mirror of
https://mau.dev/maunium/synapse.git
synced 2024-10-01 01:36:05 -04:00
Do not return allowed_room_ids from /hierarchy response. (#12175)
This field is only to be used in the Server-Server API, and not the Client-Server API, but was being leaked when a federation response was used in the /hierarchy API.
This commit is contained in:
parent
d8bab6793c
commit
ca9234a9eb
1
changelog.d/12175.bugfix
Normal file
1
changelog.d/12175.bugfix
Normal file
@ -0,0 +1 @@
|
|||||||
|
Fix a bug where non-standard information was returned from the `/hierarchy` API. Introduced in Synapse v1.41.0.
|
@ -295,7 +295,7 @@ class RoomSummaryHandler:
|
|||||||
# inaccessible to the requesting user.
|
# inaccessible to the requesting user.
|
||||||
if room_entry:
|
if room_entry:
|
||||||
# Add the room (including the stripped m.space.child events).
|
# Add the room (including the stripped m.space.child events).
|
||||||
rooms_result.append(room_entry.as_json())
|
rooms_result.append(room_entry.as_json(for_client=True))
|
||||||
|
|
||||||
# If this room is not at the max-depth, check if there are any
|
# If this room is not at the max-depth, check if there are any
|
||||||
# children to process.
|
# children to process.
|
||||||
@ -843,14 +843,25 @@ class _RoomEntry:
|
|||||||
# This may not include all children.
|
# This may not include all children.
|
||||||
children_state_events: Sequence[JsonDict] = ()
|
children_state_events: Sequence[JsonDict] = ()
|
||||||
|
|
||||||
def as_json(self) -> JsonDict:
|
def as_json(self, for_client: bool = False) -> JsonDict:
|
||||||
"""
|
"""
|
||||||
Returns a JSON dictionary suitable for the room hierarchy endpoint.
|
Returns a JSON dictionary suitable for the room hierarchy endpoint.
|
||||||
|
|
||||||
It returns the room summary including the stripped m.space.child events
|
It returns the room summary including the stripped m.space.child events
|
||||||
as a sub-key.
|
as a sub-key.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
for_client: If true, any server-server only fields are stripped from
|
||||||
|
the result.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
result = dict(self.room)
|
result = dict(self.room)
|
||||||
|
|
||||||
|
# Before returning to the client, remove the allowed_room_ids key, if it
|
||||||
|
# exists.
|
||||||
|
if for_client:
|
||||||
|
result.pop("allowed_room_ids", False)
|
||||||
|
|
||||||
result["children_state"] = self.children_state_events
|
result["children_state"] = self.children_state_events
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
@ -172,6 +172,9 @@ class SpaceSummaryTestCase(unittest.HomeserverTestCase):
|
|||||||
result_room_ids = []
|
result_room_ids = []
|
||||||
result_children_ids = []
|
result_children_ids = []
|
||||||
for result_room in result["rooms"]:
|
for result_room in result["rooms"]:
|
||||||
|
# Ensure federation results are not leaking over the client-server API.
|
||||||
|
self.assertNotIn("allowed_room_ids", result_room)
|
||||||
|
|
||||||
result_room_ids.append(result_room["room_id"])
|
result_room_ids.append(result_room["room_id"])
|
||||||
result_children_ids.append(
|
result_children_ids.append(
|
||||||
[
|
[
|
||||||
|
Loading…
Reference in New Issue
Block a user