Only require consent for events with an associated request

There are a number of instances where a server or admin may puppet a user to join/leave rooms, which we don't want to fail if the user has not consented to the privacy policy. We fix this by adding a check to test if the requester has an associated access_token, which is used as a proxy to answer the question of whether the action is being done on behalf of a real request from the user.

Only require consent for events with an associated request
74c46d81 · Erik Johnston · 67d618e1 · 74c46d81
Commit 74c46d81 authored 6 years ago by Erik Johnston
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -316,8 +316,12 @@ class EventCreationHandler(object):
                        target, e
                    )
+        # Check if the user has accepted the privacy policy. We only do this if
+        # the requester has an associated access_token_id, which indicates that
+        # this action came from a user request rather than an automatice server
+        # or admin action.
        is_exempt = yield self._is_exempt_from_privacy_policy(builder, requester)
-        if not is_exempt:
+        if requester.access_token_id and not is_exempt:
            yield self.assert_accepted_privacy_policy(requester)
        if token_id is not None: