mirror of
https://github.com/element-hq/synapse.git
synced 2024-11-26 19:47:05 +03:00
Neater implementation of membership change auth checks, ensuring we can't forget to check if the calling user is a member of the room
This commit is contained in:
parent
e6e130b9ba
commit
399b5add58
1 changed files with 10 additions and 18 deletions
|
@ -215,17 +215,20 @@ class Auth(object):
|
||||||
else:
|
else:
|
||||||
ban_level = 50 # FIXME (erikj): What should we do here?
|
ban_level = 50 # FIXME (erikj): What should we do here?
|
||||||
|
|
||||||
if Membership.INVITE == membership:
|
if Membership.JOIN != membership:
|
||||||
# TODO (erikj): We should probably handle this more intelligently
|
# JOIN is the only action you can perform if you're not in the room
|
||||||
# PRIVATE join rules.
|
|
||||||
|
|
||||||
# Invites are valid iff caller is in the room and target isn't.
|
|
||||||
if not caller_in_room: # caller isn't joined
|
if not caller_in_room: # caller isn't joined
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
403,
|
403,
|
||||||
"%s not in room %s." % (event.user_id, event.room_id,)
|
"%s not in room %s." % (event.user_id, event.room_id,)
|
||||||
)
|
)
|
||||||
elif target_banned:
|
|
||||||
|
if Membership.INVITE == membership:
|
||||||
|
# TODO (erikj): We should probably handle this more intelligently
|
||||||
|
# PRIVATE join rules.
|
||||||
|
|
||||||
|
# Invites are valid iff caller is in the room and target isn't.
|
||||||
|
if target_banned:
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
403, "%s is banned from the room" % (target_user_id,)
|
403, "%s is banned from the room" % (target_user_id,)
|
||||||
)
|
)
|
||||||
|
@ -251,13 +254,7 @@ class Auth(object):
|
||||||
raise AuthError(403, "You are not allowed to join this room")
|
raise AuthError(403, "You are not allowed to join this room")
|
||||||
elif Membership.LEAVE == membership:
|
elif Membership.LEAVE == membership:
|
||||||
# TODO (erikj): Implement kicks.
|
# TODO (erikj): Implement kicks.
|
||||||
|
if target_banned and user_level < ban_level:
|
||||||
if not caller_in_room: # trying to leave a room you aren't joined
|
|
||||||
raise AuthError(
|
|
||||||
403,
|
|
||||||
"%s not in room %s." % (target_user_id, event.room_id,)
|
|
||||||
)
|
|
||||||
elif target_banned and user_level < ban_level:
|
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
403, "You cannot unban user &s." % (target_user_id,)
|
403, "You cannot unban user &s." % (target_user_id,)
|
||||||
)
|
)
|
||||||
|
@ -272,11 +269,6 @@ class Auth(object):
|
||||||
403, "You cannot kick user %s." % target_user_id
|
403, "You cannot kick user %s." % target_user_id
|
||||||
)
|
)
|
||||||
elif Membership.BAN == membership:
|
elif Membership.BAN == membership:
|
||||||
if not caller_in_room: # caller isn't joined
|
|
||||||
raise AuthError(
|
|
||||||
403,
|
|
||||||
"%s not in room %s." % (event.user_id, event.room_id,)
|
|
||||||
)
|
|
||||||
if user_level < ban_level:
|
if user_level < ban_level:
|
||||||
raise AuthError(403, "You don't have permission to ban")
|
raise AuthError(403, "You don't have permission to ban")
|
||||||
else:
|
else:
|
||||||
|
|
Loading…
Reference in a new issue