mirrors/dendrite
1
0
Fork 0
mirror of https://github.com/matrix-org/dendrite.git synced 2026-01-16 18:43:10 -06:00
Code Issues Packages Projects Releases Wiki Activity

implement redact permission (#1491)

Browse source 
- implement redact authorization check on dendrite
- lower power levels for redaction on client because the permission is
enforced on the server
- added tests to verify that a user can redact his / her own messages,
but not others; moderators with the Redact permission can redact
messages of other people
This commit is contained in:
Tak Wai Wong 2023-02-14 16:21:38 -08:00 committed by GitHub
parent a25ca83eb8
commit bb2af96fca
1 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
clientapi/routing/routing.go
View file

@ -646,6 +646,23 @@ func Setup(
if err != nil { if err != nil {
return util.ErrorResponse(err) return util.ErrorResponse(err)
} }
ev := roomserverAPI.GetEvent(req.Context(), rsAPI, vars["eventID"])
// user is always allowed to redact their own events.
isAllowed := ev.Sender() == device.UserID
if !isAllowed {
// if event is not from the sender, then check with the authz module.
isAllowed, _ = authorization.IsAllowed(authz.AuthorizationArgs{
RoomId: vars["roomID"],
UserId: device.UserID,
Permission: authz.PermissionRedact,
})
}
if !isAllowed {
return util.JSONResponse{
Code: http.StatusUnauthorized,
JSON: jsonerror.Forbidden("Unauthorised"),
}
}
return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, nil, nil) return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, nil, nil)
}), }),
).Methods(http.MethodPost, http.MethodOptions) ).Methods(http.MethodPost, http.MethodOptions)
@ -655,6 +672,23 @@ func Setup(
if err != nil { if err != nil {
return util.ErrorResponse(err) return util.ErrorResponse(err)
} }
ev := roomserverAPI.GetEvent(req.Context(), rsAPI, vars["eventID"])
// user is always allowed to redact their own events.
isAllowed := ev.Sender() == device.UserID
if !isAllowed {
// if event is not from the sender, then check with the authz module.
isAllowed, _ = authorization.IsAllowed(authz.AuthorizationArgs{
RoomId: vars["roomID"],
UserId: device.UserID,
Permission: authz.PermissionRedact,
})
}
if !isAllowed {
return util.JSONResponse{
Code: http.StatusUnauthorized,
JSON: jsonerror.Forbidden("Unauthorised"),
}
}
txnID := vars["txnId"] txnID := vars["txnId"]
return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, &txnID, transactionsCache) return SendRedaction(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI, &txnID, transactionsCache)
}), }),