Allow reading state if history_visibility is world readable

See https://matrix.org/docs/spec/client_server/r0.6.1#id87
next
Timo Kösters 2020-10-18 16:19:14 +02:00
parent 9f487dd93a
commit 243126d393
No known key found for this signature in database
GPG Key ID: 24DA7517711A2BA4
1 changed files with 68 additions and 13 deletions

View File

@ -8,7 +8,11 @@ use ruma::{
send_state_event_for_empty_key, send_state_event_for_key, send_state_event_for_empty_key, send_state_event_for_key,
}, },
}, },
events::{AnyStateEventContent, EventContent}, events::{
room::history_visibility::HistoryVisibility,
room::history_visibility::HistoryVisibilityEventContent, AnyStateEventContent,
EventContent, EventType,
},
EventId, RoomId, UserId, EventId, RoomId, UserId,
}; };
@ -97,11 +101,28 @@ pub fn get_state_events_route(
) -> ConduitResult<get_state_events::Response> { ) -> ConduitResult<get_state_events::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated"); let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? { if !db.rooms.is_joined(sender_id, &body.room_id)? {
return Err(Error::BadRequest( if !matches!(
ErrorKind::Forbidden, db.rooms
"You don't have permission to view the room state.", .room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
)); .map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
} }
Ok(get_state_events::Response { Ok(get_state_events::Response {
@ -125,11 +146,28 @@ pub fn get_state_events_for_key_route(
) -> ConduitResult<get_state_events_for_key::Response> { ) -> ConduitResult<get_state_events_for_key::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated"); let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? { if !db.rooms.is_joined(sender_id, &body.room_id)? {
return Err(Error::BadRequest( if !matches!(
ErrorKind::Forbidden, db.rooms
"You don't have permission to view the room state.", .room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
)); .map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
} }
let event = db let event = db
@ -157,11 +195,28 @@ pub fn get_state_events_for_empty_key_route(
) -> ConduitResult<get_state_events_for_empty_key::Response> { ) -> ConduitResult<get_state_events_for_empty_key::Response> {
let sender_id = body.sender_id.as_ref().expect("user is authenticated"); let sender_id = body.sender_id.as_ref().expect("user is authenticated");
// Users not in the room should not be able to access the state unless history_visibility is
// WorldReadable
if !db.rooms.is_joined(sender_id, &body.room_id)? { if !db.rooms.is_joined(sender_id, &body.room_id)? {
return Err(Error::BadRequest( if !matches!(
ErrorKind::Forbidden, db.rooms
"You don't have permission to view the room state.", .room_state_get(&body.room_id, &EventType::RoomHistoryVisibility, "")?
)); .map(|event| {
serde_json::from_value::<HistoryVisibilityEventContent>(event.content)
.map_err(|_| {
Error::bad_database(
"Invalid room history visibility event in database.",
)
})
.map(|e| e.history_visibility)
}),
Some(Ok(HistoryVisibility::WorldReadable))
) {
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"You don't have permission to view the room state.",
));
}
} }
let event = db let event = db