Fix bug where people could join private rooms

2014-10-17 19:37:41 +01:00 · 2014-10-17 19:37:41 +01:00 · b3b1961496
parent 5ffe5ab43f
commit b3b1961496
3 changed files with 63 additions and 45 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -49,12 +49,12 @@ class Auth(object):
        """
        try:
            if hasattr(event, "room_id"):
-                if not event.old_state_events:
+                if event.old_state_events is None:
                    # Oh, we don't know what the state of the room was, so we
                    # are trusting that this is allowed (at least for now)
                    defer.returnValue(True)

-                if hasattr(event, "outlier") and event.outlier:
+                if hasattr(event, "outlier") and event.outlier is True:
                    # TODO (erikj): Auth for outliers is done differently.
                    defer.returnValue(True)

@ -65,8 +65,12 @@ class Auth(object):
                    defer.returnValue(True)

                if event.type == RoomMemberEvent.TYPE:
-                    yield self._can_replace_state(event)
-                    allowed = yield self.is_membership_change_allowed(event)
+                    self._can_replace_state(event)
+                    allowed = self.is_membership_change_allowed(event)
+                    if allowed:
+                        logger.debug("Allowing! %s", event)
+                    else:
+                        logger.debug("Denying! %s", event)
                    defer.returnValue(allowed)
                    return

@ -77,24 +81,28 @@ class Auth(object):
                    # TODO (erikj): This really only should be called for *new*
                    # state
                    yield self._can_add_state(event)
-                    yield self._can_replace_state(event)
+                    self._can_replace_state(event)
                else:
                    yield self._can_send_event(event)

                if event.type == RoomPowerLevelsEvent.TYPE:
-                    yield self._check_power_levels(event)
+                    self._check_power_levels(event)

                if event.type == RoomRedactionEvent.TYPE:
-                    yield self._check_redaction(event)
+                    self._check_redaction(event)

+
+                logger.debug("Allowing! %s", event)
                defer.returnValue(True)
            else:
                raise AuthError(500, "Unknown event: %s" % event)
        except AuthError as e:
            logger.info("Event auth check failed on event %s with msg: %s",
                        event, e.msg)
+            logger.info("Denying! %s", event)
            if raises:
                raise e
+
        defer.returnValue(False)

    @defer.inlineCallbacks
@ -126,7 +134,7 @@ class Auth(object):
                user_id, room_id, repr(member)
            ))

-    @defer.inlineCallbacks
+    @log_function
    def is_membership_change_allowed(self, event):
        target_user_id = event.state_key

@ -159,11 +167,23 @@ class Auth(object):
        )

        ban_level, kick_level, redact_level = (
-            yield self._get_ops_level_from_event_state(
+            self._get_ops_level_from_event_state(
                event
            )
        )

+        logger.debug(
+            "is_membership_change_allowed: %s",
+            {
+                "caller_in_room": caller_in_room,
+                "target_in_room": target_in_room,
+                "membership": membership,
+                "join_rule": join_rule,
+                "target_user_id": target_user_id,
+                "event.user_id": event.user_id,
+            }
+        )
+
        if Membership.INVITE == membership:
            # TODO (erikj): We should probably handle this more intelligently
            # PRIVATE join rules.
@ -183,10 +203,7 @@ class Auth(object):
            elif join_rule == JoinRules.PUBLIC:
                pass
            elif join_rule == JoinRules.INVITE:
-                if (
-                    not caller or caller.membership not in
-                    [Membership.INVITE, Membership.JOIN]
-                ):
+                if not caller_in_room:
                    raise AuthError(403, "You are not invited to this room.")
            else:
                # TODO (erikj): may_join list
@ -218,7 +235,7 @@ class Auth(object):
        else:
            raise AuthError(500, "Unknown membership %s" % membership)

-        defer.returnValue(True)
+        return True

    def _get_power_level_from_event_state(self, event, user_id):
        key = (RoomPowerLevelsEvent.TYPE, "", )
@ -359,17 +376,7 @@ class Auth(object):

        defer.returnValue(True)

-    @defer.inlineCallbacks
    def _can_replace_state(self, event):
-        current_state = yield self.store.get_current_state(
-            event.room_id,
-            event.type,
-            event.state_key,
-        )
-
-        if current_state:
-            current_state = current_state[0]
-
        user_level = self._get_power_level_from_event_state(
            event,
            event.user_id,
@ -383,6 +390,10 @@ class Auth(object):
        logger.debug(
            "Checking power level for %s, %s", event.user_id, user_level
        )
+
+        key = (event.type, event.state_key, )
+        current_state = event.old_state_events.get(key)
+
        if current_state and hasattr(current_state, "required_power_level"):
            req = current_state.required_power_level

@ -393,19 +404,20 @@ class Auth(object):
                    "You don't have permission to change that state"
                )

-    @defer.inlineCallbacks
    def _check_redaction(self, event):
-        user_level = yield self.store.get_power_level(
-            event.room_id,
-            event.user_id,
-        )
-
        user_level = self._get_power_level_from_event_state(
            event,
            event.user_id,
        )

-        _, _, redact_level  = yield self.store.get_ops_levels(event.room_id)
+        if user_level:
+            user_level = int(user_level)
+        else:
+            user_level = 0
+
+        _, _, redact_level = self.store._get_ops_level_from_event_state(
+            event.room_id
+        )

        if not redact_level:
            redact_level = 50
@ -416,7 +428,6 @@ class Auth(object):
                "You don't have permission to redact events"
            )

-    @defer.inlineCallbacks
    def _check_power_levels(self, event):
        for k, v in event.content.items():
            if k == "default":
@ -436,19 +447,16 @@ class Auth(object):
            except:
                raise SynapseError(400, "Not a valid power level: %s" % (v,))

-        current_state = yield self.store.get_current_state(
-            event.room_id,
-            event.type,
-            event.state_key,
-        )
+        key = (event.type, event.state_key, )
+        current_state = event.old_state_events.get(key)

        if not current_state:
            return
        else:
            current_state = current_state[0]

-        user_level = yield self.store.get_power_level(
-            event.room_id,
+        user_level = self._get_power_level_from_event_state(
+            event,
            event.user_id,
        )

--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@ -269,12 +269,12 @@ class FederationHandler(BaseHandler):
        del self.room_queues[room_id]

        for p in room_queue:
-            p.outlier = True
            yield self.on_receive_pdu(p, backfilled=False)

        defer.returnValue(True)

    @defer.inlineCallbacks
+    @log_function
    def on_make_join_request(self, context, user_id):
        event = self.event_factory.create_event(
            etype=RoomMemberEvent.TYPE,
@ -289,15 +289,21 @@ class FederationHandler(BaseHandler):
        )
        snapshot.fill_out_prev_events(event)

+        yield self.state_handler.annotate_state_groups(event)
+        yield self.auth.check(event, None, raises=True)
+
        pdu = self.pdu_codec.pdu_from_event(event)

        defer.returnValue(pdu)

    @defer.inlineCallbacks
+    @log_function
    def on_send_join_request(self, origin, pdu):
        event = self.pdu_codec.event_from_pdu(pdu)

-        is_new_state= yield self.state_handler.annotate_state_groups(event)
+        event.outlier = False
+
+        is_new_state = yield self.state_handler.annotate_state_groups(event)
        yield self.auth.check(event, None, raises=True)

        # FIXME (erikj):  All this is duplicated above :(
--- a/synapse/state.py
+++ b/synapse/state.py
@ -22,6 +22,7 @@ from synapse.federation.pdu_codec import encode_event_id

 from collections import namedtuple

+import copy
 import logging
 import hashlib

@ -143,13 +144,13 @@ class StateHandler(object):
        if hasattr(event, "outlier") and event.outlier:
            event.state_group = None
            event.old_state_events = None
-            event.state_events = None
+            event.state_events = {}
            defer.returnValue(False)
            return

        new_state = yield self.resolve_state_groups(event.prev_events)

-        event.old_state_events = new_state
+        event.old_state_events = copy.deepcopy(new_state)

        if hasattr(event, "state_key"):
            new_state[(event.type, event.state_key)] = event
@ -164,9 +165,12 @@ class StateHandler(object):
        # FIXME: HACK!
        pdus = yield self.store.get_latest_pdus_in_context(room_id)

-        event_ids = [encode_event_id(p.pdu_id, p.origin) for p in pdus]
+        event_ids = [
+            encode_event_id(pdu_id, origin)
+            for pdu_id, origin, _ in pdus
+        ]

-        res = self.resolve_state_groups(event_ids)
+        res = yield self.resolve_state_groups(event_ids)

        if event_type:
            defer.returnValue(res.get((event_type, state_key)))