Prevent user tokens being used as guest tokens (#1675)

Make sure that a user cannot pretend to be a guest by adding 'guest = True' caveats.
2025-08-03 19:44:13 -04:00 · 2016-12-06 15:31:37 +00:00 · 2016-12-06 15:31:37 +00:00 · 1529c19675
commit 1529c19675
parent 194b6259c5
3 changed files with 116 additions and 32 deletions
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -81,7 +81,7 @@ class RegistrationHandler(BaseHandler):
                    "User ID already taken.",
                    errcode=Codes.USER_IN_USE,
                )
-            user_data = yield self.auth.get_user_from_macaroon(guest_access_token)
+            user_data = yield self.auth.get_user_by_access_token(guest_access_token)
            if not user_data["is_guest"] or user_data["user"].localpart != localpart:
                raise AuthError(
                    403,