Extra validation for rest/client/account_data (#13148)
* Extra validation for rest/client/account_data This is a fairly simple endpoint and we did pretty well here. * Changelog
This commit is contained in:
parent
6da861ae69
commit
d70ff5cc35
1
changelog.d/13148.feature
Normal file
1
changelog.d/13148.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Improve validation logic in Synapse's REST endpoints.
|
@ -15,11 +15,11 @@
|
|||||||
import logging
|
import logging
|
||||||
from typing import TYPE_CHECKING, Tuple
|
from typing import TYPE_CHECKING, Tuple
|
||||||
|
|
||||||
from synapse.api.errors import AuthError, NotFoundError, SynapseError
|
from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
|
||||||
from synapse.http.server import HttpServer
|
from synapse.http.server import HttpServer
|
||||||
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||||
from synapse.http.site import SynapseRequest
|
from synapse.http.site import SynapseRequest
|
||||||
from synapse.types import JsonDict
|
from synapse.types import JsonDict, RoomID
|
||||||
|
|
||||||
from ._base import client_patterns
|
from ._base import client_patterns
|
||||||
|
|
||||||
@ -104,6 +104,13 @@ class RoomAccountDataServlet(RestServlet):
|
|||||||
if user_id != requester.user.to_string():
|
if user_id != requester.user.to_string():
|
||||||
raise AuthError(403, "Cannot add account data for other users.")
|
raise AuthError(403, "Cannot add account data for other users.")
|
||||||
|
|
||||||
|
if not RoomID.is_valid(room_id):
|
||||||
|
raise SynapseError(
|
||||||
|
400,
|
||||||
|
f"{room_id} is not a valid room ID",
|
||||||
|
Codes.INVALID_PARAM,
|
||||||
|
)
|
||||||
|
|
||||||
body = parse_json_object_from_request(request)
|
body = parse_json_object_from_request(request)
|
||||||
|
|
||||||
if account_data_type == "m.fully_read":
|
if account_data_type == "m.fully_read":
|
||||||
@ -111,6 +118,7 @@ class RoomAccountDataServlet(RestServlet):
|
|||||||
405,
|
405,
|
||||||
"Cannot set m.fully_read through this API."
|
"Cannot set m.fully_read through this API."
|
||||||
" Use /rooms/!roomId:server.name/read_markers",
|
" Use /rooms/!roomId:server.name/read_markers",
|
||||||
|
Codes.BAD_JSON,
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.handler.add_account_data_to_room(
|
await self.handler.add_account_data_to_room(
|
||||||
@ -130,6 +138,13 @@ class RoomAccountDataServlet(RestServlet):
|
|||||||
if user_id != requester.user.to_string():
|
if user_id != requester.user.to_string():
|
||||||
raise AuthError(403, "Cannot get account data for other users.")
|
raise AuthError(403, "Cannot get account data for other users.")
|
||||||
|
|
||||||
|
if not RoomID.is_valid(room_id):
|
||||||
|
raise SynapseError(
|
||||||
|
400,
|
||||||
|
f"{room_id} is not a valid room ID",
|
||||||
|
Codes.INVALID_PARAM,
|
||||||
|
)
|
||||||
|
|
||||||
event = await self.store.get_account_data_for_room_and_type(
|
event = await self.store.get_account_data_for_room_and_type(
|
||||||
user_id, room_id, account_data_type
|
user_id, room_id, account_data_type
|
||||||
)
|
)
|
||||||
|