Return m.change_password.enabled=false if local database is disabled (#9588)
This replaces the previous check of whether the user has a password hash. It allows an SSO user to add a password to their account, but only if the local password database is configured.
parent
e3bc0e6f7c
commit
8000cf1315
4 changed files with 58 additions and 15 deletions
1
changelog.d/9588.bugfix
Normal file
1
changelog.d/9588.bugfix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Fix the `/capabilities` endpoint to return `m.change_password` as disabled if the local password database is not used for authentication. Contributed by @dklimpel.
|
|
@ -886,6 +886,19 @@ class AuthHandler(BaseHandler):
|
||||||
)
|
)
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
def can_change_password(self) -> bool:
|
||||||
|
"""Get whether users on this server are allowed to change or set a password.
|
||||||
|
|
||||||
|
Both `config.password_enabled` and `config.password_localdb_enabled` must be true.
|
||||||
|
|
||||||
|
Note that any account (even SSO accounts) are allowed to add passwords if the above
|
||||||
|
is true.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
Whether users on this server are allowed to change or set a password
|
||||||
|
"""
|
||||||
|
return self._password_enabled and self._password_localdb_enabled
|
||||||
|
|
||||||
def get_supported_login_types(self) -> Iterable[str]:
|
def get_supported_login_types(self) -> Iterable[str]:
|
||||||
"""Get a the login types supported for the /login API
|
"""Get a the login types supported for the /login API
|
||||||
|
|
||||||
|
|
|
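Review bot: The docstring of `can_change_password` says SSO accounts may add a password whenever both settings are true, but it does not spell out the consequence for a deployment that relies on the identity provider for its authentication policy: a locally set password is a second credential that is checked without involving the IdP. I would add a sentence such as `Operators who want SSO to be the only way to log in must disable password_config.enabled or password_config.localdb_enabled.` The docstring also names `config.password_enabled` and `config.password_localdb_enabled`, while the return statement reads `self._password_enabled` and `self._password_localdb_enabled`, which are assigned outside this hunk; naming the attributes actually read would keep the two in step. Whether the password-change path itself enforces this predicate is not visible here, so the method should be read as advisory until that is confirmed.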
@ -13,12 +13,18 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import logging
|
import logging
|
||||||
|
from typing import TYPE_CHECKING, Tuple
|
||||||
|
|
||||||
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
||||||
from synapse.http.servlet import RestServlet
|
from synapse.http.servlet import RestServlet
|
||||||
|
from synapse.http.site import SynapseRequest
|
||||||
|
from synapse.types import JsonDict
|
||||||
|
|
||||||
from ._base import client_patterns
|
from ._base import client_patterns
|
||||||
|
|
||||||
|
if TYPE_CHECKING:
|
||||||
|
from synapse.server import HomeServer
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,21 +33,16 @@ class CapabilitiesRestServlet(RestServlet):
|
||||||
|
|
||||||
PATTERNS = client_patterns("/capabilities$")
|
PATTERNS = client_patterns("/capabilities$")
|
||||||
|
|
||||||
def __init__(self, hs):
|
def __init__(self, hs: "HomeServer"):
|
||||||
"""
|
|
||||||
Args:
|
|
||||||
hs (synapse.server.HomeServer): server
|
|
||||||
"""
|
|
||||||
super().__init__()
|
super().__init__()
|
||||||
self.hs = hs
|
self.hs = hs
|
||||||
self.config = hs.config
|
self.config = hs.config
|
||||||
self.auth = hs.get_auth()
|
self.auth = hs.get_auth()
|
||||||
self.store = hs.get_datastore()
|
self.auth_handler = hs.get_auth_handler()
|
||||||
|
|
||||||
async def on_GET(self, request):
|
async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
||||||
requester = await self.auth.get_user_by_req(request, allow_guest=True)
|
await self.auth.get_user_by_req(request, allow_guest=True)
|
||||||
user = await self.store.get_user_by_id(requester.user.to_string())
|
change_password = self.auth_handler.can_change_password()
|
||||||
change_password = bool(user["password_hash"])
|
|
||||||
|
|
||||||
response = {
|
response = {
|
||||||
"capabilities": {
|
"capabilities": {
|
||||||
|
@ -58,5 +59,5 @@ class CapabilitiesRestServlet(RestServlet):
|
||||||
return 200, response
|
return 200, response
|
||||||
|
|
||||||
|
|
||||||
def register_servlets(hs, http_server):
|
def register_servlets(hs: "HomeServer", http_server):
|
||||||
CapabilitiesRestServlet(hs).register(http_server)
|
CapabilitiesRestServlet(hs).register(http_server)
|
||||||
|
|
|
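Review bot: In `on_GET` the result of `self.auth.get_user_by_req(request, allow_guest=True)` is now discarded, so the call reads like dead code even though it is the only thing on this path that requires an access token. A comment on that line, `# Authenticate only; the capability is server-wide and no longer depends on the requester.`, would stop a later cleanup from removing it. Because the answer no longer depends on the account, a guest token (still accepted through `allow_guest=True`) receives the same `m.change_password` value as a full user; if guests must not set a password, that is presumably enforced elsewhere, which this section does not show. `register_servlets` annotates `hs` but leaves `http_server` untyped.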
@ -18,6 +18,7 @@ from synapse.rest.client.v1 import login
|
||||||
from synapse.rest.client.v2_alpha import capabilities
|
from synapse.rest.client.v2_alpha import capabilities
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
from tests.unittest import override_config
|
||||||
|
|
||||||
|
|
||||||
class CapabilitiesTestCase(unittest.HomeserverTestCase):
|
class CapabilitiesTestCase(unittest.HomeserverTestCase):
|
||||||
|
@ -33,6 +34,7 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase):
|
||||||
hs = self.setup_test_homeserver()
|
hs = self.setup_test_homeserver()
|
||||||
self.store = hs.get_datastore()
|
self.store = hs.get_datastore()
|
||||||
self.config = hs.config
|
self.config = hs.config
|
||||||
|
self.auth_handler = hs.get_auth_handler()
|
||||||
return hs
|
return hs
|
||||||
|
|
||||||
def test_check_auth_required(self):
|
def test_check_auth_required(self):
|
||||||
|
@ -56,7 +58,7 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase):
|
||||||
capabilities["m.room_versions"]["default"],
|
capabilities["m.room_versions"]["default"],
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_get_change_password_capabilities(self):
|
def test_get_change_password_capabilities_password_login(self):
|
||||||
localpart = "user"
|
localpart = "user"
|
||||||
password = "pass"
|
password = "pass"
|
||||||
user = self.register_user(localpart, password)
|
user = self.register_user(localpart, password)
|
||||||
|
@ -66,10 +68,36 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase):
|
||||||
capabilities = channel.json_body["capabilities"]
|
capabilities = channel.json_body["capabilities"]
|
||||||
|
|
||||||
self.assertEqual(channel.code, 200)
|
self.assertEqual(channel.code, 200)
|
||||||
|
|
||||||
# Test case where password is handled outside of Synapse
|
|
||||||
self.assertTrue(capabilities["m.change_password"]["enabled"])
|
self.assertTrue(capabilities["m.change_password"]["enabled"])
|
||||||
self.get_success(self.store.user_set_password_hash(user, None))
|
|
||||||
|
@override_config({"password_config": {"localdb_enabled": False}})
|
||||||
|
def test_get_change_password_capabilities_localdb_disabled(self):
|
||||||
|
localpart = "user"
|
||||||
|
password = "pass"
|
||||||
|
user = self.register_user(localpart, password)
|
||||||
|
access_token = self.get_success(
|
||||||
|
self.auth_handler.get_access_token_for_user_id(
|
||||||
|
user, device_id=None, valid_until_ms=None
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
channel = self.make_request("GET", self.url, access_token=access_token)
|
||||||
|
capabilities = channel.json_body["capabilities"]
|
||||||
|
|
||||||
|
self.assertEqual(channel.code, 200)
|
||||||
|
self.assertFalse(capabilities["m.change_password"]["enabled"])
|
||||||
|
|
||||||
|
@override_config({"password_config": {"enabled": False}})
|
||||||
|
def test_get_change_password_capabilities_password_disabled(self):
|
||||||
|
localpart = "user"
|
||||||
|
password = "pass"
|
||||||
|
user = self.register_user(localpart, password)
|
||||||
|
access_token = self.get_success(
|
||||||
|
self.auth_handler.get_access_token_for_user_id(
|
||||||
|
user, device_id=None, valid_until_ms=None
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
channel = self.make_request("GET", self.url, access_token=access_token)
|
channel = self.make_request("GET", self.url, access_token=access_token)
|
||||||
capabilities = channel.json_body["capabilities"]
|
capabilities = channel.json_body["capabilities"]
|
||||||
|
|
||||||
|
|
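Review bot: The case this commit is written for, an account without a password hash on a server where the local database is enabled, is no longer tested: the removed line `self.get_success(self.store.user_set_password_hash(user, None))` was the only visible coverage of a hash-less user, and `test_get_change_password_capabilities_password_login` now stops at the `assertTrue`. Keeping that call and then asserting `self.assertTrue(capabilities["m.change_password"]["enabled"])` on a second request would pin the new behaviour for SSO-style accounts. The two new tests repeat the register, token and request sequence verbatim, so a small private helper on the test case would keep them in step. The end of `test_get_change_password_capabilities_password_disabled` lies outside the last hunk.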