Ensure that non-room-members cannot ban others, even if they do have enough powerlevel (SYN-343)

2024-10-01 11:49:51 -04:00 · 2015-04-15 18:07:33 +01:00 · 2015-04-15 18:07:33 +01:00 · e6e130b9ba
commit e6e130b9ba
parent 4847a9534d
1 changed files with 5 additions and 0 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -272,6 +272,11 @@ class Auth(object):
                        403, "You cannot kick user %s." % target_user_id
                    )
        elif Membership.BAN == membership:
+            if not caller_in_room:  # caller isn't joined
+                raise AuthError(
+                    403,
+                    "%s not in room %s." % (event.user_id, event.room_id,)
+                )
            if user_level < ban_level:
                raise AuthError(403, "You don't have permission to ban")
        else: