Add rules to DomainRuleChecker

2024-12-21 12:14:29 +03:00 · 2019-03-18 15:45:27 +00:00 · 2019-03-18 15:45:27 +00:00 · 68a9d1fc34
commit 68a9d1fc34
parent feae387576
2 changed files with 44 additions and 11 deletions
--- a/synapse/rulecheck/domain_rule_checker.py
+++ b/synapse/rulecheck/domain_rule_checker.py
@ -34,7 +34,17 @@ class DomainRuleChecker(object):
            "inviter_domain": [ "invitee_domain_permitted", "other_domain_permitted" ]
            "other_inviter_domain": [ "invitee_domain_permitted" ]
          default: False
-        }
+
+          # Only let local users join rooms if they were explicitly invited.
+          can_only_join_rooms_with_invite: false
+
+          # Only let local users create rooms if they are inviting only one
+          # other user, and that user matches the rules above.
+          can_only_create_one_to_one_rooms: false
+
+          # Only let local users invite during room creation, regardless of the
+          # domain mapping rules above.
+          can_only_invite_during_room_creation: false

    Don't forget to consider if you can invite users from your own domain.
    """
@ -43,6 +53,16 @@ class DomainRuleChecker(object):
        self.domain_mapping = config["domain_mapping"] or {}
        self.default = config["default"]

+        self.can_only_join_rooms_with_invite = config.get(
+            "can_only_join_rooms_with_invite", False,
+        )
+        self.can_only_create_one_to_one_rooms = config.get(
+            "can_only_create_one_to_one_rooms", False,
+        )
+        self.can_only_invite_during_room_creation = config.get(
+            "can_only_invite_during_room_creation", False,
+        )
+
    def check_event_for_spam(self, event):
        """Implements synapse.events.SpamChecker.check_event_for_spam
        """
@ -52,6 +72,9 @@ class DomainRuleChecker(object):
                        new_room):
        """Implements synapse.events.SpamChecker.user_may_invite
        """
+        if self.can_only_invite_during_room_creation and not new_room:
+            return False
+
        inviter_domain = self._get_domain_from_id(inviter_userid)
        invitee_domain = self._get_domain_from_id(invitee_userid)

@ -63,6 +86,13 @@ class DomainRuleChecker(object):
    def user_may_create_room(self, userid, invite_list, cloning):
        """Implements synapse.events.SpamChecker.user_may_create_room
        """
+
+        if cloning:
+            return True
+
+        if self.can_only_create_one_to_one_rooms and len(invite_list) != 1:
+            return False
+
        return True

    def user_may_create_room_alias(self, userid, room_alias):
@ -75,9 +105,12 @@ class DomainRuleChecker(object):
        """
        return True

-    def user_may_join_room(self, userid, room_id, is_invited, new_room):
+    def user_may_join_room(self, userid, room_id, is_invited):
        """Implements synapse.events.SpamChecker.user_may_join_room
        """
+        if self.can_only_join_rooms_with_invite and not is_invited:
+            return False
+
        return True

    @staticmethod
--- a/tests/rulecheck/test_domainrulecheck.py
+++ b/tests/rulecheck/test_domainrulecheck.py
@ -31,13 +31,13 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
        }
        check = DomainRuleChecker(config)
        self.assertTrue(
-            check.user_may_invite("test:source_one", "test:target_one", "room")
+            check.user_may_invite("test:source_one", "test:target_one", "room", False)
        )
        self.assertTrue(
-            check.user_may_invite("test:source_one", "test:target_two", "room")
+            check.user_may_invite("test:source_one", "test:target_two", "room", False)
        )
        self.assertTrue(
-            check.user_may_invite("test:source_two", "test:target_two", "room")
+            check.user_may_invite("test:source_two", "test:target_two", "room", False)
        )

    def test_disallowed(self):
@ -51,16 +51,16 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
        }
        check = DomainRuleChecker(config)
        self.assertFalse(
-            check.user_may_invite("test:source_one", "test:target_three", "room")
+            check.user_may_invite("test:source_one", "test:target_three", "room", False)
        )
        self.assertFalse(
-            check.user_may_invite("test:source_two", "test:target_three", "room")
+            check.user_may_invite("test:source_two", "test:target_three", "room", False)
        )
        self.assertFalse(
-            check.user_may_invite("test:source_two", "test:target_one", "room")
+            check.user_may_invite("test:source_two", "test:target_one", "room", False)
        )
        self.assertFalse(
-            check.user_may_invite("test:source_four", "test:target_one", "room")
+            check.user_may_invite("test:source_four", "test:target_one", "room", False)
        )

    def test_default_allow(self):
@ -73,7 +73,7 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
        }
        check = DomainRuleChecker(config)
        self.assertTrue(
-            check.user_may_invite("test:source_three", "test:target_one", "room")
+            check.user_may_invite("test:source_three", "test:target_one", "room", False)
        )

    def test_default_deny(self):
@ -86,7 +86,7 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
        }
        check = DomainRuleChecker(config)
        self.assertFalse(
-            check.user_may_invite("test:source_three", "test:target_one", "room")
+            check.user_may_invite("test:source_three", "test:target_one", "room", False)
        )

    def test_config_parse(self):