From 7359617c1c5df8c07ea211a43c18f60a13fe8f39 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Thu, 28 Apr 2022 12:33:05 +0100
Subject: [PATCH] Guard endpoint

---
 clientapi/routing/routing.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
index 5ab17b9b4..a66e8e9fd 100644
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@@ -122,6 +122,19 @@ func Setup(
 synapseAdminRouter.Handle("/admin/evacuateRoom", httputil.MakeExternalAPI("admin_evacuate_room", func(req *http.Request) util.JSONResponse {
+ device, err := getSenderDevice(context.Background(), userAPI, cfg)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: jsonerror.Forbidden("Couldn't determine if you were an admin or not."),
+ }
+ }
+ if device.AccountType != userapi.AccountTypeAdmin {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: jsonerror.Forbidden("This API can only be used by admin users."),
+ }
+ }
 vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 if err != nil {
 return util.ErrorResponse(err)
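Review bot: The device whose AccountType is checked comes from `getSenderDevice(context.Background(), userAPI, cfg)`, a call that takes nothing from `req`, so its result cannot depend on who is calling — the new guard admits or rejects every request alike, and the route is still registered with `MakeExternalAPI`, which as far as this hunk shows performs no authentication of the request itself. An admin-only endpoint has to authorize against the presented access token: register it with `httputil.MakeAuthAPI("admin_evacuate_room", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {`, keep only the `device.AccountType != userapi.AccountTypeAdmin` check, and drop the getSenderDevice lookup. If the lookup is kept for some other reason, `req.Context()` rather than `context.Background()` would at least propagate request cancellation to the user API query. The `Forbidden("Couldn't determine if you were an admin or not.")` branch also answers a lookup failure with 403, so a backend error is indistinguishable from a denial to both the client and anyone reading logs; `util.ErrorResponse(err)` or an explicit 500 fits that case better. Setup and the handler closure both continue outside the hunk.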