From 869187ce569b5e3a3129abb46fc1d810d8a5d126 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Thu, 1 Jul 2021 11:49:29 +0100
Subject: Allow server admins to read/write room account data for any user
---
 synapse/rest/client/v2_alpha/account_data.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'synapse')
diff --git a/synapse/rest/client/v2_alpha/account_data.py b/synapse/rest/client/v2_alpha/account_data.py
index 7517e9304e..3fa2d7737c 100644
--- a/synapse/rest/client/v2_alpha/account_data.py
+++ b/synapse/rest/client/v2_alpha/account_data.py
@@ -84,7 +84,10 @@ class RoomAccountDataServlet(RestServlet):
 async def on_PUT(self, request, user_id, room_id, account_data_type):
 requester = await self.auth.get_user_by_req(request)

- if user_id != requester.user.to_string():
+ is_admin = await self.auth.is_server_admin(requester.user)
+
+ # Allow server admins to change other user account data, otherwise raise an AuthError
+ if not is_admin and user_id != requester.user.to_string():
 raise AuthError(403, "Cannot add account data for other users.")

 body = parse_json_object_from_request(request)
@@ -104,7 +107,10 @@ class RoomAccountDataServlet(RestServlet):
 async def on_GET(self, request, user_id, room_id, account_data_type):
 requester = await self.auth.get_user_by_req(request)

- if user_id != requester.user.to_string():
+ is_admin = await self.auth.is_server_admin(requester.user)
+
+ # Allow server admins to read other user account data, otherwise raise an AuthError
+ if not is_admin and user_id != requester.user.to_string():
 raise AuthError(403, "Cannot get account data for other users.")

 event = await self.store.get_account_data_for_room_and_type(
--
cgit 1.5.1
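Review bot: The new admin bypass in on_PUT (and the identical one in the on_GET hunk that follows) lets an admin token read or write any `user_id`'s room account data through the client API without leaving a trace, and it awaits `is_server_admin` on every request even when the requester is the target user. I would do the admin lookup only on the mismatch path and log the cross-user access there, as sketched below for on_PUT; the sketch assumes a module-level `logger`, which is not visible in this diff. Nothing in the visible lines checks that `user_id` names a local, existing user before an admin write proceeds, so confirm that happens further down in on_PUT or add the check. Both method bodies start and end outside their hunks.

```python
        requester = await self.auth.get_user_by_req(request)
        requester_id = requester.user.to_string()
        if user_id != requester_id:
            # Only consult the admin flag when acting on someone else's data.
            if not await self.auth.is_server_admin(requester.user):
                raise AuthError(403, "Cannot add account data for other users.")
            logger.info(
                "Server admin %s writing room account data for %s",
                requester_id,
                user_id,
            )
        # … unchanged: body parsing and the account-data write …
```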