Sanitise a user's powerlevel to an int() before numerical comparison, because otherwise Python is "helpful" with it (SYN-351)
parent
6080830bef
commit
3a7d7a3f22
@ -189,6 +189,12 @@ class Auth(object):
|
|||||||
auth_events,
|
auth_events,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# TODO(paul): There's an awful lot of int()-casting in this code;
|
||||||
|
# surely we should be squashing strings to integers at a higher
|
||||||
|
# level, maybe when we insert?
|
||||||
|
if user_level is not None:
|
||||||
|
user_level = int(user_level)
|
||||||
|
|
||||||
ban_level, kick_level, redact_level = (
|
ban_level, kick_level, redact_level = (
|
||||||
self._get_ops_level_from_event_state(
|
self._get_ops_level_from_event_state(
|
||||||
event,
|
event,
|
||||||
@ -269,6 +275,7 @@ class Auth(object):
|
|||||||
403, "You cannot kick user %s." % target_user_id
|
403, "You cannot kick user %s." % target_user_id
|
||||||
)
|
)
|
||||||
elif Membership.BAN == membership:
|
elif Membership.BAN == membership:
|
||||||
|
print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level)
|
||||||
if user_level < ban_level:
|
if user_level < ban_level:
|
||||||
raise AuthError(403, "You don't have permission to ban")
|
raise AuthError(403, "You don't have permission to ban")
|
||||||
else:
|
else:
|
||||||
|
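Review bot: The second hunk leaves a debugging `print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level)` in the ban branch, which writes a user's power level to stdout on every ban check and is unrelated to the fix the commit describes; it should be dropped, or, if the module already has a logger, replaced with a lazy-formatted debug call such as `logger.debug("user level %r vs ban level %r", user_level, ban_level)`. In the first hunk, `user_level = int(user_level)` will raise ValueError if the stored value is a non-numeric string, which presumably surfaces as a server error rather than the 403 the surrounding checks raise, so a comment noting that assumption (or a guarded conversion) would help; the TODO already hints that the cast belongs at insert time. The comparison on `ban_level` a few lines later only works if `_get_ops_level_from_event_state` returns ints as well, which this hunk does not show. The enclosing method starts and ends outside both hunks.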