Merge pull request #5124 from matrix-org/babolivier/aliases

Add some limitations to alias creation

Merge pull request #5124 from matrix-org/babolivier/aliases
c193b391 · Brendan Abolivier · GitHub · 0836cbb9 · 84196cb2 · c193b391
Unverified Commit c193b391 authored 5 years ago by Brendan Abolivier Committed by GitHub 5 years ago
--- a/changelog.d/5124.bugfix
+++ b/changelog.d/5124.bugfix
+Add some missing limitations to room alias creation.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -239,6 +239,11 @@ listeners:
 # Used by phonehome stats to group together related servers.
 #server_context: context

+# Whether to require a user to be in the room to add an alias to it.
+# Defaults to 'true'.
+#
+#require_membership_for_aliases: false
+

 ## TLS ##


--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -134,6 +134,12 @@ class ServerConfig(Config):
        # sending out any replication updates.
        self.replication_torture_level = config.get("replication_torture_level")

+        # Whether to require a user to be in the room to add an alias to it.
+        # Defaults to True.
+        self.require_membership_for_aliases = config.get(
+            "require_membership_for_aliases", True,
+        )
+
        self.listeners = []
        for listener in config.get("listeners", []):
            if not isinstance(listener.get("port", None), int):
@@ -490,6 +496,11 @@ class ServerConfig(Config):

        # Used by phonehome stats to group together related servers.
        #server_context: context
+
+        # Whether to require a user to be in the room to add an alias to it.
+        # Defaults to 'true'.
+        #
+        #require_membership_for_aliases: false
        """ % locals()

    def read_arguments(self, args):

--- a/synapse/handlers/directory.py
+++ b/synapse/handlers/directory.py
@@ -36,6 +36,7 @@ logger = logging.getLogger(__name__)


 class DirectoryHandler(BaseHandler):
+    MAX_ALIAS_LENGTH = 255

    def __init__(self, hs):
        super(DirectoryHandler, self).__init__(hs)
@@ -43,8 +44,10 @@ class DirectoryHandler(BaseHandler):
        self.state = hs.get_state_handler()
        self.appservice_handler = hs.get_application_service_handler()
        self.event_creation_handler = hs.get_event_creation_handler()
+        self.store = hs.get_datastore()
        self.config = hs.config
        self.enable_room_list_search = hs.config.enable_room_list_search
+        self.require_membership = hs.config.require_membership_for_aliases

        self.federation = hs.get_federation_client()
        hs.get_federation_registry().register_query_handler(
@@ -83,7 +86,7 @@ class DirectoryHandler(BaseHandler):

    @defer.inlineCallbacks
    def create_association(self, requester, room_alias, room_id, servers=None,
-                           send_event=True):
+                           send_event=True, check_membership=True):
        """Attempt to create a new alias

        Args:
@@ -93,6 +96,8 @@ class DirectoryHandler(BaseHandler):
            servers (list[str]|None): List of servers that others servers
                should try and join via
            send_event (bool): Whether to send an updated m.room.aliases event
+            check_membership (bool): Whether to check if the user is in the room
+                before the alias can be set (if the server's config requires it).

        Returns:
            Deferred
@@ -100,6 +105,13 @@ class DirectoryHandler(BaseHandler):

        user_id = requester.user.to_string()

+        if len(room_alias.to_string()) > self.MAX_ALIAS_LENGTH:
+            raise SynapseError(
+                400,
+                "Can't create aliases longer than %s characters" % self.MAX_ALIAS_LENGTH,
+                Codes.INVALID_PARAM,
+            )
+
        service = requester.app_service
        if service:
            if not service.is_interested_in_alias(room_alias.to_string()):
@@ -108,6 +120,14 @@ class DirectoryHandler(BaseHandler):
                    " this kind of alias.", errcode=Codes.EXCLUSIVE
                )
        else:
+            if self.require_membership and check_membership:
+                rooms_for_user = yield self.store.get_rooms_for_user(user_id)
+                if room_id not in rooms_for_user:
+                    raise AuthError(
+                        403,
+                        "You must be in the room to create an alias for it",
+                    )
+
            if not self.spam_checker.user_may_create_room_alias(user_id, room_alias):
                raise AuthError(
                    403, "This user is not permitted to create this alias",

--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@@ -402,7 +402,7 @@ class RoomCreationHandler(BaseHandler):
                yield directory_handler.create_association(
                    requester, RoomAlias.from_string(alias),
                    new_room_id, servers=(self.hs.hostname, ),
-                    send_event=False,
+                    send_event=False, check_membership=False,
                )
                logger.info("Moved alias %s to new room", alias)
            except SynapseError as e:
@@ -538,6 +538,7 @@ class RoomCreationHandler(BaseHandler):
                room_alias=room_alias,
                servers=[self.hs.hostname],
                send_event=False,
+                check_membership=False,
            )

        preset_config = config.get(