Merge branch 'develop' of github.com:matrix-org/synapse into erikj/unfederatable

2025-05-02 09:56:05 -04:00 · 2015-09-14 18:05:31 +01:00 · 2015-09-14 18:05:31 +01:00 · d59acb8c5b
commit d59acb8c5b
parent 9b05ef6f39 91cb3b630d
15 changed files with 120 additions and 36 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -20,7 +20,7 @@ from twisted.internet import defer
 from synapse.api.constants import EventTypes, Membership, JoinRules
 from synapse.api.errors import AuthError, Codes, SynapseError
 from synapse.util.logutils import log_function
-from synapse.types import RoomID, UserID
+from synapse.types import RoomID, UserID, EventID

 import logging

@ -108,7 +108,7 @@ class Auth(object):
                self._check_power_levels(event, auth_events)

            if event.type == EventTypes.Redaction:
-                self._check_redaction(event, auth_events)
+                self.check_redaction(event, auth_events)

            logger.debug("Allowing! %s", event)
        except AuthError as e:
@ -572,16 +572,35 @@ class Auth(object):

        return True

-    def _check_redaction(self, event, auth_events):
+    def check_redaction(self, event, auth_events):
+        """Check whether the event sender is allowed to redact the target event.
+
+        Returns:
+            True if the the sender is allowed to redact the target event if the
+            target event was created by them.
+            False if the sender is allowed to redact the target event with no
+            further checks.
+
+        Raises:
+            AuthError if the event sender is definitely not allowed to redact
+            the target event.
+        """
        user_level = self._get_user_power_level(event.user_id, auth_events)

        redact_level = self._get_named_level(auth_events, "redact", 50)

-        if user_level < redact_level:
-            raise AuthError(
-                403,
-                "You don't have permission to redact events"
-            )
+        if user_level > redact_level:
+            return False
+
+        redacter_domain = EventID.from_string(event.event_id).domain
+        redactee_domain = EventID.from_string(event.redacts).domain
+        if redacter_domain == redactee_domain:
+            return True
+
+        raise AuthError(
+            403,
+            "You don't have permission to redact events"
+        )

    def _check_power_levels(self, event, auth_events):
        user_list = event.content.get("users", {})