fix(redaction): use content.redacts when checking v11 events
This commit is contained in:
Matthias Ahouansou
parent
89c1c2109c
commit
1c4ae8d268
2 changed files with 102 additions and 26 deletions
|
|
@ -23,7 +23,10 @@ use ruma::{
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
events::{
|
events::{
|
||||||
room::{create::RoomCreateEventContent, server_acl::RoomServerAclEventContent},
|
room::{
|
||||||
|
create::RoomCreateEventContent, redaction::RoomRedactionEventContent,
|
||||||
|
server_acl::RoomServerAclEventContent,
|
||||||
|
},
|
||||||
StateEventType, TimelineEventType,
|
StateEventType, TimelineEventType,
|
||||||
},
|
},
|
||||||
int,
|
int,
|
||||||
|
|
@ -797,17 +800,50 @@ impl Service {
|
||||||
|k, s| auth_events.get(&(k.clone(), s.to_owned())),
|
|k, s| auth_events.get(&(k.clone(), s.to_owned())),
|
||||||
)
|
)
|
||||||
.map_err(|_e| Error::BadRequest(ErrorKind::InvalidParam, "Auth check failed."))?
|
.map_err(|_e| Error::BadRequest(ErrorKind::InvalidParam, "Auth check failed."))?
|
||||||
|| if let Some(redact_id) = &incoming_pdu.redacts {
|
|| incoming_pdu.kind == TimelineEventType::RoomRedaction
|
||||||
incoming_pdu.kind == TimelineEventType::RoomRedaction
|
&& match room_version_id {
|
||||||
&& !services().rooms.state_accessor.user_can_redact(
|
RoomVersionId::V1
|
||||||
redact_id,
|
| RoomVersionId::V2
|
||||||
&incoming_pdu.sender,
|
| RoomVersionId::V3
|
||||||
&incoming_pdu.room_id,
|
| RoomVersionId::V4
|
||||||
true,
|
| RoomVersionId::V5
|
||||||
)?
|
| RoomVersionId::V6
|
||||||
} else {
|
| RoomVersionId::V7
|
||||||
false
|
| RoomVersionId::V8
|
||||||
};
|
| RoomVersionId::V9
|
||||||
|
| RoomVersionId::V10 => {
|
||||||
|
if let Some(redact_id) = &incoming_pdu.redacts {
|
||||||
|
!services().rooms.state_accessor.user_can_redact(
|
||||||
|
redact_id,
|
||||||
|
&incoming_pdu.sender,
|
||||||
|
&incoming_pdu.room_id,
|
||||||
|
true,
|
||||||
|
)?
|
||||||
|
} else {
|
||||||
|
false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
RoomVersionId::V11 => {
|
||||||
|
let content = serde_json::from_str::<RoomRedactionEventContent>(
|
||||||
|
incoming_pdu.content.get(),
|
||||||
|
)
|
||||||
|
.map_err(|_| Error::bad_database("Invalid content in redaction pdu."))?;
|
||||||
|
|
||||||
|
if let Some(redact_id) = &content.redacts {
|
||||||
|
!services().rooms.state_accessor.user_can_redact(
|
||||||
|
redact_id,
|
||||||
|
&incoming_pdu.sender,
|
||||||
|
&incoming_pdu.room_id,
|
||||||
|
true,
|
||||||
|
)?
|
||||||
|
} else {
|
||||||
|
false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_ => {
|
||||||
|
unreachable!("Validity of room version already checked")
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
// 13. Use state resolution to find new room state
|
// 13. Use state resolution to find new room state
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -900,21 +900,61 @@ impl Service {
|
||||||
}
|
}
|
||||||
|
|
||||||
// If redaction event is not authorized, do not append it to the timeline
|
// If redaction event is not authorized, do not append it to the timeline
|
||||||
if let Some(redact_id) = &pdu.redacts {
|
if pdu.kind == TimelineEventType::RoomRedaction {
|
||||||
if pdu.kind == TimelineEventType::RoomRedaction
|
match services().rooms.state.get_room_version(&pdu.room_id)? {
|
||||||
&& !services().rooms.state_accessor.user_can_redact(
|
RoomVersionId::V1
|
||||||
redact_id,
|
| RoomVersionId::V2
|
||||||
&pdu.sender,
|
| RoomVersionId::V3
|
||||||
&pdu.room_id,
|
| RoomVersionId::V4
|
||||||
false,
|
| RoomVersionId::V5
|
||||||
)?
|
| RoomVersionId::V6
|
||||||
{
|
| RoomVersionId::V7
|
||||||
return Err(Error::BadRequest(
|
| RoomVersionId::V8
|
||||||
ErrorKind::Forbidden,
|
| RoomVersionId::V9
|
||||||
"User cannot redact this event.",
|
| RoomVersionId::V10 => {
|
||||||
));
|
if let Some(redact_id) = &pdu.redacts {
|
||||||
|
if !services().rooms.state_accessor.user_can_redact(
|
||||||
|
redact_id,
|
||||||
|
&pdu.sender,
|
||||||
|
&pdu.room_id,
|
||||||
|
false,
|
||||||
|
)? {
|
||||||
|
return Err(Error::BadRequest(
|
||||||
|
ErrorKind::Forbidden,
|
||||||
|
"User cannot redact this event.",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
RoomVersionId::V11 => {
|
||||||
|
let content =
|
||||||
|
serde_json::from_str::<RoomRedactionEventContent>(pdu.content.get())
|
||||||
|
.map_err(|_| {
|
||||||
|
Error::bad_database("Invalid content in redaction pdu.")
|
||||||
|
})?;
|
||||||
|
|
||||||
|
if let Some(redact_id) = &content.redacts {
|
||||||
|
if !services().rooms.state_accessor.user_can_redact(
|
||||||
|
redact_id,
|
||||||
|
&pdu.sender,
|
||||||
|
&pdu.room_id,
|
||||||
|
false,
|
||||||
|
)? {
|
||||||
|
return Err(Error::BadRequest(
|
||||||
|
ErrorKind::Forbidden,
|
||||||
|
"User cannot redact this event.",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_ => {
|
||||||
|
return Err(Error::BadRequest(
|
||||||
|
ErrorKind::UnsupportedRoomVersion,
|
||||||
|
"Unsupported room version",
|
||||||
|
));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
};
|
}
|
||||||
|
|
||||||
// We append to state before appending the pdu, so we don't have a moment in time with the
|
// We append to state before appending the pdu, so we don't have a moment in time with the
|
||||||
// pdu without it's state. This is okay because append_pdu can't fail.
|
// pdu without it's state. This is okay because append_pdu can't fail.
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue