AUth the contents of power level events

This commit is contained in:
Erik Johnston 2014-09-04 16:40:23 +01:00
parent 95037d8d9d
commit 250ee2ea7d

View File

@ -19,7 +19,7 @@ from twisted.internet import defer
from synapse.api.constants import Membership, JoinRules from synapse.api.constants import Membership, JoinRules
from synapse.api.errors import AuthError, StoreError, Codes from synapse.api.errors import AuthError, StoreError, Codes
from synapse.api.events.room import RoomMemberEvent from synapse.api.events.room import RoomMemberEvent, RoomPowerLevelsEvent
from synapse.util.logutils import log_function from synapse.util.logutils import log_function
import logging import logging
@ -67,6 +67,9 @@ class Auth(object):
else: else:
yield self._can_send_event(event) yield self._can_send_event(event)
if event.type == RoomPowerLevelsEvent.TYPE:
yield self._check_power_levels(event)
defer.returnValue(True) defer.returnValue(True)
else: else:
raise AuthError(500, "Unknown event: %s" % event) raise AuthError(500, "Unknown event: %s" % event)
@ -315,3 +318,71 @@ class Auth(object):
403, 403,
"You don't have permission to change that state" "You don't have permission to change that state"
) )
@defer.inlineCallbacks
def _check_power_levels(self, event):
current_state = yield self.store.get_current_state(
event.room_id,
event.type,
event.state_key,
)
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
if user_level:
user_level = int(user_level)
else:
user_level = 0
old_list = current_state.content
# FIXME (erikj)
old_people = {k: v for k, v in old_list.items() if k.startswith("@")}
new_people = {k: v for k, v in event.content if k.startswith("@")}
removed = set(old_people.keys()) - set(new_people.keys())
added = set(old_people.keys()) - set(new_people.keys())
same = set(old_people.keys()) & set(new_people.keys())
for r in removed:
if int(old_list.content[r]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
)
for n in new_people:
if int(event.content[n]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
)
for s in same:
if int(event.content[s]) != int(old_list[s]):
if int(old_list[s]) > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
)
if "default" in old_list:
old_default = int(old_list["default"])
if old_default > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
)
if "default" in event.content:
new_default = int(event.content["default"])
if new_default > user_level:
raise AuthError(
403,
"You don't have permission to change that state"
)