Synapse doesn't accept m.room.power_level events with string values even though it sends them

[t3chguy]

Description

Synapse will happily send clients malformed m.room.power_level events with string power levels yet will not accept them, causing stuck PLs in a room where the client shouldn't be expected to have to sanitise the event which it was sent.

Steps to reproduce

• Have a room with a power level event giving someone PL "0"
• Try to update the power level of someone else

More context element-hq/element-web#19751 (comment)
Related #12537 (same cause)

Version information

• Homeserver: matrix.org

[richvdh]

I'm not really sure what we should do about this, tbh.

Obviously it's caused by the validation in #10232. On the one hand, it seems obvious that we shouldn't allow clients to send malformed PL events. On the other, if the PL event is malformed to start with, it's maybe not reasonable to require clients to "fix" it.

But attempting to "fix" the event before we pass it on to clients doesn't feel good either.

Maybe we should allow clients to send malformed PL events if the original PL event is malformed?

[richvdh]

(Maybe we should just fix #12537 and then tell everyone they have to upgrade to a modern room version...)

[dom96]

While you all resolve this, is there any workaround we can use for our channel? I need to be able to give mod rights to others as it's currently just me and I am not always online to moderate.

[richvdh]

While you all resolve this, is there any workaround we can use for our channel?

use the /devtools to replace the strings in the PL event.

[erciccione]

use the /devtools to replace the strings in the PL event.

Worked for me. Was unable to give mod powers until i changed all strings into integers.

[sheerluck]

--- a/synapse/events/validator.py
+++ b/synapse/events/validator.py
@@ -94,6 +94,11 @@ class EventValidator:
                 )
 
         if event.type == EventTypes.PowerLevels:
+            users = event.content.get("users")
+            if users:
+                for key, val in users.items():
+                    if type(val) is str:
+                        users[key] = int(val)
             try:
                 jsonschema.validate(
                     instance=event.content,

[sheerluck]

Richard gave me "thumbs down" but 2 days ago in #12537 he wanted to pass them through int() himself :)

[dom96]

use the /devtools to replace the strings in the PL event.

Worked for me. Was unable to give mod powers until i changed all strings into integers.

After figuring out what /devtools meant it also worked for me, thanks! (for those that don't know and want to workaround as well: just type in /devtools into the Matrix chat box)

[richvdh]

Richard gave me "thumbs down" but 2 days ago in #12537 he wanted to pass them through int() himself :)

In room upgrades. Not where you suggest.

[richvdh]

(Maybe we should just fix #12537 and then tell everyone they have to upgrade to a modern room version...)

We'll wait until #12537 is fixed, but this is our current preferred approach

[MadLittleMods]

#12537 was closed via #12657

Can we close this if our preferred approach is to force people to upgrade to a modern room version and that works now?

[DMRobertson]

Let's do so.