Allow reading state if history_visibility is world readable

See https://matrix.org/docs/spec/client_server/r0.6.1#id87
Timo Kösters 2020-10-18 16:19:14 +02:00
parent 9f487dd93a
commit 243126d393
No known key found for this signature in database
GPG key ID: 24DA7517711A2BA4


@ -8,7 +8,11 @@ use ruma::{
send_state_event_for_empty_key, send_state_event_for_key,
},
},
events::{AnyStateEventContent, EventContent},
events::{
room::history_visibility::HistoryVisibility,
room::history_visibility::HistoryVisibilityEventContent, AnyStateEventContent,
EventContent, EventType,
},
EventId, RoomId, UserId,
};
@ -97,12 +101,29 @@ pub fn get_state_events_route(
) -> ConduitResult<get_state_events::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? {
if !matches!(
db.rooms
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
.map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
}
Ok(get_state_events::Response {
room_state: db
@ -125,12 +146,29 @@ pub fn get_state_events_for_key_route(
) -> ConduitResult<get_state_events_for_key::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? {
if !matches!(
db.rooms
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
.map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
}
let event = db
.rooms
@ -157,12 +195,29 @@ pub fn get_state_events_for_empty_key_route(
) -> ConduitResult<get_state_events_for_empty_key::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? {
if !matches!(
db.rooms
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
.map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
}
let event = db
.rooms
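Review bot: In `get_state_events_route` the error built by `map_err(|_| Error::bad_database(...))` is never returned, because `matches!` treats `Some(Err(_))` like any other non-match and the handler answers Forbidden. A malformed history visibility event in the database is therefore indistinguishable from an ordinary denial. Denying access is the right default for this authorization gate, but the corruption should be propagated rather than masked: end the `.map(|event| { ... })` call with `.transpose()?` and match on `Some(HistoryVisibility::WorldReadable)` instead of `Some(Ok(HistoryVisibility::WorldReadable))`. The same block is pasted into `get_state_events_for_key_route` and `get_state_events_for_empty_key_route`, so the change applies to all three, and moving the check into one shared helper would keep the access rule from drifting between endpoints. All three function bodies continue outside their hunks.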