Make POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}
endpoint return 404 if event exists, but the user lacks access (#15300)
parent
b6aef59334
commit
ec9224bf9a
1
changelog.d/15300.bugfix
Normal file
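--- a/changelog.d/15300.bugfix
+++ b/changelog.d/15300.bugfix
@@ -0,0 +1 @@
+Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249).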
@ -88,6 +88,18 @@ process, for example:
|
|||||||
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Upgrading to v1.80.0
|
||||||
|
|
||||||
|
## Reporting events error code change
|
||||||
|
|
||||||
|
Before this update, the
|
||||||
|
[`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid)
|
||||||
|
endpoint would return a `403` if a user attempted to report an event that they did not have access to.
|
||||||
|
This endpoint will now return a `404` in this case instead.
|
||||||
|
|
||||||
|
Clients that implement event reporting should check that their error handling code will handle this
|
||||||
|
change.
|
||||||
|
|
||||||
# Upgrading to v1.79.0
|
# Upgrading to v1.79.0
|
||||||
|
|
||||||
## The `on_threepid_bind` module callback method has been deprecated
|
## The `on_threepid_bind` module callback method has been deprecated
|
||||||
|
@ -16,7 +16,7 @@ import logging
|
|||||||
from http import HTTPStatus
|
from http import HTTPStatus
|
||||||
from typing import TYPE_CHECKING, Tuple
|
from typing import TYPE_CHECKING, Tuple
|
||||||
|
|
||||||
from synapse.api.errors import Codes, NotFoundError, SynapseError
|
from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
|
||||||
from synapse.http.server import HttpServer
|
from synapse.http.server import HttpServer
|
||||||
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||||
from synapse.http.site import SynapseRequest
|
from synapse.http.site import SynapseRequest
|
||||||
@ -62,12 +62,18 @@ class ReportEventRestServlet(RestServlet):
|
|||||||
Codes.BAD_JSON,
|
Codes.BAD_JSON,
|
||||||
)
|
)
|
||||||
|
|
||||||
event = await self._event_handler.get_event(
|
try:
|
||||||
requester.user, room_id, event_id, show_redacted=False
|
event = await self._event_handler.get_event(
|
||||||
)
|
requester.user, room_id, event_id, show_redacted=False
|
||||||
|
)
|
||||||
|
except AuthError:
|
||||||
|
# The event exists, but this user is not allowed to access this event.
|
||||||
|
event = None
|
||||||
|
|
||||||
if event is None:
|
if event is None:
|
||||||
raise NotFoundError(
|
raise NotFoundError(
|
||||||
"Unable to report event: it does not exist or you aren't able to see it."
|
"Unable to report event: "
|
||||||
|
"it does not exist or you aren't able to see it."
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.store.add_event_report(
|
await self.store.add_event_report(
|
||||||
|
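Review bot: The `except AuthError:` branch in the `@ -62,12 +62,18 @@` hunk sends every authorization failure from `get_event` down the not-found path, but its comment only restates the condition and does not say why the status changes. Returning the same 404 as for a missing event keeps the endpoint from confirming that an event ID exists in a room the caller cannot see, and recording that intent guards against a later edit restoring the 403; I would write `# Answer exactly as for a missing event so the response does not confirm that the event exists (MSC2249).` The swallowed error also leaves no trace, so if this module defines a logger (only `import logging` is visible here), a debug-level line with the requester and event ID would let operators notice repeated lookups of events in rooms the caller is not in. The enclosing method starts and ends outside the hunk.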
@ -805,7 +805,6 @@ class EventsWorkerStore(SQLBaseStore):
|
|||||||
# the events have been redacted, and if so pulling the redaction event
|
# the events have been redacted, and if so pulling the redaction event
|
||||||
# out of the database to check it.
|
# out of the database to check it.
|
||||||
#
|
#
|
||||||
missing_events = {}
|
|
||||||
try:
|
try:
|
||||||
# Try to fetch from any external cache. We already checked the
|
# Try to fetch from any external cache. We already checked the
|
||||||
# in-memory cache above.
|
# in-memory cache above.
|
||||||
|
@ -90,6 +90,43 @@ class ReportEventTestCase(unittest.HomeserverTestCase):
|
|||||||
msg=channel.result["body"],
|
msg=channel.result["body"],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_cannot_report_event_if_not_in_room(self) -> None:
|
||||||
|
"""
|
||||||
|
Tests that we don't accept event reports for events that exist, but for which
|
||||||
|
the reporter should not be able to view (because they are not in the room).
|
||||||
|
"""
|
||||||
|
# Have the admin user create a room (the "other" user will not join this room).
|
||||||
|
new_room_id = self.helper.create_room_as(tok=self.admin_user_tok)
|
||||||
|
|
||||||
|
# Have the admin user send an event in this room.
|
||||||
|
response = self.helper.send_event(
|
||||||
|
new_room_id,
|
||||||
|
"m.room.message",
|
||||||
|
content={
|
||||||
|
"msgtype": "m.text",
|
||||||
|
"body": "This event has some bad words in it! Flip!",
|
||||||
|
},
|
||||||
|
tok=self.admin_user_tok,
|
||||||
|
)
|
||||||
|
event_id = response["event_id"]
|
||||||
|
|
||||||
|
# Have the "other" user attempt to report it. Perhaps they found the event ID
|
||||||
|
# in a screenshot or something...
|
||||||
|
channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
f"rooms/{new_room_id}/report/{event_id}",
|
||||||
|
{"reason": "I'm not in this room but I have opinions anyways!"},
|
||||||
|
access_token=self.other_user_tok,
|
||||||
|
)
|
||||||
|
|
||||||
|
# The "other" user is not in the room, so their report should be rejected.
|
||||||
|
self.assertEqual(404, channel.code, msg=channel.result["body"])
|
||||||
|
self.assertEqual(
|
||||||
|
"Unable to report event: it does not exist or you aren't able to see it.",
|
||||||
|
channel.json_body["error"],
|
||||||
|
msg=channel.result["body"],
|
||||||
|
)
|
||||||
|
|
||||||
def _assert_status(self, response_status: int, data: JsonDict) -> None:
|
def _assert_status(self, response_status: int, data: JsonDict) -> None:
|
||||||
channel = self.make_request(
|
channel = self.make_request(
|
||||||
"POST", self.report_path, data, access_token=self.other_user_tok
|
"POST", self.report_path, data, access_token=self.other_user_tok
|
||||||
|
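Review bot: `test_cannot_report_event_if_not_in_room` asserts the 404 status and the error string but not the `errcode`, and nothing in the hunk compares this response with the one returned for an event ID that does not exist. Since the change exists to make those two cases indistinguishable to the caller, I would add `self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"], msg=channel.result["body"])`. If the class does not already cover it outside this hunk, a second request for a made-up event ID in the same room should assert an identical status and body. The test also does not check that no report was stored for the rejected request, which would catch a regression where the lookup result is ignored.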