From b31d56efacb05f981a398f270297a004aac43cae Mon Sep 17 00:00:00 2001
From: Matthew Hodgson
Date: Sun, 21 Apr 2019 00:58:53 +0100
Subject: add option to require an access_token to GET /profile on CS API
---
 synapse/config/server.py | 8 ++++++++
 synapse/rest/client/v1/profile.py | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/synapse/config/server.py b/synapse/config/server.py
index 08e4e45482..8ad42a8a6c 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -71,6 +71,10 @@ class ServerConfig(Config):
 # master, potentially causing inconsistency.
 self.enable_media_repo = config.get("enable_media_repo", True)
+ # whether to require users to authenticate in order to query /profile
+ # endpoints via CS API. this is a workaround in advance of MSC1301 landing
+ self.auth_profile_reqs = config.get("auth_profile_reqs", True)
+
 # whether to enable search. If disabled, new entries will not be inserted
 # into the search tables and they will not be indexed. Users will receive
 # errors when attempting to search for messages.
@@ -318,6 +322,10 @@ class ServerConfig(Config):
 #
 #use_presence: false
+ # whether to require users to authenticate in order to query /profile
+ # endpoints via CS API. this is a workaround in advance of MSC1301 landing
+ #auth_profile_reqs: false
+
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
 #gc_thresholds: [700, 10, 10]
diff --git a/synapse/rest/client/v1/profile.py b/synapse/rest/client/v1/profile.py
index 56679f13f4..125aaecf5b 100644
--- a/synapse/rest/client/v1/profile.py
+++ b/synapse/rest/client/v1/profile.py
@@ -36,6 +36,8 @@ class ProfileDisplaynameRestServlet(ClientV1RestServlet):
 @defer.inlineCallbacks
 def on_GET(self, request, user_id):
+ if self.hs.config.auth_profile_reqs:
+ yield self.auth.get_user_by_req(request)
 user = UserID.from_string(user_id)
 displayname = yield self.profile_handler.get_displayname(
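Review bot: In the `ServerConfig` hunk at -71, `config.get("auth_profile_reqs", True)` makes the option default to on, while the sample-config hunk at -318 shows `#auth_profile_reqs: false` and neither comment states the default. A deployment that never sets the key will start rejecting unauthenticated GET /profile requests after upgrading, and nothing in the sample text signals that. I would state the default in both comments, e.g. `# Defaults to true: GET /profile on the CS API then requires an access token.`, or change the fallback to `False` if opt-in was intended. The comment scopes the gate to the CS API; whether other routes serve the same profile data cannot be seen from this diff and is worth confirming before relying on the option.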
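Review bot: The guard added to `ProfileDisplaynameRestServlet.on_GET` (and repeated verbatim in the `ProfileAvatarURLRestServlet` and `ProfileRestServlet` hunks) authenticates the caller but discards the returned requester, so any holder of a valid access token can still read any user's profile. That limit deserves a comment at the check, e.g. `# authentication only: does not check that the requester may see this user's profile`, because on a server where anyone can obtain a token the option narrows who can look up display names and avatars rather than restricting it to related users. The three identical copies could be one helper on the servlet base class so that a later authorisation check lands in a single place. Each `on_GET` body continues past the end of its hunk.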
@@ -99,6 +101,8 @@ class ProfileAvatarURLRestServlet(ClientV1RestServlet):
 @defer.inlineCallbacks
 def on_GET(self, request, user_id):
+ if self.hs.config.auth_profile_reqs:
+ yield self.auth.get_user_by_req(request)
 user = UserID.from_string(user_id)
 avatar_url = yield self.profile_handler.get_avatar_url(
@@ -160,6 +164,8 @@ class ProfileRestServlet(ClientV1RestServlet):
 @defer.inlineCallbacks
 def on_GET(self, request, user_id):
+ if self.hs.config.auth_profile_reqs:
+ yield self.auth.get_user_by_req(request)
 user = UserID.from_string(user_id)
 displayname = yield self.profile_handler.get_displayname(
-- cgit 1.4.1