From 512993b57f3755d4416002667bc6a568fa6c3334 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 19 Nov 2014 17:21:40 +0000 Subject: Only users can set state events which have their own user_id --- synapse/api/auth.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'synapse/api') diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 1a8785e890..6d8a9e4df7 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -446,6 +446,26 @@ class Auth(object): "user_level (%d) < send_level (%d)" % (user_level, send_level) ) + # Check state_key + if hasattr(event, "state_key"): + if not event.state_key.startswith("_"): + if event.state_key.startswith("@"): + if event.state_key != event.user_id: + raise AuthError( + 403, + "You are not allowed to set others state" + ) + else: + sender_domain = self.hs.parse_userid( + event.user_id + ).domain + + if sender_domain != event.state_key: + raise AuthError( + 403, + "You are not allowed to set others state" + ) + return True def _check_redaction(self, event): -- cgit 1.4.1