From 68a9d1fc34beead269f715538298bef1114569b3 Mon Sep 17 00:00:00 2001
From: Erik Johnston
Date: Mon, 18 Mar 2019 15:45:27 +0000
Subject: [PATCH] Add rules to DomainRuleChecker
---
 synapse/rulecheck/domain_rule_checker.py | 37 ++++++++++++++++++++++--
 tests/rulecheck/test_domainrulecheck.py | 18 ++++++------
 2 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/synapse/rulecheck/domain_rule_checker.py b/synapse/rulecheck/domain_rule_checker.py
index 9addfd1c1c..410757041b 100644
--- a/synapse/rulecheck/domain_rule_checker.py
+++ b/synapse/rulecheck/domain_rule_checker.py
@@ -34,7 +34,17 @@ class DomainRuleChecker(object):
 "inviter_domain": [ "invitee_domain_permitted", "other_domain_permitted" ]
 "other_inviter_domain": [ "invitee_domain_permitted" ]
 default: False
- }
+
+ # Only let local users join rooms if they were explicitly invited.
+ can_only_join_rooms_with_invite: false
+
+ # Only let local users create rooms if they are inviting only one
+ # other user, and that user matches the rules above.
+ can_only_create_one_to_one_rooms: false
+
+ # Only let local users invite during room creation, regardless of the
+ # domain mapping rules above.
+ can_only_invite_during_room_creation: false
 Don't forget to consider if you can invite users from your own domain.
 """
@@ -43,6 +53,16 @@ class DomainRuleChecker(object):
 self.domain_mapping = config["domain_mapping"] or {}
 self.default = config["default"]
+ self.can_only_join_rooms_with_invite = config.get(
+ "can_only_join_rooms_with_invite", False,
+ )
+ self.can_only_create_one_to_one_rooms = config.get(
+ "can_only_create_one_to_one_rooms", False,
+ )
+ self.can_only_invite_during_room_creation = config.get(
+ "can_only_invite_during_room_creation", False,
+ )
+
 def check_event_for_spam(self, event):
 """Implements synapse.events.SpamChecker.check_event_for_spam
 """
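Review bot: The three new flags in `__init__` are read with `config.get("...", False)`, so a misspelled key in the module config silently leaves that restriction switched off, with no error or log line to show it. Because these flags gate invites, joins and room creation, that is a fail-open default worth closing: reject unknown keys and non-boolean values wherever this module's config is parsed (the parsing code is outside this hunk). At minimum I would add a comment above the block, `# NOTE: a missing or misspelled option defaults to False, i.e. the restriction is not applied`. `__init__` begins above the hunk.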
@@ -52,6 +72,9 @@ class DomainRuleChecker(object):
 new_room):
 """Implements synapse.events.SpamChecker.user_may_invite
 """
+ if self.can_only_invite_during_room_creation and not new_room:
+ return False
+
 inviter_domain = self._get_domain_from_id(inviter_userid)
 invitee_domain = self._get_domain_from_id(invitee_userid)
@@ -63,6 +86,13 @@ class DomainRuleChecker(object):
 def user_may_create_room(self, userid, invite_list, cloning):
 """Implements synapse.events.SpamChecker.user_may_create_room
 """
+
+ if cloning:
+ return True
+
+ if self.can_only_create_one_to_one_rooms and len(invite_list) != 1:
+ return False
+
 return True
 def user_may_create_room_alias(self, userid, room_alias):
@@ -75,9 +105,12 @@ class DomainRuleChecker(object):
 """
 return True
- def user_may_join_room(self, userid, room_id, is_invited, new_room):
+ def user_may_join_room(self, userid, room_id, is_invited):
 """Implements synapse.events.SpamChecker.user_may_join_room
 """
+ if self.can_only_join_rooms_with_invite and not is_invited:
+ return False
+
 return True
 @staticmethod
diff --git a/tests/rulecheck/test_domainrulecheck.py b/tests/rulecheck/test_domainrulecheck.py
index ebcf5ca44e..055fd49915 100644
--- a/tests/rulecheck/test_domainrulecheck.py
+++ b/tests/rulecheck/test_domainrulecheck.py
@@ -31,13 +31,13 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
 }
 check = DomainRuleChecker(config)
 self.assertTrue(
- check.user_may_invite("test:source_one", "test:target_one", "room")
+ check.user_may_invite("test:source_one", "test:target_one", "room", False)
 )
 self.assertTrue(
- check.user_may_invite("test:source_one", "test:target_two", "room")
+ check.user_may_invite("test:source_one", "test:target_two", "room", False)
 )
 self.assertTrue(
- check.user_may_invite("test:source_two", "test:target_two", "room")
+ check.user_may_invite("test:source_two", "test:target_two", "room", False)
 )
 def test_disallowed(self):
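Review bot: The new early return in `user_may_invite` trusts `new_room` completely, and nothing in the hunk says who sets it. If any caller derived it from request data rather than from the server's own room-creation path, the `can_only_invite_during_room_creation` restriction would not hold; the callers are outside this diff, so that needs confirming there. The check also ignores the inviter's domain, so if this hook runs for invites that arrive over federation they would all be refused once the option is on, although the config text speaks only of local users. I would document the contract in the docstring, e.g. `new_room: True only when the server is processing this invite as part of creating the room`. The signature starts above the hunk.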
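Review bot: `user_may_create_room` enforces `can_only_create_one_to_one_rooms` with `len(invite_list) != 1` alone, while the class docstring added in this commit says the single invitee must also match the domain rules. That holds only if `user_may_invite` is run separately for that invitee during creation, which this diff does not show; otherwise the mapping should be applied here as well, e.g. `if len(invite_list) != 1 or not self.user_may_invite(userid, invite_list[0], None, True): return False` under the flag. Two further gaps to confirm with the caller: `if cloning: return True` skips the restriction whenever `cloning` is set, and any invites passed outside `invite_list` (third-party invites, if they are handled separately) are not counted. A short comment explaining why cloned rooms are exempt would help the next reader.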
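Review bot: `user_may_join_room` loses its `new_room` parameter in the same change that adds the `is_invited` check, so any caller still passing four arguments will raise `TypeError`, and no caller is updated in this diff. Without `new_room` the checker can no longer tell a creator joining the room they have just created from an ordinary uninvited join; unless the caller skips this hook in that case, enabling `can_only_join_rooms_with_invite` may block room creation itself. The check is also only as reliable as `is_invited`, which should come from the server's view of room state and not from the request. I would state both assumptions in the docstring, e.g. `is_invited: whether the server holds a pending invite for userid in room_id`.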
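Review bot: None of the three new options has a test; every updated call here and in the three test hunks that follow only appends `False` for `new_room`, so the default-off path is all that runs. The `cloning` short-circuit in `user_may_create_room` and the changed `user_may_join_room` signature are not exercised either. Since these are access-control switches, I would add an allow and a deny case per option, for example a config with `"can_only_invite_during_room_creation": True` asserting `self.assertFalse(check.user_may_invite("test:source_one", "test:target_one", "room", False))` and the same call with `True` allowed. A case for a config that omits the new keys would pin the documented defaults.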
@@ -51,16 +51,16 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
 }
 check = DomainRuleChecker(config)
 self.assertFalse(
- check.user_may_invite("test:source_one", "test:target_three", "room")
+ check.user_may_invite("test:source_one", "test:target_three", "room", False)
 )
 self.assertFalse(
- check.user_may_invite("test:source_two", "test:target_three", "room")
+ check.user_may_invite("test:source_two", "test:target_three", "room", False)
 )
 self.assertFalse(
- check.user_may_invite("test:source_two", "test:target_one", "room")
+ check.user_may_invite("test:source_two", "test:target_one", "room", False)
 )
 self.assertFalse(
- check.user_may_invite("test:source_four", "test:target_one", "room")
+ check.user_may_invite("test:source_four", "test:target_one", "room", False)
 )
 def test_default_allow(self):
@@ -73,7 +73,7 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
 }
 check = DomainRuleChecker(config)
 self.assertTrue(
- check.user_may_invite("test:source_three", "test:target_one", "room")
+ check.user_may_invite("test:source_three", "test:target_one", "room", False)
 )
 def test_default_deny(self):
@@ -86,7 +86,7 @@ class DomainRuleCheckerTestCase(unittest.TestCase):
 }
 check = DomainRuleChecker(config)
 self.assertFalse(
- check.user_may_invite("test:source_three", "test:target_one", "room")
+ check.user_may_invite("test:source_three", "test:target_one", "room", False)
 )
 def test_config_parse(self):