This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

MSC2260: Block direct sends of m.room.aliases events #6794

Merged
merged 2 commits into from
Jan 30, 2020
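--- a/changelog.d/6794.feature
+++ b/changelog.d/6794.feature
@@ -0,0 +1 @@
+Implement updated authorization rules for aliases events, from [MSC2260](https://github.com/matrix-org/matrix-doc/pull/2260).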
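--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -184,6 +184,12 @@ async def on_PUT(self, request, room_id, event_type, state_key, txn_id=None):
 
 content = parse_json_object_from_request(request)
 
+if event_type == EventTypes.Aliases:
+# MSC2260
+raise SynapseError(
+400, "Cannot send m.room.aliases events via /rooms/{room_id}/state"
+)
+
 event_dict = {
 "type": event_type,
 "content": content,
@@ -231,6 +237,12 @@ async def on_POST(self, request, room_id, event_type, txn_id=None):
 requester = await self.auth.get_user_by_req(request, allow_guest=True)
 content = parse_json_object_from_request(request)
 
+if event_type == EventTypes.Aliases:
+# MSC2260
+raise SynapseError(
+400, "Cannot send m.room.aliases events via /rooms/{room_id}/send"
+)
+
 event_dict = {
 "type": event_type,
 "content": content,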
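Review bot: The same `m.room.aliases` rejection is written twice, once in `on_PUT` and once in `on_POST`, and both copies sit in the REST servlets, so the block holds only for requests that pass through these two handlers; whether any other client-facing path builds events without them is not visible from these hunks. Enforcing it once where the event is created, or at least in one shared helper, would keep the two copies from drifting apart. The bare `# MSC2260` comment would read better as `# MSC2260: clients may not send m.room.aliases directly; reject before building the event`, and since no errcode is passed to `SynapseError`, a client can presumably tell this 400 from other 400s only by the message text. Both function bodies continue outside the hunks.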
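--- a/tests/rest/admin/test_admin.py
+++ b/tests/rest/admin/test_admin.py
@@ -868,13 +868,6 @@ def test_correct_room_attributes(self):
 self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
 
 # Set this new alias as the canonical alias for this room
-self.helper.send_state(
-room_id,
-"m.room.aliases",
-{"aliases": [test_alias]},
-tok=self.admin_user_tok,
-state_key="test",
-)
 self.helper.send_state(
 room_id,
 "m.room.canonical_alias",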
41 changes: 15 additions & 26 deletions tests/rest/client/v1/test_directory.py
@@ -51,26 +51,30 @@ def prepare(self, reactor, clock, homeserver):
self.user = self.register_user("user", "test")
self.user_tok = self.login("user", "test")

def test_state_event_not_in_room(self):
self.ensure_user_left_room()
self.set_alias_via_state_event(403)
def test_cannot_set_alias_via_state_event(self):
self.ensure_user_joined_room()
url = "/_matrix/client/r0/rooms/%s/state/m.room.aliases/%s" % (
self.room_id,
self.hs.hostname,
)

data = {"aliases": [self.random_alias(5)]}
request_data = json.dumps(data)

request, channel = self.make_request(
"PUT", url, request_data, access_token=self.user_tok
)
self.render(request)
self.assertEqual(channel.code, 400, channel.result)

def test_directory_endpoint_not_in_room(self):
self.ensure_user_left_room()
self.set_alias_via_directory(403)

def test_state_event_in_room_too_long(self):
self.ensure_user_joined_room()
self.set_alias_via_state_event(400, alias_length=256)

def test_directory_in_room_too_long(self):
self.ensure_user_joined_room()
self.set_alias_via_directory(400, alias_length=256)

def test_state_event_in_room(self):
self.ensure_user_joined_room()
self.set_alias_via_state_event(200)

def test_directory_in_room(self):
self.ensure_user_joined_room()
self.set_alias_via_directory(200)
@@ -102,21 +106,6 @@ def test_room_creation(self):
self.render(request)
self.assertEqual(channel.code, 200, channel.result)

def set_alias_via_state_event(self, expected_code, alias_length=5):
url = "/_matrix/client/r0/rooms/%s/state/m.room.aliases/%s" % (
self.room_id,
self.hs.hostname,
)

data = {"aliases": [self.random_alias(alias_length)]}
request_data = json.dumps(data)

request, channel = self.make_request(
"PUT", url, request_data, access_token=self.user_tok
)
self.render(request)
self.assertEqual(channel.code, expected_code, channel.result)

def set_alias_via_directory(self, expected_code, alias_length=5):
url = "/_matrix/client/r0/directory/room/%s" % self.random_alias(alias_length)
data = {"room_id": self.room_id}
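Review bot: `test_cannot_set_alias_via_state_event` exercises only the PUT `/state` path, so the matching rejection this change adds for `/send` has no test in this file as shown. The assertion also checks only the status code, and 400 is the same code the removed `test_state_event_in_room_too_long` expected for an over-long alias, so a 400 alone does not prove the new check is what rejected the request; asserting on the error text would pin it. A sibling test for the send path is sketched below; the test class itself starts outside the hunk.

```python
    def test_cannot_set_alias_via_send_event(self):
        self.ensure_user_joined_room()
        url = "/_matrix/client/r0/rooms/%s/send/m.room.aliases" % (self.room_id,)

        request_data = json.dumps({"aliases": [self.random_alias(5)]})
        request, channel = self.make_request(
            "POST", url, request_data, access_token=self.user_tok
        )
        self.render(request)
        self.assertEqual(channel.code, 400, channel.result)
        # Tie the 400 to the aliases block rather than to any other validation failure.
        self.assertIn("m.room.aliases", channel.json_body["error"])
```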