author | Kegsay <kegan@matrix.org> | 2020-06-23 11:47:48 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-23 11:47:48 +0100 |
commit | 4220a374cabbc1a885d9c79037fcf42e14fef677 (patch) | |
tree | 86ee3e324e1447a0fbfd561c7108835051f5de8b /federationapi/routing/events.go | |
parent | 02565c37aa2a03b31b3bd7447c9a8ab90a6cd9e7 (diff) |
Fix room checks for /state and /state_ids (#1155)
We would return a 403 first (as the server would not be allowed to
see this event) and only then return a 404 if the event is not in
the given room. We now invert those checks for /state and /state_ids
to make the tests pass.
Diffstat (limited to 'federationapi/routing/events.go')
-rw-r--r-- | federationapi/routing/events.go | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/federationapi/routing/events.go b/federationapi/routing/events.go
index ced9e3d5..6fa28f69 100644
--- a/federationapi/routing/events.go
+++ b/federationapi/routing/events.go
@@ -33,7 +33,11 @@ func GetEvent(
 eventID string,
 origin gomatrixserverlib.ServerName,
 ) util.JSONResponse {
- event, err := getEvent(ctx, request, rsAPI, eventID)
+ err := allowedToSeeEvent(ctx, request.Origin(), rsAPI, eventID)
+ if err != nil {
+ return *err
+ }
+ event, err := fetchEvent(ctx, rsAPI, eventID)
 if err != nil {
 return *err
 }
@@ -47,35 +51,40 @@ func GetEvent(
 }}
 }
-// getEvent returns the requested event,
+// allowedToSeeEvent returns no error if the server is allowed to see this event,
 // otherwise it returns an error response which can be sent to the client.
-func getEvent(
+func allowedToSeeEvent(
 ctx context.Context,
- request *gomatrixserverlib.FederationRequest,
+ origin gomatrixserverlib.ServerName,
 rsAPI api.RoomserverInternalAPI,
 eventID string,
-) (*gomatrixserverlib.Event, *util.JSONResponse) {
+) *util.JSONResponse {
 var authResponse api.QueryServerAllowedToSeeEventResponse
 err := rsAPI.QueryServerAllowedToSeeEvent(
 ctx,
 &api.QueryServerAllowedToSeeEventRequest{
 EventID: eventID,
- ServerName: request.Origin(),
+ ServerName: origin,
 },
 &authResponse,
 )
 if err != nil {
 resErr := util.ErrorResponse(err)
- return nil, &resErr
+ return &resErr
 }
 if !authResponse.AllowedToSeeEvent {
 resErr := util.MessageResponse(http.StatusForbidden, "server not allowed to see event")
- return nil, &resErr
+ return &resErr
 }
+ return nil
+}
+
+// fetchEvent fetches the event without auth checks. Returns an error if the event cannot be found.
+func fetchEvent(ctx context.Context, rsAPI api.RoomserverInternalAPI, eventID string) (*gomatrixserverlib.Event, *util.JSONResponse) {
 var eventsResponse api.QueryEventsByIDResponse
- err = rsAPI.QueryEventsByID(
+ err := rsAPI.QueryEventsByID(
 ctx,
 &api.QueryEventsByIDRequest{EventIDs: []string{eventID}},
 &eventsResponse,
 |
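Review bot: The authorization call added to GetEvent passes `request.Origin()`, while GetEvent also has its own `origin` parameter (visible in the context lines) and the new helper names its requesting-server argument `origin` too. The hunk does not show what GetEvent's `origin` holds; if it is not the requesting server, a later cleanup that swaps it into this call would run the visibility check against the wrong server name. A comment above the call, `// Visibility is checked for the requesting server (request.Origin()), not GetEvent's origin parameter.`, or renaming the helper's parameter to something like `requestingServer`, would make that mistake harder. GetEvent's signature and the rest of its body are outside the hunk.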
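Review bot: fetchEvent returns the full event with no visibility check, so every caller now has to pair it with allowedToSeeEvent itself, and nothing in the signature enforces that. The commit description says /state and /state_ids now run the room check before the 403; those callers are outside this diff, so it is worth confirming they use only the event's room ID between the fetch and the auth check and never place event content in a response before it passes. Answering 404 before 403 also lets a server that may not see the event learn whether that event ID belongs to the given room, which presumably is the behaviour the tests expect but should be a stated decision. I would expand the doc comment to `// fetchEvent fetches the event without auth checks; callers must call allowedToSeeEvent before returning any part of the event to the requesting server.` fetchEvent's body continues past the end of the hunk.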