diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 3d1ce4e09e..be67ab4f4d 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -121,6 +121,11 @@ class Auth(object): # FIXME: Temp hack if event.type == EventTypes.Aliases: + if not event.is_state(): + raise AuthError( + 403, + "Alias event must be a state event", + ) if not event.state_key: raise AuthError( 403,