don't allow moderators dangerous permissions, fix pl 100 state_default
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
parent
d1c139de26
commit
527a5cbd73
4 changed files with 18 additions and 8 deletions
|
@ -30,7 +30,7 @@ before_script:
|
|||
# Add upstream Conduit binary cache
|
||||
- if command -v nix > /dev/null; then echo "extra-substituters = https://nix.computer.surgery/conduit" >> /etc/nix/nix.conf; fi
|
||||
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:ZGAf6P6LhNvnoJJ3Me3PRg7tlLSrPxcQ2RiE5LIppjo=" >> /etc/nix/nix.conf; fi
|
||||
|
||||
|
||||
# Add alternate binary cache
|
||||
- if command -v nix > /dev/null && [ -n "$ATTIC_ENDPOINT" ]; then echo "extra-substituters = $ATTIC_ENDPOINT" >> /etc/nix/nix.conf; fi
|
||||
- if command -v nix > /dev/null && [ -n "$ATTIC_PUBLIC_KEY" ]; then echo "extra-trusted-public-keys = $ATTIC_PUBLIC_KEY" >> /etc/nix/nix.conf; fi
|
||||
|
@ -129,9 +129,9 @@ artifacts:
|
|||
|
||||
.push-oci-image:
|
||||
stage: publish
|
||||
image: docker:26.0.0
|
||||
image: docker:26.0.1
|
||||
services:
|
||||
- docker:26.0.0-dind
|
||||
- docker:26.0.1-dind
|
||||
variables:
|
||||
IMAGE_SUFFIX_AMD64: amd64
|
||||
IMAGE_SUFFIX_ARM64V8: arm64v8
|
||||
|
|
2
Cargo.lock
generated
2
Cargo.lock
generated
|
@ -459,7 +459,7 @@ checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
|
|||
|
||||
[[package]]
|
||||
name = "conduit"
|
||||
version = "0.7.0+conduwuit-0.1.15"
|
||||
version = "0.7.0+conduwuit-0.1.16"
|
||||
dependencies = [
|
||||
"argon2",
|
||||
"async-trait",
|
||||
|
|
|
@ -9,7 +9,7 @@ authors = [
|
|||
homepage = "https://puppygock.gay/conduwuit"
|
||||
repository = "https://github.com/girlbossceo/conduwuit"
|
||||
readme = "README.md"
|
||||
version = "0.7.0+conduwuit-0.1.15"
|
||||
version = "0.7.0+conduwuit-0.1.16"
|
||||
edition = "2021"
|
||||
|
||||
# See also `rust-toolchain.toml`
|
||||
|
@ -217,7 +217,7 @@ default-features = false
|
|||
|
||||
# to support multiple variations of setting a config option
|
||||
[dependencies.either]
|
||||
version = "1.10.0"
|
||||
version = "1.11.0"
|
||||
features = ["serde"]
|
||||
|
||||
# to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
|
||||
|
|
|
@ -360,13 +360,23 @@ pub async fn create_room_route(body: Ruma<create_room::v3::Request>) -> Result<c
|
|||
|
||||
let mut power_levels_content = serde_json::to_value(RoomPowerLevelsEventContent {
|
||||
users,
|
||||
state_default: int!(100),
|
||||
..Default::default()
|
||||
})
|
||||
.expect("event is valid, we just created it");
|
||||
|
||||
// secure proper defaults of sensitive/dangerous permissions that moderators
|
||||
// (power level 50) should not have easy access to
|
||||
power_levels_content["events"]["m.room.power_levels"] = serde_json::to_value(100).expect("100 is valid Value");
|
||||
power_levels_content["events"]["m.room.server_acl"] = serde_json::to_value(100).expect("100 is valid Value");
|
||||
power_levels_content["events"]["m.room.tombstone"] = serde_json::to_value(100).expect("100 is valid Value");
|
||||
power_levels_content["events"]["m.room.encryption"] = serde_json::to_value(100).expect("100 is valid Value");
|
||||
power_levels_content["events"]["m.room.history_visibility"] =
|
||||
serde_json::to_value(100).expect("100 is valid Value");
|
||||
|
||||
// synapse does this too. clients do not expose these permissions. it prevents
|
||||
// default users from calling public rooms, for obvious reasons.
|
||||
if body.visibility == room::Visibility::Public {
|
||||
power_levels_content["m.call.invite"] = serde_json::to_value(50).expect("50 is valid Value");
|
||||
power_levels_content["events"]["m.call.invite"] = serde_json::to_value(50).expect("50 is valid Value");
|
||||
power_levels_content["events"]["org.matrix.msc3401.call"] =
|
||||
serde_json::to_value(50).expect("50 is valid Value");
|
||||
power_levels_content["events"]["org.matrix.msc3401.call.member"] =
|
||||
|
|
Loading…
Add table
Reference in a new issue