From 8a24c4eee515b21f3eb5572a62937ec1c04e677b Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Thu, 3 May 2018 02:47:55 +0100
Subject: [PATCH] add option to disable changes to the 3PIDs for an account.

This only considers the /account/3pid API, which should be sufficient
as currently we can't change emails associated with push notifs
(which are provisioned at registration), and we can't directly create
mappings for accounts in an IS other than by answering an invite
---
 synapse/config/registration.py          | 8 ++++++++
 synapse/rest/client/v2_alpha/account.py | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 34326718ad..070b7f0d93 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -37,6 +37,9 @@ class RegistrationConfig(Config):
             "check_is_for_allowed_local_3pids", None
         )
         self.allow_invited_3pids = config.get("allow_invited_3pids", False)
+
+        self.disable_3pid_changes = config.get("disable_3pid_changes", False)
+
         self.registration_shared_secret = config.get("registration_shared_secret")
 
         self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
@@ -89,6 +92,11 @@ class RegistrationConfig(Config):
         #     - medium: msisdn
         #       pattern: "\\+44"
 
+        # If true, stop users from trying to change the 3PIDs associated with
+        # their accounts.
+        #
+        # disable_3pid_changes: True
+
         # If set, allows registration by anyone who also has the shared
         # secret, even if registration is otherwise disabled.
         registration_shared_secret: "%(registration_shared_secret)s"
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 7d43a33615..3738ad437e 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -314,6 +314,9 @@ class ThreepidRestServlet(RestServlet):
     def on_POST(self, request):
         yield run_on_reactor()
 
+        if self.hs.config.disable_3pid_changes:
+            raise SynapseError(400, "3PID changes disabled on this server")
+
         body = parse_json_object_from_request(request)
 
         threePidCreds = body.get('threePidCreds')
@@ -367,6 +370,9 @@ class ThreepidDeleteRestServlet(RestServlet):
     def on_POST(self, request):
         yield run_on_reactor()
 
+        if self.hs.config.disable_3pid_changes:
+            raise SynapseError(400, "3PID changes disabled on this server")
+
         body = parse_json_object_from_request(request)
 
         required = ['medium', 'address']