Prevent alias registration in AS exclusive namespace (#480)
* Prevent alias registration in AS exclusive namespace * Fix M_Exclusive errors so they return status 400 instead of 403. Signed-off-by: Andrew Morgan <andrewm@matrix.org> * Directly access namespace map instead of searching for key
parent
141fd91537
commit
1cc21d6bcd
4 changed files with 20 additions and 3 deletions
|
@ -112,7 +112,8 @@ func UserInUse(msg string) *MatrixError {
|
|||
|
||||
// ASExclusive is an error returned when an application service tries to
|
||||
// register an username that is outside of its registered namespace, or if a
|
||||
// user attempts to register a username within an exclusive namespace
|
||||
// user attempts to register a username or room alias within an exclusive
|
||||
// namespace.
|
||||
func ASExclusive(msg string) *MatrixError {
|
||||
return &MatrixError{"M_EXCLUSIVE", msg}
|
||||
}
|
||||
|
|
|
@ -146,6 +146,7 @@ func createRoom(req *http.Request, device *authtypes.Device,
|
|||
// TODO: visibility/presets/raw initial state/creation content
|
||||
|
||||
// TODO: Create room alias association
|
||||
// Make sure this doesn't fall into an application service's namespace though!
|
||||
|
||||
logger.WithFields(log.Fields{
|
||||
"userID": userID,
|
||||
|
|
|
@ -113,6 +113,21 @@ func SetLocalAlias(
|
|||
}
|
||||
}
|
||||
|
||||
// Check that the alias does not fall within an exclusive namespace of an
|
||||
// application service
|
||||
for _, appservice := range cfg.Derived.ApplicationServices {
|
||||
if userNamespaces, ok := appservice.NamespaceMap["users"]; ok {
|
||||
for _, namespace := range userNamespaces {
|
||||
if namespace.Exclusive && namespace.RegexpObject.MatchString(alias) {
|
||||
return util.JSONResponse{
|
||||
Code: http.StatusBadRequest,
|
||||
JSON: jsonerror.ASExclusive("Alias is reserved by an application service"),
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var r struct {
|
||||
RoomID string `json:"room_id"`
|
||||
}
|
||||
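Review bot: The new loop in SetLocalAlias matches the room alias against `appservice.NamespaceMap["users"]`, so an exclusive range that an application service registers under its `aliases` namespace is never consulted and the reservation this commit intends is not enforced; the lookup should read `if aliasNamespaces, ok := appservice.NamespaceMap["aliases"]; ok {`. The check as written also has no exemption for the application service that owns the namespace, so unless the caller is identified elsewhere in the function (SetLocalAlias starts and ends outside this hunk) the owner would receive M_EXCLUSIVE for its own aliases. The createRoom TODO added in this commit will need the same check once alias association is implemented, which argues for moving the loop into a shared helper rather than copying it.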
|
|
|
@ -363,7 +363,7 @@ func validateApplicationService(
|
|||
if !UsernameIsWithinApplicationServiceNamespace(cfg, username, matchedApplicationService) {
|
||||
// If we didn't find any matches, return M_EXCLUSIVE
|
||||
return "", &util.JSONResponse{
|
||||
Code: http.StatusUnauthorized,
|
||||
Code: http.StatusBadRequest,
|
||||
JSON: jsonerror.ASExclusive(fmt.Sprintf(
|
||||
"Supplied username %s did not match any namespaces for application service ID: %s", username, matchedApplicationService.ID)),
|
||||
}
|
||||
|
@ -372,7 +372,7 @@ func validateApplicationService(
|
|||
// Check this user does not fit multiple application service namespaces
|
||||
if UsernameMatchesMultipleExclusiveNamespaces(cfg, username) {
|
||||
return "", &util.JSONResponse{
|
||||
Code: http.StatusUnauthorized,
|
||||
Code: http.StatusBadRequest,
|
||||
JSON: jsonerror.ASExclusive(fmt.Sprintf(
|
||||
"Supplied username %s matches multiple exclusive application service namespaces. Only 1 match allowed", username)),
|
||||
}
|
||||
|
|