Matrix-Mirrors/forked-synapse
1
0
Fork 0
mirror of https://mau.dev/maunium/synapse.git synced 2024-07-17 08:32:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Device deletion: check UI auth matches access token

Browse Source 
(otherwise there's no point in the UI auth)
This commit is contained in:
Richard van der Hoff 2017-10-27 00:04:31 +01:00
parent 92f680889d
commit 7a6546228b
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
synapse/rest/client/v2_alpha/devices.py
View File

@ -117,6 +117,8 @@ class DeviceRestServlet(servlet.RestServlet):
@defer.inlineCallbacks @defer.inlineCallbacks
def on_DELETE(self, request, device_id): def on_DELETE(self, request, device_id):
requester = yield self.auth.get_user_by_req(request)
try: try:
body = servlet.parse_json_object_from_request(request) body = servlet.parse_json_object_from_request(request)
@ -135,11 +137,12 @@ class DeviceRestServlet(servlet.RestServlet):
if not authed: if not authed:
defer.returnValue((401, result)) defer.returnValue((401, result))
requester = yield self.auth.get_user_by_req(request) # check that the UI auth matched the access token
yield self.device_handler.delete_device( user_id = result[constants.LoginType.PASSWORD]
requester.user.to_string(), if user_id != requester.user.to_string():
device_id, raise errors.AuthError(403, "Invalid auth")
)
yield self.device_handler.delete_device(user_id, device_id)
defer.returnValue((200, {})) defer.returnValue((200, {}))
@defer.inlineCallbacks @defer.inlineCallbacks