Add third_party module callbacks to check if a user can delete a room and deactivate a user (#12028)

* Add check_can_deactivate_user * Add check_can_shutdown_rooms * Documentation * callbacks, not functions * Various suggested tweaks * Add tests for test_check_can_shutdown_room and test_check_can_deactivate_user * Update check_can_deactivate_user to not take a Requester * Fix check_can_shutdown_room docs * Renegade and use `by_admin` instead of `admin_user_id` * fix lint * Update docs/modules/third_party_rules_callbacks.md Co-authored-by: Brendan Abolivier <babolivier@matrix.org> * Update docs/modules/third_party_rules_callbacks.md Co-authored-by: Brendan Abolivier <babolivier@matrix.org> * Update docs/modules/third_party_rules_callbacks.md Co-authored-by: Brendan Abolivier <babolivier@matrix.org> * Update docs/modules/third_party_rules_callbacks.md Co-authored-by: Brendan Abolivier <babolivier@matrix.org> Co-authored-by: Brendan Abolivier <babolivier@matrix.org>
2025-05-04 23:15:02 -04:00 · 2022-03-09 18:23:57 +00:00 · 2022-03-09 18:23:57 +00:00 · 15382b1afa
commit 15382b1afa
parent 690cb4f3b3
8 changed files with 254 additions and 1 deletions
--- a/synapse/handlers/deactivate_account.py
+++ b/synapse/handlers/deactivate_account.py
@ -17,7 +17,7 @@ from typing import TYPE_CHECKING, Optional

 from synapse.api.errors import SynapseError
 from synapse.metrics.background_process_metrics import run_as_background_process
-from synapse.types import Requester, UserID, create_requester
+from synapse.types import Codes, Requester, UserID, create_requester

 if TYPE_CHECKING:
    from synapse.server import HomeServer
@ -42,6 +42,7 @@ class DeactivateAccountHandler:

        # Flag that indicates whether the process to part users from rooms is running
        self._user_parter_running = False
+        self._third_party_rules = hs.get_third_party_event_rules()

        # Start the user parter loop so it can resume parting users from rooms where
        # it left off (if it has work left to do).
@ -74,6 +75,15 @@ class DeactivateAccountHandler:
        Returns:
            True if identity server supports removing threepids, otherwise False.
        """
+
+        # Check if this user can be deactivated
+        if not await self._third_party_rules.check_can_deactivate_user(
+            user_id, by_admin
+        ):
+            raise SynapseError(
+                403, "Deactivation of this user is forbidden", Codes.FORBIDDEN
+            )
+
        # FIXME: Theoretically there is a race here wherein user resets
        # password using threepid.