From 182147195b707ce10af165ccd72a5bb2f3ecab38 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Mon, 21 Jun 2021 11:57:09 +0100
Subject: Check third party rules before persisting knocks over federation
 (#10212)

An accidental mis-ordering of operations during #6739 technically allowed an incoming knock event over federation in before checking it against any configured Third Party Access Rules modules.

This PR corrects that by performing the TPAR check *before* persisting the event.
---
 synapse/handlers/federation.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'synapse')

diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 0bfb25802a..1b566dbf2d 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -2086,8 +2086,6 @@ class FederationHandler(BaseHandler):
 
         context = await self.state_handler.compute_event_context(event)
 
-        await self._auth_and_persist_event(origin, event, context)
-
         event_allowed = await self.third_party_event_rules.check_event_allowed(
             event, context
         )
@@ -2097,6 +2095,8 @@ class FederationHandler(BaseHandler):
                 403, "This event is not allowed in this context", Codes.FORBIDDEN
             )
 
+        await self._auth_and_persist_event(origin, event, context)
+
         return context
 
     async def get_state_for_pdu(self, room_id: str, event_id: str) -> List[EventBase]:
-- 
cgit 1.4.1