Sanitize power level checks

2024-11-23 10:05:55 +03:00 · 2015-07-10 13:42:24 +01:00 · 2015-07-10 13:42:24 +01:00 · a5ea22d468
commit a5ea22d468
parent 7e3b14fe78
1 changed files with 21 additions and 15 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -261,12 +261,12 @@ class Auth(object):
            elif target_user_id != event.user_id:
                kick_level = self._get_named_level(auth_events, "kick", 50)

-                if user_level < kick_level or user_level < target_level:
+                if user_level < kick_level or user_level <= target_level:
                    raise AuthError(
                        403, "You cannot kick user %s." % target_user_id
                    )
        elif Membership.BAN == membership:
-            if user_level < ban_level or user_level < target_level:
+            if user_level < ban_level or user_level <= target_level:
                raise AuthError(403, "You don't have permission to ban")
        else:
            raise AuthError(500, "Unknown membership %s" % membership)
@ -576,25 +576,25 @@ class Auth(object):

        # Check other levels:
        levels_to_check = [
-            ("users_default", []),
-            ("events_default", []),
-            ("ban", []),
-            ("redact", []),
-            ("kick", []),
-            ("invite", []),
+            ("users_default", None),
+            ("events_default", None),
+            ("ban", None),
+            ("redact", None),
+            ("kick", None),
+            ("invite", None),
        ]

        old_list = current_state.content.get("users")
        for user in set(old_list.keys() + user_list.keys()):
            levels_to_check.append(
-                (user, ["users"])
+                (user, "users")
            )

        old_list = current_state.content.get("events")
        new_list = event.content.get("events")
        for ev_id in set(old_list.keys() + new_list.keys()):
            levels_to_check.append(
-                (ev_id, ["events"])
+                (ev_id, "events")
            )

        old_state = current_state.content
@ -602,12 +602,10 @@ class Auth(object):

        for level_to_check, dir in levels_to_check:
            old_loc = old_state
-            for d in dir:
-                old_loc = old_loc.get(d, {})
-
            new_loc = new_state
-            for d in dir:
-                new_loc = new_loc.get(d, {})
+            if dir:
+                old_loc = old_loc.get(dir, {})
+                new_loc = new_loc.get(dir, {})

            if level_to_check in old_loc:
                old_level = int(old_loc[level_to_check])
@ -623,6 +621,14 @@ class Auth(object):
                if new_level == old_level:
                    continue

+            if dir == "users" and level_to_check != event.user_id:
+                if old_level == user_level:
+                    raise AuthError(
+                        403,
+                        "You don't have permission to remove ops level equal "
+                        "to your own"
+                    )
+
            if old_level > user_level or new_level > user_level:
                raise AuthError(
                    403,