Check if user has the power level to edit the room visibility

2025-12-16 11:23:11 -06:00 · 2020-03-11 22:51:34 +05:30 · 2020-03-11 22:51:34 +05:30 · e03e541b48
parent 8bc5084d8d
commit e03e541b48
3 changed files with 49 additions and 5 deletions
--- a/publicroomsapi/directory/directory.go
+++ b/publicroomsapi/directory/directory.go
@ -17,6 +17,9 @@ package directory
 import (
 	"net/http"

+	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
+	"github.com/matrix-org/dendrite/roomserver/api"
+
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/publicroomsapi/storage"
@ -54,11 +57,50 @@ func GetVisibility(
 }

 // SetVisibility implements PUT /directory/list/room/{roomID}
-// TODO: Check if user has the power level to edit the room visibility
 func SetVisibility(
-	req *http.Request, publicRoomsDatabase storage.Database,
+	req *http.Request, publicRoomsDatabase storage.Database, queryAPI api.RoomserverQueryAPI, dev *authtypes.Device,
 	roomID string,
 ) util.JSONResponse {
+	queryMembershipReq := api.QueryMembershipForUserRequest{
+		RoomID: roomID,
+		UserID: dev.UserID,
+	}
+	var queryMembershipRes api.QueryMembershipForUserResponse
+	err := queryAPI.QueryMembershipForUser(req.Context(), &queryMembershipReq, &queryMembershipRes)
+	if err != nil {
+		util.GetLogger(req.Context()).WithError(err).Error("could not query membership for user")
+		return jsonerror.InternalServerError()
+	}
+	// Check if user id is in room
+	if !queryMembershipRes.IsInRoom {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("user does not belong to room"),
+		}
+	}
+	queryEventsReq := api.QueryLatestEventsAndStateRequest{
+		RoomID: roomID,
+		StateToFetch: []gomatrixserverlib.StateKeyTuple{{
+			EventType: gomatrixserverlib.MRoomPowerLevels,
+			StateKey:  "",
+		}},
+	}
+	var queryEventsRes api.QueryLatestEventsAndStateResponse
+	err = queryAPI.QueryLatestEventsAndState(req.Context(), &queryEventsReq, &queryEventsRes)
+	if err != nil {
+		util.GetLogger(req.Context()).WithError(err).Error("could not query events from room")
+		return jsonerror.InternalServerError()
+	}
+	power, _ := gomatrixserverlib.NewPowerLevelContentFromEvent(queryEventsRes.StateEvents[0])
+
+	//Check if the user's power is greater than power required to change m.room.aliases event
+	if power.UserLevel(dev.UserID) < power.EventLevel(gomatrixserverlib.MRoomAliases, true) {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("userID doesn't have power level to change visibility"),
+		}
+	}
+
 	var v roomVisibility
 	if reqErr := httputil.UnmarshalJSONRequest(req, &v); reqErr != nil {
 		return *reqErr
--- a/publicroomsapi/publicroomsapi.go
+++ b/publicroomsapi/publicroomsapi.go
@ -43,5 +43,5 @@ func SetupPublicRoomsAPIComponent(
 		logrus.WithError(err).Panic("failed to start public rooms server consumer")
 	}

-	routing.Setup(base.APIMux, deviceDB, publicRoomsDB)
+	routing.Setup(base.APIMux, deviceDB, publicRoomsDB, rsQueryAPI)
 }
--- a/publicroomsapi/routing/routing.go
+++ b/publicroomsapi/routing/routing.go
@ -17,6 +17,8 @@ package routing
 import (
 	"net/http"

+	"github.com/matrix-org/dendrite/roomserver/api"
+
 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/clientapi/auth"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
@ -34,7 +36,7 @@ const pathPrefixR0 = "/_matrix/client/r0"
 // Due to Setup being used to call many other functions, a gocyclo nolint is
 // applied:
 // nolint: gocyclo
-func Setup(apiMux *mux.Router, deviceDB devices.Database, publicRoomsDB storage.Database) {
+func Setup(apiMux *mux.Router, deviceDB devices.Database, publicRoomsDB storage.Database, queryAPI api.RoomserverQueryAPI) {
 	r0mux := apiMux.PathPrefix(pathPrefixR0).Subrouter()

 	authData := auth.Data{
@ -59,7 +61,7 @@ func Setup(apiMux *mux.Router, deviceDB devices.Database, publicRoomsDB storage.
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
-			return directory.SetVisibility(req, publicRoomsDB, vars["roomID"])
+			return directory.SetVisibility(req, publicRoomsDB, queryAPI, device, vars["roomID"])
 		}),
 	).Methods(http.MethodPut, http.MethodOptions)
 	r0mux.Handle("/publicRooms",