implement redact permission (#1491)

- implement redact authorization check on dendrite - lower power levels for redaction on client because the permission is enforced on the server - added tests to verify that a user can redact his / her own messages, but not others; moderators with the Redact permission can redact messages of other people
2026-01-16 18:43:10 -06:00 · 2023-02-14 16:21:38 -08:00 · 2023-02-14 16:21:38 -08:00 · bb2af96fca
parent a25ca83eb8
commit bb2af96fca
1 changed files with 34 additions and 0 deletions
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@ -646,6 +646,23 @@ func Setup(
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
+			ev := roomserverAPI.GetEvent(req.Context(), rsAPI, vars["eventID"])
+			// user is always allowed to redact their own events.
+			isAllowed := ev.Sender() == device.UserID
+			if !isAllowed {
+				// if event is not from the sender, then check with the authz module.
+				isAllowed, _ = authorization.IsAllowed(authz.AuthorizationArgs{
+					RoomId:     vars["roomID"],
+					UserId:     device.UserID,
+					Permission: authz.PermissionRedact,
+				})
+			}
+			if !isAllowed {
+				return util.JSONResponse{
+					Code: http.StatusUnauthorized,
+					JSON: jsonerror.Forbidden("Unauthorised"),
+				}
+			}
 			return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, nil, nil)
 		}),
 	).Methods(http.MethodPost, http.MethodOptions)
@ -655,6 +672,23 @@ func Setup(
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
+			ev := roomserverAPI.GetEvent(req.Context(), rsAPI, vars["eventID"])
+			// user is always allowed to redact their own events.
+			isAllowed := ev.Sender() == device.UserID
+			if !isAllowed {
+				// if event is not from the sender, then check with the authz module.
+				isAllowed, _ = authorization.IsAllowed(authz.AuthorizationArgs{
+					RoomId:     vars["roomID"],
+					UserId:     device.UserID,
+					Permission: authz.PermissionRedact,
+				})
+			}
+			if !isAllowed {
+				return util.JSONResponse{
+					Code: http.StatusUnauthorized,
+					JSON: jsonerror.Forbidden("Unauthorised"),
+				}
+			}
 			txnID := vars["txnId"]
 			return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, &txnID, transactionsCache)
 		}),