mirror of
https://github.com/matrix-construct/construct
synced 2024-12-25 23:14:13 +01:00
modules: Implement 13.29 room server access control list checks.
fixes #47.
This commit is contained in:
parent
f11126613e
commit
645ce4d8e2
15 changed files with 131 additions and 13 deletions
|
@ -78,6 +78,12 @@ get__backfill(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::event::id::buf event_id
|
||||
{
|
||||
request.query["v"]?
|
||||
|
|
|
@ -74,6 +74,12 @@ get__backfill_ids(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::event::id::buf event_id
|
||||
{
|
||||
request.query["v"]?
|
||||
|
|
|
@ -48,6 +48,12 @@ get__event_auth(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
if(request.parv.size() < 2)
|
||||
throw m::NEED_MORE_PARAMS
|
||||
{
|
||||
|
|
|
@ -75,6 +75,12 @@ get__missing_events(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
ssize_t limit
|
||||
{
|
||||
request["limit"]?
|
||||
|
|
|
@ -96,6 +96,12 @@ put__invite(client &client,
|
|||
"ID of room in request body does not match the path parameter."
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
check_event(request, event);
|
||||
|
||||
thread_local char sigs[4_KiB];
|
||||
|
|
|
@ -79,6 +79,12 @@ get__make_join(client &client,
|
|||
string_view{room_id}
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
if(!room.visible(user_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
|
|
|
@ -67,6 +67,12 @@ get__make_leave(client &client,
|
|||
"You are not permitted to spoof users on other hosts."
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
const m::room room
|
||||
{
|
||||
room_id
|
||||
|
|
|
@ -54,6 +54,12 @@ post__query_auth(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
if(request.parv.size() < 2)
|
||||
throw m::NEED_MORE_PARAMS
|
||||
{
|
||||
|
|
|
@ -101,6 +101,12 @@ put__send_join(client &client,
|
|||
"Event origin must be you."
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::vm::opts vmopts;
|
||||
vmopts.non_conform.set(m::event::conforms::MISSING_PREV_STATE);
|
||||
m::vm::eval eval
|
||||
|
|
|
@ -101,6 +101,12 @@ put__send_leave(client &client,
|
|||
"Event origin must be you."
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::vm::opts vmopts;
|
||||
vmopts.non_conform.set(m::event::conforms::MISSING_PREV_STATE);
|
||||
m::vm::eval eval
|
||||
|
|
|
@ -48,6 +48,12 @@ get__state(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::event::id::buf event_id;
|
||||
if(request.query["event_id"])
|
||||
event_id = url::decode(event_id, request.query.at("event_id"));
|
||||
|
|
|
@ -41,6 +41,12 @@ get__state_ids(client &client,
|
|||
url::decode(room_id, request.parv[0])
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"You are not permitted by the room's server access control list."
|
||||
};
|
||||
|
||||
m::event::id::buf event_id;
|
||||
if(request.query["event_id"])
|
||||
event_id = url::decode(event_id, request.query.at("event_id"));
|
||||
|
|
|
@ -72,6 +72,18 @@ handle_edu_m_receipt(const m::event &event,
|
|||
unquote(member.first)
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
|
||||
{
|
||||
log::dwarning
|
||||
{
|
||||
receipt_log, "Ignoring m.receipt from '%s' in %s :denied by m.room.server_acl.",
|
||||
json::get<"origin"_>(event),
|
||||
string_view{room_id},
|
||||
};
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
handle_m_receipt(event, room_id, member.second);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -173,25 +173,46 @@ _handle_edu_m_typing(const m::event &event,
|
|||
at<"user_id"_>(edu)
|
||||
};
|
||||
|
||||
const auto &origin
|
||||
{
|
||||
at<"origin"_>(event)
|
||||
};
|
||||
|
||||
// Check if this server can send an edu for this user. We make an exception
|
||||
// for our server to allow the timeout worker to use this codepath.
|
||||
if(!my_host(at<"origin"_>(event)) && user_id.host() != at<"origin"_>(event))
|
||||
{
|
||||
log::dwarning
|
||||
if(!my_host(origin))
|
||||
if(user_id.host() != origin)
|
||||
{
|
||||
typing_log, "Ignoring %s from %s for alien %s",
|
||||
at<"type"_>(event),
|
||||
at<"origin"_>(event),
|
||||
string_view{user_id}
|
||||
};
|
||||
log::dwarning
|
||||
{
|
||||
typing_log, "Ignoring %s from %s for alien %s",
|
||||
at<"type"_>(event),
|
||||
origin,
|
||||
string_view{user_id}
|
||||
};
|
||||
|
||||
return;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if this server can write to the room based on the m.room.server_acl.
|
||||
if(!my_host(origin))
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
|
||||
{
|
||||
log::dwarning
|
||||
{
|
||||
typing_log, "Ignoring %s from '%s' in %s :denied by m.room.server_acl.",
|
||||
at<"type"_>(event),
|
||||
origin,
|
||||
string_view{room_id},
|
||||
};
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
// Update the typing state map for edu's from other servers only; the
|
||||
// state map was already updated for our clients in the committer. Also
|
||||
// condition for skipping redundant updates here too based on the state.
|
||||
if(!my_host(at<"origin"_>(event)))
|
||||
if(!my_host(origin))
|
||||
{
|
||||
// Check if the user is actually in the room. The check is in this
|
||||
// branch for remote servers only because our committer above did this
|
||||
|
@ -203,7 +224,7 @@ _handle_edu_m_typing(const m::event &event,
|
|||
{
|
||||
typing_log, "Ignoring %s from %s for user %s because not in room '%s'",
|
||||
at<"type"_>(event),
|
||||
at<"origin"_>(event),
|
||||
origin,
|
||||
string_view{user_id},
|
||||
string_view{room_id},
|
||||
};
|
||||
|
@ -223,7 +244,7 @@ _handle_edu_m_typing(const m::event &event,
|
|||
log::info
|
||||
{
|
||||
typing_log, "%s %s %s typing in %s",
|
||||
at<"origin"_>(event),
|
||||
origin,
|
||||
string_view{user_id},
|
||||
json::get<"typing"_>(edu)? "started"_sv : "stopped"_sv,
|
||||
string_view{room_id}
|
||||
|
|
|
@ -638,6 +638,11 @@ ircd::m::vm::execute_pdu(eval &eval,
|
|||
at<"room_id"_>(event)
|
||||
};
|
||||
|
||||
const string_view &origin
|
||||
{
|
||||
at<"origin"_>(event)
|
||||
};
|
||||
|
||||
const string_view &type
|
||||
{
|
||||
at<"type"_>(event)
|
||||
|
@ -655,6 +660,14 @@ ircd::m::vm::execute_pdu(eval &eval,
|
|||
fault::EXISTS, "Event has already been evaluated."
|
||||
};
|
||||
|
||||
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
|
||||
throw m::ACCESS_DENIED
|
||||
{
|
||||
"Execution denied for '%s' by room %s server access control list.",
|
||||
origin,
|
||||
string_view{room_id}
|
||||
};
|
||||
|
||||
if(opts.verify && !verify(event))
|
||||
throw m::BAD_SIGNATURE
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue