes = True
 
         # Add a threepid
         self.get_success(
@@ -508,9 +507,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
         self.render(request)
 
         self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
-        self.assertEqual(
-            "3PID changes disabled on this server", channel.json_body["error"]
-        )
+        self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
 
         # Get user
         request, channel = self.make_request(
@@ -547,7 +544,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
         )
         self.render(request)
         self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
-        self.assertEqual("No validated 3pid session found", channel.json_body["error"])
+        self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
 
         # Get user
         request, channel = self.make_request(
@@ -582,7 +579,7 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
         )
         self.render(request)
         self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
-        self.assertEqual("No validated 3pid session found", channel.json_body["error"])
+        self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
 
         # Get user
         request, channel = self.make_request(