mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2024-12-27 05:59:23 -05:00
Add option to allow profile queries without sharing a room (#6523)
This commit is contained in:
parent
6920d88892
commit
bfb95654c9
1
changelog.d/6523.feature
Normal file
1
changelog.d/6523.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Add option `limit_profile_requests_to_users_who_share_rooms` to prevent requirement of a local user sharing a room with another user to query their profile information.
|
@ -54,6 +54,13 @@ pid_file: DATADIR/homeserver.pid
|
|||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
|
# Uncomment to require a user to share a room with another user in order
|
||||||
|
# to retrieve their profile information. Only checked on Client-Server
|
||||||
|
# requests. Profile requests from other servers should be checked by the
|
||||||
|
# requesting server. Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#limit_profile_requests_to_users_who_share_rooms: true
|
||||||
|
|
||||||
# If set to 'true', removes the need for authentication to access the server's
|
# If set to 'true', removes the need for authentication to access the server's
|
||||||
# public rooms directory through the client API, meaning that anyone can
|
# public rooms directory through the client API, meaning that anyone can
|
||||||
# query the room directory. Defaults to 'false'.
|
# query the room directory. Defaults to 'false'.
|
||||||
|
@ -102,6 +102,12 @@ class ServerConfig(Config):
|
|||||||
"require_auth_for_profile_requests", False
|
"require_auth_for_profile_requests", False
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Whether to require sharing a room with a user to retrieve their
|
||||||
|
# profile data
|
||||||
|
self.limit_profile_requests_to_users_who_share_rooms = config.get(
|
||||||
|
"limit_profile_requests_to_users_who_share_rooms", False,
|
||||||
|
)
|
||||||
|
|
||||||
if "restrict_public_rooms_to_local_users" in config and (
|
if "restrict_public_rooms_to_local_users" in config and (
|
||||||
"allow_public_rooms_without_auth" in config
|
"allow_public_rooms_without_auth" in config
|
||||||
or "allow_public_rooms_over_federation" in config
|
or "allow_public_rooms_over_federation" in config
|
||||||
@ -621,6 +627,13 @@ class ServerConfig(Config):
|
|||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
|
# Uncomment to require a user to share a room with another user in order
|
||||||
|
# to retrieve their profile information. Only checked on Client-Server
|
||||||
|
# requests. Profile requests from other servers should be checked by the
|
||||||
|
# requesting server. Defaults to 'false'.
|
||||||
|
#
|
||||||
|
#limit_profile_requests_to_users_who_share_rooms: true
|
||||||
|
|
||||||
# If set to 'true', removes the need for authentication to access the server's
|
# If set to 'true', removes the need for authentication to access the server's
|
||||||
# public rooms directory through the client API, meaning that anyone can
|
# public rooms directory through the client API, meaning that anyone can
|
||||||
# query the room directory. Defaults to 'false'.
|
# query the room directory. Defaults to 'false'.
|
||||||
|
@ -295,12 +295,16 @@ class BaseProfileHandler(BaseHandler):
|
|||||||
be found to be in any room the server is in, and therefore the query
|
be found to be in any room the server is in, and therefore the query
|
||||||
is denied.
|
is denied.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# Implementation of MSC1301: don't allow looking up profiles if the
|
# Implementation of MSC1301: don't allow looking up profiles if the
|
||||||
# requester isn't in the same room as the target. We expect requester to
|
# requester isn't in the same room as the target. We expect requester to
|
||||||
# be None when this function is called outside of a profile query, e.g.
|
# be None when this function is called outside of a profile query, e.g.
|
||||||
# when building a membership event. In this case, we must allow the
|
# when building a membership event. In this case, we must allow the
|
||||||
# lookup.
|
# lookup.
|
||||||
if not self.hs.config.require_auth_for_profile_requests or not requester:
|
if (
|
||||||
|
not self.hs.config.limit_profile_requests_to_users_who_share_rooms
|
||||||
|
or not requester
|
||||||
|
):
|
||||||
return
|
return
|
||||||
|
|
||||||
# Always allow the user to query their own profile.
|
# Always allow the user to query their own profile.
|
||||||
|
@ -237,6 +237,7 @@ class ProfilesRestrictedTestCase(unittest.HomeserverTestCase):
|
|||||||
|
|
||||||
config = self.default_config()
|
config = self.default_config()
|
||||||
config["require_auth_for_profile_requests"] = True
|
config["require_auth_for_profile_requests"] = True
|
||||||
|
config["limit_profile_requests_to_users_who_share_rooms"] = True
|
||||||
self.hs = self.setup_test_homeserver(config=config)
|
self.hs = self.setup_test_homeserver(config=config)
|
||||||
|
|
||||||
return self.hs
|
return self.hs
|
||||||
@ -309,6 +310,7 @@ class OwnProfileUnrestrictedTestCase(unittest.HomeserverTestCase):
|
|||||||
def make_homeserver(self, reactor, clock):
|
def make_homeserver(self, reactor, clock):
|
||||||
config = self.default_config()
|
config = self.default_config()
|
||||||
config["require_auth_for_profile_requests"] = True
|
config["require_auth_for_profile_requests"] = True
|
||||||
|
config["limit_profile_requests_to_users_who_share_rooms"] = True
|
||||||
self.hs = self.setup_test_homeserver(config=config)
|
self.hs = self.setup_test_homeserver(config=config)
|
||||||
|
|
||||||
return self.hs
|
return self.hs
|
||||||
|
Loading…
Reference in New Issue
Block a user