From 8d8fe485b455e3e61b9d894d1d08cb06c99a51d2 Mon Sep 17 00:00:00 2001 From: David Spenler <15622190+DavidSpenler@users.noreply.github.com> Date: Mon, 19 Jul 2021 13:33:05 -0400 Subject: [PATCH] Fix failing ban tests (#1884) * Add room membership and powerlevel checks for func SendBan * Added non-error return to func GetStateEvent when no state events with the specified state key are found * Add passing tests to whitelist * Fixed formatting * Update roomserver/storage/shared/storage.go Co-authored-by: Neil Alexander Co-authored-by: kegsay Co-authored-by: kegsay --- clientapi/routing/membership.go | 31 ++++++++++++++++++++++++++++ roomserver/storage/shared/storage.go | 4 ++++ sytest-whitelist | 2 ++ 3 files changed, 37 insertions(+) diff --git a/clientapi/routing/membership.go b/clientapi/routing/membership.go index bc679631..b85cfde0 100644 --- a/clientapi/routing/membership.go +++ b/clientapi/routing/membership.go @@ -47,6 +47,37 @@ func SendBan( if reqErr != nil { return *reqErr } + + errRes := checkMemberInRoom(req.Context(), rsAPI, device.UserID, roomID) + if errRes != nil { + return *errRes + } + + plEvent := roomserverAPI.GetStateEvent(req.Context(), rsAPI, roomID, gomatrixserverlib.StateKeyTuple{ + EventType: gomatrixserverlib.MRoomPowerLevels, + StateKey: "", + }) + if plEvent == nil { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, no power_levels event in this room."), + } + } + pl, err := plEvent.PowerLevels() + if err != nil { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, the power_levels event for this room is malformed so auth checks cannot be performed."), + } + } + allowedToBan := pl.UserLevel(device.UserID) >= pl.Ban + if !allowedToBan { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, power level too low."), + } + } + return sendMembership(req.Context(), accountDB, device, roomID, "ban", body.Reason, cfg, body.UserID, evTime, roomVer, rsAPI, asAPI) } diff --git a/roomserver/storage/shared/storage.go b/roomserver/storage/shared/storage.go index 9d9434cb..8e787851 100644 --- a/roomserver/storage/shared/storage.go +++ b/roomserver/storage/shared/storage.go @@ -866,6 +866,10 @@ func (d *Database) GetStateEvent(ctx context.Context, roomID, evType, stateKey s return nil, err } stateKeyNID, err := d.EventStateKeysTable.SelectEventStateKeyNID(ctx, nil, stateKey) + if err == sql.ErrNoRows { + // No rooms have a state event with this state key, otherwise we'd have an state key NID + return nil, nil + } if err != nil { return nil, err } diff --git a/sytest-whitelist b/sytest-whitelist index f6a051bd..4d0b9fcf 100644 --- a/sytest-whitelist +++ b/sytest-whitelist @@ -520,6 +520,8 @@ Inviting an AS-hosted user asks the AS server Can generate a openid access_token that can be exchanged for information about a user Invalid openid access tokens are rejected Requests to userinfo without access tokens are rejected +'ban' event respects room powerlevel +Non-present room members cannot ban others POST /_synapse/admin/v1/register with shared secret POST /_synapse/admin/v1/register admin with shared secret POST /_synapse/admin/v1/register with shared secret downcases capitals