summary refs log tree commit diff
path: root/synapse/api
diff options
context:
space:
mode:
Diffstat (limited to 'synapse/api')
-rw-r--r--synapse/api/auth.py52
-rw-r--r--synapse/api/events/__init__.py7
-rw-r--r--synapse/api/events/factory.py5
-rw-r--r--synapse/api/events/room.py7
4 files changed, 59 insertions, 12 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 5d7c607702..8f32191b57 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -18,7 +18,7 @@
 from twisted.internet import defer
 
 from synapse.api.constants import Membership, JoinRules
-from synapse.api.errors import AuthError, StoreError, Codes
+from synapse.api.errors import AuthError, StoreError, Codes, SynapseError
 from synapse.api.events.room import RoomMemberEvent, RoomPowerLevelsEvent
 from synapse.util.logutils import log_function
 
@@ -308,7 +308,9 @@ class Auth(object):
         else:
             user_level = 0
 
-        logger.debug("Checking power level for %s, %s", event.user_id, user_level)
+        logger.debug(
+            "Checking power level for %s, %s", event.user_id, user_level
+        )
         if current_state and hasattr(current_state, "required_power_level"):
             req = current_state.required_power_level
 
@@ -321,12 +323,35 @@ class Auth(object):
 
     @defer.inlineCallbacks
     def _check_power_levels(self, event):
+        for k, v in event.content.items():
+            if k == "default":
+                continue
+
+            # FIXME (erikj): We don't want hsob_Ts in content.
+            if k == "hsob_ts":
+                continue
+
+            try:
+                self.hs.parse_userid(k)
+            except:
+                raise SynapseError(400, "Not a valid user_id: %s" % (k,))
+
+            try:
+                int(v)
+            except:
+                raise SynapseError(400, "Not a valid power level: %s" % (v,))
+
         current_state = yield self.store.get_current_state(
             event.room_id,
             event.type,
             event.state_key,
         )
 
+        if not current_state:
+            return
+        else:
+            current_state = current_state[0]
+
         user_level = yield self.store.get_power_level(
             event.room_id,
             event.user_id,
@@ -341,7 +366,10 @@ class Auth(object):
 
         # FIXME (erikj)
         old_people = {k: v for k, v in old_list.items() if k.startswith("@")}
-        new_people = {k: v for k, v in event.content if k.startswith("@")}
+        new_people = {
+            k: v for k, v in event.content.items()
+            if k.startswith("@")
+        }
 
         removed = set(old_people.keys()) - set(new_people.keys())
         added = set(old_people.keys()) - set(new_people.keys())
@@ -351,22 +379,24 @@ class Auth(object):
             if int(old_list.content[r]) > user_level:
                 raise AuthError(
                     403,
-                    "You don't have permission to change that state"
+                    "You don't have permission to remove user: %s" % (r, )
                 )
 
-        for n in new_people:
+        for n in added:
             if int(event.content[n]) > user_level:
                 raise AuthError(
                     403,
-                    "You don't have permission to change that state"
+                    "You don't have permission to add ops level greater "
+                    "than your own"
                 )
 
         for s in same:
             if int(event.content[s]) != int(old_list[s]):
-                if int(old_list[s]) > user_level:
+                if int(event.content[s]) > user_level:
                     raise AuthError(
                         403,
-                        "You don't have permission to change that state"
+                        "You don't have permission to add ops level greater "
+                        "than your own"
                     )
 
         if "default" in old_list:
@@ -375,7 +405,8 @@ class Auth(object):
             if old_default > user_level:
                 raise AuthError(
                     403,
-                    "You don't have permission to change that state"
+                    "You don't have permission to add ops level greater than "
+                    "your own"
                 )
 
             if "default" in event.content:
@@ -384,5 +415,6 @@ class Auth(object):
                 if new_default > user_level:
                     raise AuthError(
                         403,
-                        "You don't have permission to change that state"
+                        "You don't have permission to add ops level greater "
+                        "than your own"
                     )
diff --git a/synapse/api/events/__init__.py b/synapse/api/events/__init__.py
index f95468fc65..5f300de108 100644
--- a/synapse/api/events/__init__.py
+++ b/synapse/api/events/__init__.py
@@ -157,7 +157,12 @@ class SynapseEvent(JsonEncodedObject):
 
 
 class SynapseStateEvent(SynapseEvent):
-     def __init__(self, **kwargs):
+
+    valid_keys = SynapseEvent.valid_keys + [
+        "prev_content",
+    ]
+
+    def __init__(self, **kwargs):
         if "state_key" not in kwargs:
             kwargs["state_key"] = ""
         super(SynapseStateEvent, self).__init__(**kwargs)
diff --git a/synapse/api/events/factory.py b/synapse/api/events/factory.py
index a3b293e024..5e38cdbc44 100644
--- a/synapse/api/events/factory.py
+++ b/synapse/api/events/factory.py
@@ -47,11 +47,14 @@ class EventFactory(object):
             self._event_list[event_class.TYPE] = event_class
 
         self.clock = hs.get_clock()
+        self.hs = hs
 
     def create_event(self, etype=None, **kwargs):
         kwargs["type"] = etype
         if "event_id" not in kwargs:
-            kwargs["event_id"] = random_string(10)
+            kwargs["event_id"] = "%s@%s" % (
+                random_string(10), self.hs.hostname
+            )
 
         if "ts" not in kwargs:
             kwargs["ts"] = int(self.clock.time_msec())
diff --git a/synapse/api/events/room.py b/synapse/api/events/room.py
index 33f0f0cb99..3a4dbc58ce 100644
--- a/synapse/api/events/room.py
+++ b/synapse/api/events/room.py
@@ -173,3 +173,10 @@ class RoomOpsPowerLevelsEvent(SynapseStateEvent):
 
     def get_content_template(self):
         return {}
+
+
+class RoomAliasesEvent(SynapseStateEvent):
+    TYPE = "m.room.aliases"
+
+    def get_content_template(self):
+        return {}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-17 14:49:56 +0000