Allow reading state if history_visibility is world readable
See https://matrix.org/docs/spec/client_server/r0.6.1#id87next
parent
9f487dd93a
commit
243126d393
|
@ -8,7 +8,11 @@ use ruma::{
|
||||||
send_state_event_for_empty_key, send_state_event_for_key,
|
send_state_event_for_empty_key, send_state_event_for_key,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
events::{AnyStateEventContent, EventContent},
|
events::{
|
||||||
|
room::history_visibility::HistoryVisibility,
|
||||||
|
room::history_visibility::HistoryVisibilityEventContent, AnyStateEventContent,
|
||||||
|
EventContent, EventType,
|
||||||
|
},
|
||||||
EventId, RoomId, UserId,
|
EventId, RoomId, UserId,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -97,12 +101,29 @@ pub fn get_state_events_route(
|
||||||
) -> ConduitResult<get_state_events::Response> {
|
) -> ConduitResult<get_state_events::Response> {
|
||||||
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
||||||
|
|
||||||
|
// Users not in the room should not be able to access the state unless history_visibility is
|
||||||
|
// WorldReadable
|
||||||
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
||||||
|
if !matches!(
|
||||||
|
db.rooms
|
||||||
|
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
|
||||||
|
.map(|event| {
|
||||||
|
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
|
||||||
|
.map_err(|_| {
|
||||||
|
Error::bad_database(
|
||||||
|
"Invalid room history visibility event in database.",
|
||||||
|
)
|
||||||
|
})
|
||||||
|
.map(|e| e.history_visibility)
|
||||||
|
}),
|
||||||
|
Some(Ok(HistoryVisibility::WorldReadable))
|
||||||
|
) {
|
||||||
return Err(Error::BadRequest(
|
return Err(Error::BadRequest(
|
||||||
ErrorKind::Forbidden,
|
ErrorKind::Forbidden,
|
||||||
"You don't have permission to view the room state.",
|
"You don't have permission to view the room state.",
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Ok(get_state_events::Response {
|
Ok(get_state_events::Response {
|
||||||
room_state: db
|
room_state: db
|
||||||
|
@ -125,12 +146,29 @@ pub fn get_state_events_for_key_route(
|
||||||
) -> ConduitResult<get_state_events_for_key::Response> {
|
) -> ConduitResult<get_state_events_for_key::Response> {
|
||||||
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
||||||
|
|
||||||
|
// Users not in the room should not be able to access the state unless history_visibility is
|
||||||
|
// WorldReadable
|
||||||
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
||||||
|
if !matches!(
|
||||||
|
db.rooms
|
||||||
|
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
|
||||||
|
.map(|event| {
|
||||||
|
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
|
||||||
|
.map_err(|_| {
|
||||||
|
Error::bad_database(
|
||||||
|
"Invalid room history visibility event in database.",
|
||||||
|
)
|
||||||
|
})
|
||||||
|
.map(|e| e.history_visibility)
|
||||||
|
}),
|
||||||
|
Some(Ok(HistoryVisibility::WorldReadable))
|
||||||
|
) {
|
||||||
return Err(Error::BadRequest(
|
return Err(Error::BadRequest(
|
||||||
ErrorKind::Forbidden,
|
ErrorKind::Forbidden,
|
||||||
"You don't have permission to view the room state.",
|
"You don't have permission to view the room state.",
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let event = db
|
let event = db
|
||||||
.rooms
|
.rooms
|
||||||
|
@ -157,12 +195,29 @@ pub fn get_state_events_for_empty_key_route(
|
||||||
) -> ConduitResult<get_state_events_for_empty_key::Response> {
|
) -> ConduitResult<get_state_events_for_empty_key::Response> {
|
||||||
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
let sender_id = body.sender_id.as_ref().expect("user is authenticated");
|
||||||
|
|
||||||
|
// Users not in the room should not be able to access the state unless history_visibility is
|
||||||
|
// WorldReadable
|
||||||
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
if !db.rooms.is_joined(sender_id, &body.room_id)? {
|
||||||
|
if !matches!(
|
||||||
|
db.rooms
|
||||||
|
.room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
|
||||||
|
.map(|event| {
|
||||||
|
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
|
||||||
|
.map_err(|_| {
|
||||||
|
Error::bad_database(
|
||||||
|
"Invalid room history visibility event in database.",
|
||||||
|
)
|
||||||
|
})
|
||||||
|
.map(|e| e.history_visibility)
|
||||||
|
}),
|
||||||
|
Some(Ok(HistoryVisibility::WorldReadable))
|
||||||
|
) {
|
||||||
return Err(Error::BadRequest(
|
return Err(Error::BadRequest(
|
||||||
ErrorKind::Forbidden,
|
ErrorKind::Forbidden,
|
||||||
"You don't have permission to view the room state.",
|
"You don't have permission to view the room state.",
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let event = db
|
let event = db
|
||||||
.rooms
|
.rooms
|
||||||
|
|
Loading…
Reference in New Issue