aboutsummaryrefslogtreecommitdiff
path: root/clientapi
diff options
context:
space:
mode:
Diffstat (limited to 'clientapi')
-rw-r--r--clientapi/routing/directory.go16
-rw-r--r--clientapi/routing/membership.go36
-rw-r--r--clientapi/routing/profile.go15
-rw-r--r--clientapi/routing/redaction.go27
-rw-r--r--clientapi/routing/sendevent.go21
-rw-r--r--clientapi/threepid/invites.go12
6 files changed, 107 insertions, 20 deletions
diff --git a/clientapi/routing/directory.go b/clientapi/routing/directory.go
index 0c842e6a..034296f4 100644
--- a/clientapi/routing/directory.go
+++ b/clientapi/routing/directory.go
@@ -338,7 +338,21 @@ func SetVisibility(
// NOTSPEC: Check if the user's power is greater than power required to change m.room.canonical_alias event
power, _ := gomatrixserverlib.NewPowerLevelContentFromEvent(queryEventsRes.StateEvents[0].PDU)
- if power.UserLevel(dev.UserID) < power.EventLevel(spec.MRoomCanonicalAlias, true) {
+ fullUserID, err := spec.NewUserID(dev.UserID, true)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("userID doesn't have power level to change visibility"),
+ }
+ }
+ senderID, err := rsAPI.QuerySenderIDForUser(req.Context(), roomID, *fullUserID)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("userID doesn't have power level to change visibility"),
+ }
+ }
+ if power.UserLevel(senderID) < power.EventLevel(spec.MRoomCanonicalAlias, true) {
return util.JSONResponse{
Code: http.StatusForbidden,
JSON: spec.Forbidden("userID doesn't have power level to change visibility"),
diff --git a/clientapi/routing/membership.go b/clientapi/routing/membership.go
index 0fe0a4ad..78829bec 100644
--- a/clientapi/routing/membership.go
+++ b/clientapi/routing/membership.go
@@ -66,7 +66,21 @@ func SendBan(
if errRes != nil {
return *errRes
}
- allowedToBan := pl.UserLevel(device.UserID) >= pl.Ban
+ fullUserID, err := spec.NewUserID(device.UserID, true)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("You don't have permission to ban this user, bad userID"),
+ }
+ }
+ senderID, err := rsAPI.QuerySenderIDForUser(req.Context(), roomID, *fullUserID)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("You don't have permission to ban this user, unknown senderID"),
+ }
+ }
+ allowedToBan := pl.UserLevel(senderID) >= pl.Ban
if !allowedToBan {
return util.JSONResponse{
Code: http.StatusForbidden,
@@ -142,7 +156,21 @@ func SendKick(
if errRes != nil {
return *errRes
}
- allowedToKick := pl.UserLevel(device.UserID) >= pl.Kick
+ fullUserID, err := spec.NewUserID(device.UserID, true)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("You don't have permission to kick this user, bad userID"),
+ }
+ }
+ senderID, err := rsAPI.QuerySenderIDForUser(req.Context(), roomID, *fullUserID)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("You don't have permission to kick this user, unknown senderID"),
+ }
+ }
+ allowedToKick := pl.UserLevel(senderID) >= pl.Kick
if !allowedToKick {
return util.JSONResponse{
Code: http.StatusForbidden,
@@ -151,7 +179,7 @@ func SendKick(
}
var queryRes roomserverAPI.QueryMembershipForUserResponse
- err := rsAPI.QueryMembershipForUser(req.Context(), &roomserverAPI.QueryMembershipForUserRequest{
+ err = rsAPI.QueryMembershipForUser(req.Context(), &roomserverAPI.QueryMembershipForUserRequest{
RoomID: roomID,
UserID: body.UserID,
}, &queryRes)
@@ -319,7 +347,7 @@ func buildMembershipEventDirect(
rsAPI roomserverAPI.ClientRoomserverAPI,
) (*types.HeaderedEvent, error) {
proto := gomatrixserverlib.ProtoEvent{
- Sender: sender,
+ SenderID: sender,
RoomID: roomID,
Type: "m.room.member",
StateKey: &targetUserID,
diff --git a/clientapi/routing/profile.go b/clientapi/routing/profile.go
index 2c9d0cbb..e734e2e4 100644
--- a/clientapi/routing/profile.go
+++ b/clientapi/routing/profile.go
@@ -363,12 +363,21 @@ func buildMembershipEvents(
) ([]*types.HeaderedEvent, error) {
evs := []*types.HeaderedEvent{}
+ fullUserID, err := spec.NewUserID(userID, true)
+ if err != nil {
+ return nil, err
+ }
for _, roomID := range roomIDs {
+ senderID, err := rsAPI.QuerySenderIDForUser(ctx, roomID, *fullUserID)
+ if err != nil {
+ return nil, err
+ }
+ senderIDString := string(senderID)
proto := gomatrixserverlib.ProtoEvent{
- Sender: userID,
+ SenderID: senderIDString,
RoomID: roomID,
Type: "m.room.member",
- StateKey: &userID,
+ StateKey: &senderIDString,
}
content := gomatrixserverlib.MemberContent{
@@ -378,7 +387,7 @@ func buildMembershipEvents(
content.DisplayName = newProfile.DisplayName
content.AvatarURL = newProfile.AvatarURL
- if err := proto.SetContent(content); err != nil {
+ if err = proto.SetContent(content); err != nil {
return nil, err
}
diff --git a/clientapi/routing/redaction.go b/clientapi/routing/redaction.go
index e94c7748..22474fc0 100644
--- a/clientapi/routing/redaction.go
+++ b/clientapi/routing/redaction.go
@@ -73,10 +73,25 @@ func SendRedaction(
}
}
+ fullUserID, userIDErr := spec.NewUserID(device.UserID, true)
+ if userIDErr != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("userID doesn't have power level to redact"),
+ }
+ }
+ senderID, queryErr := rsAPI.QuerySenderIDForUser(req.Context(), roomID, *fullUserID)
+ if queryErr != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("userID doesn't have power level to redact"),
+ }
+ }
+
// "Users may redact their own events, and any user with a power level greater than or equal
// to the redact power level of the room may redact events there"
// https://matrix.org/docs/spec/client_server/r0.6.1#put-matrix-client-r0-rooms-roomid-redact-eventid-txnid
- allowedToRedact := ev.SenderID() == device.UserID // TODO: Should replace device.UserID with device...PerRoomKey
+ allowedToRedact := ev.SenderID() == senderID // TODO: Should replace device.UserID with device...PerRoomKey
if !allowedToRedact {
plEvent := roomserverAPI.GetStateEvent(req.Context(), rsAPI, roomID, gomatrixserverlib.StateKeyTuple{
EventType: spec.MRoomPowerLevels,
@@ -97,7 +112,7 @@ func SendRedaction(
),
}
}
- allowedToRedact = pl.UserLevel(device.UserID) >= pl.Redact
+ allowedToRedact = pl.UserLevel(senderID) >= pl.Redact
}
if !allowedToRedact {
return util.JSONResponse{
@@ -114,10 +129,10 @@ func SendRedaction(
// create the new event and set all the fields we can
proto := gomatrixserverlib.ProtoEvent{
- Sender: device.UserID,
- RoomID: roomID,
- Type: spec.MRoomRedaction,
- Redacts: eventID,
+ SenderID: string(senderID),
+ RoomID: roomID,
+ Type: spec.MRoomRedaction,
+ Redacts: eventID,
}
err := proto.SetContent(r)
if err != nil {
diff --git a/clientapi/routing/sendevent.go b/clientapi/routing/sendevent.go
index 8b09f399..4d0a9f24 100644
--- a/clientapi/routing/sendevent.go
+++ b/clientapi/routing/sendevent.go
@@ -266,16 +266,29 @@ func generateSendEvent(
evTime time.Time,
) (gomatrixserverlib.PDU, *util.JSONResponse) {
// parse the incoming http request
- userID := device.UserID
+ fullUserID, err := spec.NewUserID(device.UserID, true)
+ if err != nil {
+ return nil, &util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("Bad userID"),
+ }
+ }
+ senderID, err := rsAPI.QuerySenderIDForUser(ctx, roomID, *fullUserID)
+ if err != nil {
+ return nil, &util.JSONResponse{
+ Code: http.StatusNotFound,
+ JSON: spec.NotFound("Unable to find senderID for user"),
+ }
+ }
// create the new event and set all the fields we can
proto := gomatrixserverlib.ProtoEvent{
- Sender: userID,
+ SenderID: string(senderID),
RoomID: roomID,
Type: eventType,
StateKey: stateKey,
}
- err := proto.SetContent(r)
+ err = proto.SetContent(r)
if err != nil {
util.GetLogger(ctx).WithError(err).Error("proto.SetContent failed")
return nil, &util.JSONResponse{
@@ -331,7 +344,7 @@ func generateSendEvent(
stateEvents[i] = queryRes.StateEvents[i].PDU
}
provider := gomatrixserverlib.NewAuthEvents(gomatrixserverlib.ToPDUs(stateEvents))
- if err = gomatrixserverlib.Allowed(e.PDU, &provider, func(roomID, senderID string) (*spec.UserID, error) {
+ if err = gomatrixserverlib.Allowed(e.PDU, &provider, func(roomID string, senderID spec.SenderID) (*spec.UserID, error) {
return rsAPI.QueryUserIDForSender(ctx, roomID, senderID)
}); err != nil {
return nil, &util.JSONResponse{
diff --git a/clientapi/threepid/invites.go b/clientapi/threepid/invites.go
index 9f4f62e4..e7ffbac2 100644
--- a/clientapi/threepid/invites.go
+++ b/clientapi/threepid/invites.go
@@ -355,8 +355,16 @@ func emit3PIDInviteEvent(
rsAPI api.ClientRoomserverAPI,
evTime time.Time,
) error {
+ userID, err := spec.NewUserID(device.UserID, true)
+ if err != nil {
+ return err
+ }
+ sender, err := rsAPI.QuerySenderIDForUser(ctx, roomID, *userID)
+ if err != nil {
+ return err
+ }
proto := &gomatrixserverlib.ProtoEvent{
- Sender: device.UserID,
+ SenderID: string(sender),
RoomID: roomID,
Type: "m.room.third_party_invite",
StateKey: &res.Token,
@@ -370,7 +378,7 @@ func emit3PIDInviteEvent(
PublicKeys: res.PublicKeys,
}
- if err := proto.SetContent(content); err != nil {
+ if err = proto.SetContent(content); err != nil {
return err
}
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-25 19:48:44 +0000