MSC2260: Block direct sends of m.room.aliases events (#6794)
* commit '184303b86':
  MSC2260: Block direct sends of m.room.aliases events (#6794)
anoadragon453 committed Mar 23, 2020
2 parents b791fc9 + 184303b commit 35b1d78
Showing 4 changed files with 28 additions and 33 deletions.
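--- a/changelog.d/6794.feature
+++ b/changelog.d/6794.feature
@@ -0,0 +1 @@
+Implement updated authorization rules for aliases events, from [MSC2260](https://github.com/matrix-org/matrix-doc/pull/2260).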
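--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -184,6 +184,12 @@ async def on_PUT(self, request, room_id, event_type, state_key, txn_id=None):
 
 content = parse_json_object_from_request(request)
 
+if event_type == EventTypes.Aliases:
+# MSC2260
+raise SynapseError(
+400, "Cannot send m.room.aliases events via /rooms/{room_id}/state"
+)
+
 event_dict = {
 "type": event_type,
 "content": content,
@@ -231,6 +237,12 @@ async def on_POST(self, request, room_id, event_type, txn_id=None):
 requester = await self.auth.get_user_by_req(request, allow_guest=True)
 content = parse_json_object_from_request(request)
 
+if event_type == EventTypes.Aliases:
+# MSC2260
+raise SynapseError(
+400, "Cannot send m.room.aliases events via /rooms/{room_id}/send"
+)
+
 event_dict = {
 "type": event_type,
 "content": content,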
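Review bot: The m.room.aliases rejection is copied verbatim into both on_PUT and on_POST and, as far as this diff shows, lives only in these two servlets, so any other entry point that builds events from a client-supplied type would not inherit it. One helper called from both handlers, or a single check in the shared event-creation path, would keep the rule from drifting between endpoints. The bare `# MSC2260` comment does not say why the type is refused; something like `# MSC2260: clients may no longer send m.room.aliases directly; aliases are managed through the directory API` would tell the next reader what must not be relaxed. The error is raised with SynapseError's default error code, so consider passing an explicit `errcode=` if clients or log-based monitoring need to tell this refusal apart from other 400s. Both handler bodies start and continue outside the hunks.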
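--- a/tests/rest/admin/test_admin.py
+++ b/tests/rest/admin/test_admin.py
@@ -868,13 +868,6 @@ def test_correct_room_attributes(self):
 self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
 
 # Set this new alias as the canonical alias for this room
-self.helper.send_state(
-room_id,
-"m.room.aliases",
-{"aliases": [test_alias]},
-tok=self.admin_user_tok,
-state_key="test",
-)
 self.helper.send_state(
 room_id,
 "m.room.canonical_alias",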
41 changes: 15 additions & 26 deletions tests/rest/client/v1/test_directory.py
@@ -51,26 +51,30 @@ def prepare(self, reactor, clock, homeserver):
self.user = self.register_user("user", "test")
self.user_tok = self.login("user", "test")

def test_state_event_not_in_room(self):
self.ensure_user_left_room()
self.set_alias_via_state_event(403)
def test_cannot_set_alias_via_state_event(self):
self.ensure_user_joined_room()
url = "/_matrix/client/r0/rooms/%s/state/m.room.aliases/%s" % (
self.room_id,
self.hs.hostname,
)

data = {"aliases": [self.random_alias(5)]}
request_data = json.dumps(data)

request, channel = self.make_request(
"PUT", url, request_data, access_token=self.user_tok
)
self.render(request)
self.assertEqual(channel.code, 400, channel.result)

def test_directory_endpoint_not_in_room(self):
self.ensure_user_left_room()
self.set_alias_via_directory(403)

def test_state_event_in_room_too_long(self):
self.ensure_user_joined_room()
self.set_alias_via_state_event(400, alias_length=256)

def test_directory_in_room_too_long(self):
self.ensure_user_joined_room()
self.set_alias_via_directory(400, alias_length=256)

def test_state_event_in_room(self):
self.ensure_user_joined_room()
self.set_alias_via_state_event(200)

def test_directory_in_room(self):
self.ensure_user_joined_room()
self.set_alias_via_directory(200)
@@ -102,21 +106,6 @@ def test_room_creation(self):
self.render(request)
self.assertEqual(channel.code, 200, channel.result)

def set_alias_via_state_event(self, expected_code, alias_length=5):
url = "/_matrix/client/r0/rooms/%s/state/m.room.aliases/%s" % (
self.room_id,
self.hs.hostname,
)

data = {"aliases": [self.random_alias(alias_length)]}
request_data = json.dumps(data)

request, channel = self.make_request(
"PUT", url, request_data, access_token=self.user_tok
)
self.render(request)
self.assertEqual(channel.code, expected_code, channel.result)

def set_alias_via_directory(self, expected_code, alias_length=5):
url = "/_matrix/client/r0/directory/room/%s" % self.random_alias(alias_length)
data = {"room_id": self.room_id}
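Review bot: Only the PUT /rooms/{room_id}/state path is exercised by test_cannot_set_alias_via_state_event; the matching rejection that this commit adds to on_POST for /rooms/{room_id}/send in synapse/rest/client/v1/room.py has no test here. A second case that sends an m.room.aliases event through the /send endpoint and ends with `self.assertEqual(channel.code, 400, channel.result)` would pin both blocked paths, so a later refactor cannot silently reopen one of them. The new test would also benefit from a one-line docstring saying that the 400 is the MSC2260 block rather than a validation failure, since the removed too-long-alias test on the same URL expected 400 as well. The test class starts and continues outside these hunks.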
