From f20d064e05b1641162f36303139a611a97b6890e Mon Sep 17 00:00:00 2001
From: Steven Hammerton <steven.hammerton@openmarket.com>
Date: Tue, 17 Nov 2015 10:58:05 +0000
Subject: [PATCH] Always check guest = true in macaroons

---
 synapse/api/auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 7fbbd8917..8111b3442 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -589,7 +589,7 @@ class Auth(object):
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
             self.validate_macaroon(
                 macaroon, "access",
-                [lambda c: c == "guest = true", lambda c: c.startswith("time < ")]
+                [lambda c: c.startswith("time < ")]
             )
 
             user_prefix = "user_id = "
@@ -643,6 +643,7 @@ class Auth(object):
         v.satisfy_exact("gen = 1")
         v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
+        v.satisfy_exact("guest = true")
 
         for validation_function in additional_validation_functions:
             v.satisfy_general(validation_function)