mirror of
https://git.anonymousland.org/anonymousland/synapse-product.git
synced 2024-12-29 23:36:10 -05:00
4f4f27e57f
Previously, when creating a join event in /make_join, we would decide whether to include additional fields to satisfy restricted room checks based on the current state of the room. Then, when building the event, we would capture the forward extremities of the room to use as prev events. This is subject to race conditions. For example, when leaving and rejoining a room, the following sequence of events leads to a misleading 403 response: 1. /make_join reads the current state of the room and sees that the user is still in the room. It decides to omit the field required for restricted room joins. 2. The leave event is persisted and the room's forward extremities are updated. 3. /make_join builds the event, using the post-leave forward extremities. The event then fails the restricted room checks. To mitigate the race, we move the read of the forward extremities closer to the read of the current state. Ideally, we would compute the state based off the chosen prev events, but that can involve state resolution, which is expensive. Signed-off-by: Sean Quah <seanq@matrix.org> |
||
---|---|---|
.. | ||
_scripts | ||
api | ||
app | ||
appservice | ||
config | ||
crypto | ||
events | ||
federation | ||
handlers | ||
http | ||
logging | ||
metrics | ||
module_api | ||
push | ||
replication | ||
res | ||
rest | ||
server_notices | ||
spam_checker_api | ||
state | ||
static | ||
storage | ||
streams | ||
types | ||
util | ||
__init__.py | ||
event_auth.py | ||
notifier.py | ||
py.typed | ||
server.py | ||
visibility.py |