From dc7f068d9ce9d2be775565f5f1eb964d30a64bb3 Mon Sep 17 00:00:00 2001 From: reivilibre Date: Thu, 9 Nov 2023 20:18:25 +0000 Subject: [PATCH] Fix a long-standing bug where Synapse would not unbind third-party identifiers for Application Service users when deactivated and would not emit a compliant response. (#16617) * Don't skip unbinding 3PIDs and returning success status when deactivating AS user Fixes #16608 * Newsfile Signed-off-by: Olivier Wilkinson (reivilibre) --------- Signed-off-by: Olivier Wilkinson (reivilibre) --- changelog.d/16617.bugfix | 1 + synapse/rest/client/account.py | 19 ++++++++----------- 2 files changed, 9 insertions(+), 11 deletions(-) create mode 100644 changelog.d/16617.bugfix diff --git a/changelog.d/16617.bugfix b/changelog.d/16617.bugfix new file mode 100644 index 0000000000..7e66799a6c --- /dev/null +++ b/changelog.d/16617.bugfix @@ -0,0 +1 @@ +Fix a long-standing bug where Synapse would not unbind third-party identifiers for Application Service users when deactivated and would not emit a compliant response. \ No newline at end of file diff --git a/synapse/rest/client/account.py b/synapse/rest/client/account.py index 641390cb30..0c0e82627d 100644 --- a/synapse/rest/client/account.py +++ b/synapse/rest/client/account.py @@ -299,19 +299,16 @@ class DeactivateAccountRestServlet(RestServlet): requester = await self.auth.get_user_by_req(request) - # allow ASes to deactivate their own users - if requester.app_service: - await self._deactivate_account_handler.deactivate_account( - requester.user.to_string(), body.erase, requester + # allow ASes to deactivate their own users: + # ASes don't need user-interactive auth + if not requester.app_service: + await self.auth_handler.validate_user_via_ui_auth( + requester, + request, + body.dict(exclude_unset=True), + "deactivate your account", ) - return 200, {} - await self.auth_handler.validate_user_via_ui_auth( - requester, - request, - body.dict(exclude_unset=True), - "deactivate your account", - ) result = await self._deactivate_account_handler.deactivate_account( requester.user.to_string(), body.erase, requester, id_server=body.id_server )