From b6aef593347924d39b4ff8b07e375eb656001545 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Tue, 21 Mar 2023 13:23:47 +0000 Subject: [PATCH 1/5] Make `EventHandler.get_event` return `None` when the requested event is not found (#15298) --- changelog.d/15298.bugfix | 1 + synapse/handlers/events.py | 9 +++++---- tests/rest/client/test_report_event.py | 5 +++++ 3 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 changelog.d/15298.bugfix diff --git a/changelog.d/15298.bugfix b/changelog.d/15298.bugfix new file mode 100644 index 000000000..8f29b0844 --- /dev/null +++ b/changelog.d/15298.bugfix @@ -0,0 +1 @@ +Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249). \ No newline at end of file diff --git a/synapse/handlers/events.py b/synapse/handlers/events.py index 68c07f026..33359f6ed 100644 --- a/synapse/handlers/events.py +++ b/synapse/handlers/events.py @@ -159,15 +159,16 @@ class EventHandler: Returns: An event, or None if there is no event matching this ID. Raises: - SynapseError if there was a problem retrieving this event, or - AuthError if the user does not have the rights to inspect this - event. + AuthError: if the user does not have the rights to inspect this event. """ redact_behaviour = ( EventRedactBehaviour.as_is if show_redacted else EventRedactBehaviour.redact ) event = await self.store.get_event( - event_id, check_room_id=room_id, redact_behaviour=redact_behaviour + event_id, + check_room_id=room_id, + redact_behaviour=redact_behaviour, + allow_none=True, ) if not event: 
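Review bot: The rewritten `Raises:` section of `EventHandler.get_event` leaves callers with two distinguishable outcomes, `None` for a missing event and `AuthError` for one the user may not see. The docstring does not warn that passing both through to a client reveals whether an event ID exists. I would add a line under `Raises:` such as `Callers that expose the result to clients should treat AuthError like None, so the response does not disclose that the event exists.` The docstring also drops `SynapseError`; whether `self.store.get_event` can still raise it with `allow_none=True` (for example through `check_room_id`) is not visible here and is worth confirming. The function body continues past the hunk at `if not event:`.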
diff --git a/tests/rest/client/test_report_event.py b/tests/rest/client/test_report_event.py index 1250685d3..1a8ab067a 100644 --- a/tests/rest/client/test_report_event.py +++ b/tests/rest/client/test_report_event.py @@ -84,6 +84,11 @@ class ReportEventTestCase(unittest.HomeserverTestCase): access_token=self.other_user_tok, ) self.assertEqual(404, channel.code, msg=channel.result["body"]) + self.assertEqual( + "Unable to report event: it does not exist or you aren't able to see it.", + channel.json_body["error"], + msg=channel.result["body"], + ) def _assert_status(self, response_status: int, data: JsonDict) -> None: channel = self.make_request( From ec9224bf9a7bebb6c429ef45e0d1a293f0986836 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Tue, 21 Mar 2023 13:24:03 +0000 Subject: [PATCH 2/5] Make `POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}` endpoint return 404 if event exists, but the user lacks access (#15300) --- changelog.d/15300.bugfix | 1 + docs/upgrade.md | 12 ++++++ synapse/rest/client/report_event.py | 16 +++++--- .../storage/databases/main/events_worker.py | 1 - tests/rest/client/test_report_event.py | 37 +++++++++++++++++++ 5 files changed, 61 insertions(+), 6 deletions(-) create mode 100644 changelog.d/15300.bugfix diff --git a/changelog.d/15300.bugfix b/changelog.d/15300.bugfix new file mode 100644 index 000000000..8f29b0844 --- /dev/null +++ b/changelog.d/15300.bugfix @@ -0,0 +1 @@ +Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249). \ No newline at end of file diff --git a/docs/upgrade.md b/docs/upgrade.md index f06e87405..f14444a40 100644 --- a/docs/upgrade.md 
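Review bot: The assertion added to `tests/rest/client/test_report_event.py` pins the human-readable error string but not the machine-readable code, so a regression that returns a 404 with a different `errcode` for the denied case would still pass. The point of the series is that a missing event and an inaccessible one look the same to the client, so I would also assert `self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"], msg=channel.result["body"])`, which is the code `NotFoundError` is expected to produce. The same applies to `test_cannot_report_event_if_not_in_room`, added in the later hunk of this file in patch 2/5. That test could also check that no report was stored for the rejected request, if the test case has a way to read reports back; none is visible here.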
+++ b/docs/upgrade.md @@ -88,6 +88,18 @@ process, for example: dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb ``` +# Upgrading to v1.80.0 + +## Reporting events error code change + +Before this update, the +[`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) +endpoint would return a `403` if a user attempted to report an event that they did not have access to. +This endpoint will now return a `404` in this case instead. + +Clients that implement event reporting should check that their error handling code will handle this +change. + # Upgrading to v1.79.0 ## The `on_threepid_bind` module callback method has been deprecated diff --git a/synapse/rest/client/report_event.py b/synapse/rest/client/report_event.py index 9be586022..ac1a63ca2 100644 --- a/synapse/rest/client/report_event.py +++ b/synapse/rest/client/report_event.py @@ -16,7 +16,7 @@ import logging from http import HTTPStatus from typing import TYPE_CHECKING, Tuple -from synapse.api.errors import Codes, NotFoundError, SynapseError +from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError from synapse.http.server import HttpServer from synapse.http.servlet import RestServlet, parse_json_object_from_request from synapse.http.site import SynapseRequest @@ -62,12 +62,18 @@ class ReportEventRestServlet(RestServlet): Codes.BAD_JSON, ) - event = await self._event_handler.get_event( - requester.user, room_id, event_id, show_redacted=False - ) + try: + event = await self._event_handler.get_event( + requester.user, room_id, event_id, show_redacted=False + ) + except AuthError: + # The event exists, but this user is not allowed to access this event. + event = None + if event is None: raise NotFoundError( - "Unable to report event: it does not exist or you aren't able to see it." + "Unable to report event: " + "it does not exist or you aren't able to see it." ) await self.store.add_event_report( 
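Review bot: The new `except AuthError:` branch in `ReportEventRestServlet` discards the denial silently, so repeated report attempts against events in rooms the user is not in leave no server-side trace beyond the 404 responses. I would log the denial there, for example `logger.info("Denied event report: user %s has no access to %s in %s", requester.user, event_id, room_id)`. This assumes the module defines `logger`; the file imports `logging`, but the definition is outside the hunk. The existing comment could also say why the error is mapped to `None`, e.g. `# Treat as not found so the response does not reveal that the event exists.` The handler method starts before and continues after this hunk.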
diff --git a/synapse/storage/databases/main/events_worker.py b/synapse/storage/databases/main/events_worker.py index 20b7a6836..0cf46626d 100644 --- a/synapse/storage/databases/main/events_worker.py +++ b/synapse/storage/databases/main/events_worker.py @@ -805,7 +805,6 @@ class EventsWorkerStore(SQLBaseStore): # the events have been redacted, and if so pulling the redaction event # out of the database to check it. # - missing_events = {} try: # Try to fetch from any external cache. We already checked the # in-memory cache above. diff --git a/tests/rest/client/test_report_event.py b/tests/rest/client/test_report_event.py index 1a8ab067a..b88f1d61a 100644 --- a/tests/rest/client/test_report_event.py +++ b/tests/rest/client/test_report_event.py 
@@ -90,6 +90,43 @@ class ReportEventTestCase(unittest.HomeserverTestCase): msg=channel.result["body"], ) + def test_cannot_report_event_if_not_in_room(self) -> None: + """ + Tests that we don't accept event reports for events that exist, but for which + the reporter should not be able to view (because they are not in the room). + """ + # Have the admin user create a room (the "other" user will not join this room). + new_room_id = self.helper.create_room_as(tok=self.admin_user_tok) + + # Have the admin user send an event in this room. + response = self.helper.send_event( + new_room_id, + "m.room.message", + content={ + "msgtype": "m.text", + "body": "This event has some bad words in it! Flip!", + }, + tok=self.admin_user_tok, + ) + event_id = response["event_id"] + + # Have the "other" user attempt to report it. Perhaps they found the event ID + # in a screenshot or something... + channel = self.make_request( + "POST", + f"rooms/{new_room_id}/report/{event_id}", + {"reason": "I'm not in this room but I have opinions anyways!"}, + access_token=self.other_user_tok, + ) + + # The "other" user is not in the room, so their report should be rejected. + self.assertEqual(404, channel.code, msg=channel.result["body"]) + self.assertEqual( + "Unable to report event: it does not exist or you aren't able to see it.", + channel.json_body["error"], + msg=channel.result["body"], + ) + def _assert_status(self, response_status: int, data: JsonDict) -> None: channel = self.make_request( "POST", self.report_path, data, access_token=self.other_user_tok From 96bcc5d9028e745df2f708c92b15e4e5bfc91328 Mon Sep 17 00:00:00 2001 From: Shay Date: Tue, 21 Mar 2023 10:49:25 -0700 Subject: [PATCH 3/5] Revert "check sqlite database file exists before porting/#14692" (#15301) --- changelog.d/15301.bugfix | 3 +++ synapse/_scripts/synapse_port_db.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changelog.d/15301.bugfix 
diff --git a/changelog.d/15301.bugfix b/changelog.d/15301.bugfix new file mode 100644 index 000000000..c8f3628d3 --- /dev/null +++ b/changelog.d/15301.bugfix @@ -0,0 +1,3 @@ +Fix a bug introduced in Synapse 1.75.0rc1 where the [SQLite port_db script](https://matrix-org.github.io/synapse/latest/postgres.html#porting-from-sqlite) +would fail to open the SQLite database. + diff --git a/synapse/_scripts/synapse_port_db.py b/synapse/_scripts/synapse_port_db.py index 2c9cbf8b2..78d76d38a 100755 --- a/synapse/_scripts/synapse_port_db.py +++ b/synapse/_scripts/synapse_port_db.py @@ -1329,7 +1329,7 @@ def main() -> None: sqlite_config = { "name": "sqlite3", "args": { - "database": "file:{}?mode=rw".format(args.sqlite_database), + "database": args.sqlite_database, "cp_min": 1, "cp_max": 1, "check_same_thread": False, From 7655bc054296ced0810d0a649ac7993c9443658b Mon Sep 17 00:00:00 2001 From: "H. Shay" Date: Wed, 22 Mar 2023 08:30:23 -0700 Subject: [PATCH 4/5] 1.80.0rc2 --- CHANGES.md | 11 +++++++++++ changelog.d/15298.bugfix | 1 - changelog.d/15300.bugfix | 1 - changelog.d/15301.bugfix | 3 --- debian/changelog | 6 ++++++ pyproject.toml | 2 +- 6 files changed, 18 insertions(+), 6 deletions(-) delete mode 100644 changelog.d/15298.bugfix delete mode 100644 changelog.d/15300.bugfix delete mode 100644 changelog.d/15301.bugfix diff --git a/CHANGES.md b/CHANGES.md index 1d15bacb9..88cb2bdf2 100644 --- a/CHANGES.md +++ b/CHANGES.md 
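Review bot: With the `file:{}?mode=rw` form reverted in `main()`, nothing in this hunk stops a mistyped `args.sqlite_database` from being opened as a new path. sqlite3 creates an empty database file by default in that case, so the port would presumably run against an empty source instead of failing early. The reverted commit's title says it existed to check that the file is present, so I would keep that check explicitly before `sqlite_config` is built, e.g. `if not os.path.isfile(args.sqlite_database): sys.exit("SQLite database not found: " + args.sqlite_database)`. Whether `os` and `sys` are imported in this script is not visible here. `main()` starts and ends outside the hunk.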
@@ -1,3 +1,14 @@ +Synapse 1.80.0rc2 (2023-03-22) +============================== + +Bugfixes +-------- + +- Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249). ([\#15298](https://github.com/matrix-org/synapse/issues/15298), [\#15300](https://github.com/matrix-org/synapse/issues/15300)) +- Fix a bug introduced in Synapse 1.75.0rc1 where the [SQLite port_db script](https://matrix-org.github.io/synapse/latest/postgres.html#porting-from-sqlite) + would fail to open the SQLite database. ([\#15301](https://github.com/matrix-org/synapse/issues/15301)) + + Synapse 1.80.0rc1 (2023-03-21) ============================== diff --git a/changelog.d/15298.bugfix b/changelog.d/15298.bugfix deleted file mode 100644 index 8f29b0844..000000000 --- a/changelog.d/15298.bugfix +++ /dev/null @@ -1 +0,0 @@ -Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249). \ No newline at end of file diff --git a/changelog.d/15300.bugfix b/changelog.d/15300.bugfix deleted file mode 100644 index 8f29b0844..000000000 --- a/changelog.d/15300.bugfix +++ /dev/null 
@@ -1 +0,0 @@ -Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249). \ No newline at end of file diff --git a/changelog.d/15301.bugfix b/changelog.d/15301.bugfix deleted file mode 100644 index c8f3628d3..000000000 --- a/changelog.d/15301.bugfix +++ /dev/null @@ -1,3 +0,0 @@ -Fix a bug introduced in Synapse 1.75.0rc1 where the [SQLite port_db script](https://matrix-org.github.io/synapse/latest/postgres.html#porting-from-sqlite) -would fail to open the SQLite database. - diff --git a/debian/changelog b/debian/changelog index 32df14add..ca2316030 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.80.0~rc2) stable; urgency=medium + + * New Synapse release 1.80.0rc2. + + -- Synapse Packaging team Wed, 22 Mar 2023 08:30:16 -0700 + matrix-synapse-py3 (1.80.0~rc1) stable; urgency=medium * New Synapse release 1.80.0rc1. diff --git a/pyproject.toml b/pyproject.toml index 0ba5c9480..19dc7c153 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -89,7 +89,7 @@ manifest-path = "rust/Cargo.toml" [tool.poetry] name = "matrix-synapse" -version = "1.80.0rc1" +version = "1.80.0rc2" description = "Homeserver for the Matrix decentralised comms protocol" authors = ["Matrix.org Team and Contributors "] license = "Apache-2.0" From 9f7d6c6bc1b414d8f6591cc1d312a9c6b3a28980 Mon Sep 17 00:00:00 2001 From: Sean Quah Date: Tue, 28 Mar 2023 11:10:59 +0100 Subject: [PATCH 5/5] 1.80.0 --- CHANGES.md | 6 ++++++ debian/changelog | 6 ++++++ pyproject.toml | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 88cb2bdf2..5f2a4a41e 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,9 @@ +Synapse 1.80.0 (2023-03-28) +=========================== + +No significant changes since 1.80.0rc2. + + Synapse 1.80.0rc2 (2023-03-22) ============================== diff --git a/debian/changelog b/debian/changelog index ca2316030..98366d491 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +matrix-synapse-py3 (1.80.0) stable; urgency=medium + + * New Synapse release 1.80.0. + + -- Synapse Packaging team Tue, 28 Mar 2023 11:10:33 +0100 + matrix-synapse-py3 (1.80.0~rc2) stable; urgency=medium * New Synapse release 1.80.0rc2. diff --git a/pyproject.toml b/pyproject.toml index 19dc7c153..05bf59970 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -89,7 +89,7 @@ manifest-path = "rust/Cargo.toml" [tool.poetry] name = "matrix-synapse" -version = "1.80.0rc2" +version = "1.80.0" description = "Homeserver for the Matrix decentralised comms protocol" authors = ["Matrix.org Team and Contributors "] license = "Apache-2.0"