1 files changed, 8 insertions, 2 deletions
diff --git a/synapse/rest/client/v2_alpha/account_data.py b/synapse/rest/client/v2_alpha/account_data.py
index 7517e9304e..3fa2d7737c 100644
--- a/synapse/rest/client/v2_alpha/account_data.py
+++ b/synapse/rest/client/v2_alpha/account_data.py
@@ -84,7 +84,10 @@ class RoomAccountDataServlet(RestServlet):
async def on_PUT(self, request, user_id, room_id, account_data_type):
requester = await self.auth.get_user_by_req(request)
- if user_id != requester.user.to_string():
+ is_admin = await self.auth.is_server_admin(requester.user)
+
+ # Allow server admins to change other user account data, otherwise raise an AuthError
+ if not is_admin and user_id != requester.user.to_string():
raise AuthError(403, "Cannot add account data for other users.")
body = parse_json_object_from_request(request)
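Review bot: The new `if not is_admin and user_id != ...` check in on_PUT lets a server admin write room account data for whatever `user_id` appears in the path, and nothing visible in this hunk checks that the target is a local, existing user or records that the write was made on another user's behalf. I would reject non-local targets on the admin path and log the acting admin and the target, e.g. `logger.info("Admin %s wrote room account data for %s", requester.user, user_id)` if the module defines `logger`. The same bypass in the on_GET hunk discloses another user's data and deserves the same audit line. In both handlers `is_server_admin` is awaited even for self-access; `if user_id != requester.user.to_string() and not await self.auth.is_server_admin(requester.user):` limits the lookup to the cross-user case. on_PUT continues past the hunk, so later checks may exist that I cannot see.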
@@ -104,7 +107,10 @@ class RoomAccountDataServlet(RestServlet):
async def on_GET(self, request, user_id, room_id, account_data_type):
requester = await self.auth.get_user_by_req(request)
- if user_id != requester.user.to_string():
+ is_admin = await self.auth.is_server_admin(requester.user)
+
+ # Allow server admins to read other user account data, otherwise raise an AuthError
+ if not is_admin and user_id != requester.user.to_string():
raise AuthError(403, "Cannot get account data for other users.")
event = await self.store.get_account_data_for_room_and_type(
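Review bot: The admin override in on_GET is added to the client-facing handler, so the same route now authorizes differently depending on the caller's privilege, and the only record of that rule is the inline comment. A docstring on on_GET (and on on_PUT) would make the policy visible to reviewers, e.g. `"""Return room account data for user_id; server admins may read any user's data, other callers only their own."""`. Only RoomAccountDataServlet is changed in this diff; if the file has other account-data handlers that keep the strict ownership check, it is worth stating whether that difference is intended. on_GET continues past the hunk.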