SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event

SYN-12 # comment Auth has been added.
2025-05-02 21:44:52 -04:00 · 2014-09-23 17:36:17 +01:00 · 2014-09-23 17:36:17 +01:00 · bc250a6afa
commit bc250a6afa
parent 932b376b4e
4 changed files with 43 additions and 6 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -19,7 +19,9 @@ from twisted.internet import defer

 from synapse.api.constants import Membership, JoinRules
 from synapse.api.errors import AuthError, StoreError, Codes, SynapseError
-from synapse.api.events.room import RoomMemberEvent, RoomPowerLevelsEvent
+from synapse.api.events.room import (
+    RoomMemberEvent, RoomPowerLevelsEvent, RoomDeletionEvent,
+)
 from synapse.util.logutils import log_function

 import logging
@ -70,6 +72,9 @@ class Auth(object):
                if event.type == RoomPowerLevelsEvent.TYPE:
                    yield self._check_power_levels(event)

+                if event.type == RoomDeletionEvent.TYPE:
+                    yield self._check_deletion(event)
+
                defer.returnValue(True)
            else:
                raise AuthError(500, "Unknown event: %s" % event)
@ -170,7 +175,7 @@ class Auth(object):
                    event.room_id,
                    event.user_id,
                )
-                _, kick_level = yield self.store.get_ops_levels(event.room_id)
+                _, kick_level, _ = yield self.store.get_ops_levels(event.room_id)

                if kick_level:
                    kick_level = int(kick_level)
@ -187,7 +192,7 @@ class Auth(object):
                event.user_id,
            )

-            ban_level, _ = yield self.store.get_ops_levels(event.room_id)
+            ban_level, _, _  = yield self.store.get_ops_levels(event.room_id)

            if ban_level:
                ban_level = int(ban_level)
@ -321,6 +326,29 @@ class Auth(object):
                    "You don't have permission to change that state"
                )

+    @defer.inlineCallbacks
+    def _check_deletion(self, event):
+        user_level = yield self.store.get_power_level(
+            event.room_id,
+            event.user_id,
+        )
+
+        if user_level:
+            user_level = int(user_level)
+        else:
+            user_level = 0
+
+        _, _, delete_level  = yield self.store.get_ops_levels(event.room_id)
+
+        if not delete_level:
+            delete_level = 50
+
+        if user_level < delete_level:
+            raise AuthError(
+                403,
+                "You don't have permission to delete events"
+            )
+
    @defer.inlineCallbacks
    def _check_power_levels(self, event):
        for k, v in event.content.items():