Merge pull request #202 from matrix-org/erikj/power_level_sanity

Change power level semantics.
2024-10-01 11:49:51 -04:00 · 2015-07-16 18:18:04 +01:00 · 2015-07-16 18:18:04 +01:00 · a2ed7f437c
commit a2ed7f437c
parent 09489499e7 016c089f13
1 changed files with 25 additions and 16 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -187,6 +187,9 @@ class Auth(object):
            join_rule = JoinRules.INVITE

        user_level = self._get_user_power_level(event.user_id, auth_events)
+        target_level = self._get_user_power_level(
+            target_user_id, auth_events
+        )

        # FIXME (erikj): What should we do here as the default?
        ban_level = self._get_named_level(auth_events, "ban", 50)
@ -258,12 +261,12 @@ class Auth(object):
            elif target_user_id != event.user_id:
                kick_level = self._get_named_level(auth_events, "kick", 50)

-                if user_level < kick_level:
+                if user_level < kick_level or user_level <= target_level:
                    raise AuthError(
                        403, "You cannot kick user %s." % target_user_id
                    )
        elif Membership.BAN == membership:
-            if user_level < ban_level:
+            if user_level < ban_level or user_level <= target_level:
                raise AuthError(403, "You don't have permission to ban")
        else:
            raise AuthError(500, "Unknown membership %s" % membership)
@ -573,26 +576,26 @@ class Auth(object):

        # Check other levels:
        levels_to_check = [
-            ("users_default", []),
-            ("events_default", []),
-            ("state_default", []),
-            ("ban", []),
-            ("redact", []),
-            ("kick", []),
-            ("invite", []),
+            ("users_default", None),
+            ("events_default", None),
+            ("state_default", None),
+            ("ban", None),
+            ("redact", None),
+            ("kick", None),
+            ("invite", None),
        ]

        old_list = current_state.content.get("users")
        for user in set(old_list.keys() + user_list.keys()):
            levels_to_check.append(
-                (user, ["users"])
+                (user, "users")
            )

        old_list = current_state.content.get("events")
        new_list = event.content.get("events")
        for ev_id in set(old_list.keys() + new_list.keys()):
            levels_to_check.append(
-                (ev_id, ["events"])
+                (ev_id, "events")
            )

        old_state = current_state.content
@ -600,12 +603,10 @@ class Auth(object):

        for level_to_check, dir in levels_to_check:
            old_loc = old_state
-            for d in dir:
-                old_loc = old_loc.get(d, {})
-
            new_loc = new_state
-            for d in dir:
-                new_loc = new_loc.get(d, {})
+            if dir:
+                old_loc = old_loc.get(dir, {})
+                new_loc = new_loc.get(dir, {})

            if level_to_check in old_loc:
                old_level = int(old_loc[level_to_check])
@ -621,6 +622,14 @@ class Auth(object):
                if new_level == old_level:
                    continue

+            if dir == "users" and level_to_check != event.user_id:
+                if old_level == user_level:
+                    raise AuthError(
+                        403,
+                        "You don't have permission to remove ops level equal "
+                        "to your own"
+                    )
+
            if old_level > user_level or new_level > user_level:
                raise AuthError(
                    403,