diff --git a/clientapi/routing/membership.go b/clientapi/routing/membership.go index bc679631a..b85cfde03 100644 --- a/clientapi/routing/membership.go +++ b/clientapi/routing/membership.go @@ -47,6 +47,37 @@ func SendBan( if reqErr != nil { return *reqErr } + + errRes := checkMemberInRoom(req.Context(), rsAPI, device.UserID, roomID) + if errRes != nil { + return *errRes + } + + plEvent := roomserverAPI.GetStateEvent(req.Context(), rsAPI, roomID, gomatrixserverlib.StateKeyTuple{ + EventType: gomatrixserverlib.MRoomPowerLevels, + StateKey: "", + }) + if plEvent == nil { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, no power_levels event in this room."), + } + } + pl, err := plEvent.PowerLevels() + if err != nil { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, the power_levels event for this room is malformed so auth checks cannot be performed."), + } + } + allowedToBan := pl.UserLevel(device.UserID) >= pl.Ban + if !allowedToBan { + return util.JSONResponse{ + Code: 403, + JSON: jsonerror.Forbidden("You don't have permission to ban this user, power level too low."), + } + } + return sendMembership(req.Context(), accountDB, device, roomID, "ban", body.Reason, cfg, body.UserID, evTime, roomVer, rsAPI, asAPI) } diff --git a/roomserver/storage/shared/storage.go b/roomserver/storage/shared/storage.go index 9d9434cbb..8e787851b 100644 --- a/roomserver/storage/shared/storage.go +++ b/roomserver/storage/shared/storage.go @@ -866,6 +866,10 @@ func (d *Database) GetStateEvent(ctx context.Context, roomID, evType, stateKey s return nil, err } stateKeyNID, err := d.EventStateKeysTable.SelectEventStateKeyNID(ctx, nil, stateKey) + if err == sql.ErrNoRows { + // No rooms have a state event with this state key, otherwise we'd have an state key NID + return nil, nil + } if err != nil { return nil, err } diff --git a/sytest-whitelist b/sytest-whitelist index f6a051bda..4d0b9fcf5 100644 --- a/sytest-whitelist +++ b/sytest-whitelist @@ -520,6 +520,8 @@ Inviting an AS-hosted user asks the AS server Can generate a openid access_token that can be exchanged for information about a user Invalid openid access tokens are rejected Requests to userinfo without access tokens are rejected +'ban' event respects room powerlevel +Non-present room members cannot ban others POST /_synapse/admin/v1/register with shared secret POST /_synapse/admin/v1/register admin with shared secret POST /_synapse/admin/v1/register with shared secret downcases capitals