Allow users to redact their own events

2024-07-02 09:28:20 +02:00 · 2015-08-28 15:31:49 +01:00 · 2015-08-28 15:31:49 +01:00 · 8256a8ece7
parent 4c56928263
commit 8256a8ece7
2 changed files with 42 additions and 10 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -20,7 +20,7 @@ from twisted.internet import defer
 from synapse.api.constants import EventTypes, Membership, JoinRules
 from synapse.api.errors import AuthError, Codes, SynapseError
 from synapse.util.logutils import log_function
-from synapse.types import UserID
+from synapse.types import UserID, EventID

 import logging

@ -91,7 +91,7 @@ class Auth(object):
                self._check_power_levels(event, auth_events)

            if event.type == EventTypes.Redaction:
-                self._check_redaction(event, auth_events)
+                self.check_redaction(event, auth_events)

            logger.debug("Allowing! %s", event)
        except AuthError as e:
@ -541,16 +541,33 @@ class Auth(object):

        return True

-    def _check_redaction(self, event, auth_events):
+    def check_redaction(self, event, auth_events):
+        """Check whether the event sender is allowed to redact the target event.
+
+        Returns:
+            True if the the sender is allowed to redact the target event if the
+            target event was created by them.
+            False if the sender is allowed to redact the target event with no
+            further checks.
+
+        Raises:
+            AuthError if the event sender is definitely not allowed to redact
+            the target event.
+        """
        user_level = self._get_user_power_level(event.user_id, auth_events)

        redact_level = self._get_named_level(auth_events, "redact", 50)

-        if user_level < redact_level:
-            raise AuthError(
-                403,
-                "You don't have permission to redact events"
-            )
+        if user_level > redact_level:
+            return False
+
+        if EventID.from_string(event.redacts).domain == self.hs.get_config().server_name:
+            return True
+
+        raise AuthError(
+            403,
+            "You don't have permission to redact events"
+        )

    def _check_power_levels(self, event, auth_events):
        user_list = event.content.get("users", {})
--- a/synapse/handlers/_base.py
+++ b/synapse/handlers/_base.py
@ -15,7 +15,7 @@

 from twisted.internet import defer

-from synapse.api.errors import LimitExceededError, SynapseError
+from synapse.api.errors import LimitExceededError, SynapseError, AuthError
 from synapse.crypto.event_signing import add_hashes_and_signatures
 from synapse.api.constants import Membership, EventTypes
 from synapse.types import UserID, RoomAlias
@ -131,7 +131,7 @@ class BaseHandler(object):
                    )

        if event.type == EventTypes.CanonicalAlias:
-            # Check the alias is acually valid (at this time at least)
+            # Check the alias is actually valid (at this time at least)
            room_alias_str = event.content.get("alias", None)
            if room_alias_str:
                room_alias = RoomAlias.from_string(room_alias_str)
@ -146,6 +146,21 @@ class BaseHandler(object):
                        )
                    )

+        if event.type == EventTypes.Redaction:
+            if self.auth.check_redaction(event, auth_events=context.current_state):
+                original_event = yield self.store.get_event(
+                    event.redacts,
+                    check_redacted=False,
+                    get_prev_content=False,
+                    allow_rejected=False,
+                    allow_none=False
+                )
+                if event.user_id != original_event.user_id:
+                    raise AuthError(
+                        403,
+                        "You don't have permission to redact events"
+                    )
+
        destinations = set(extra_destinations)
        for k, s in context.current_state.items():
            try: