Do not return allowed_room_ids from /hierarchy response. (#12175)
This field is only to be used in the Server-Server API, and not the Client-Server API, but was being leaked when a federation response was used in the /hierarchy API.
parent
d8bab6793c
commit
ca9234a9eb
3 changed files with 17 additions and 2 deletions
1
changelog.d/12175.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Fix a bug where non-standard information was returned from the `/hierarchy` API. Introduced in Synapse v1.41.0.
|
|
@ -295,7 +295,7 @@ class RoomSummaryHandler:
|
|||
# inaccessible to the requesting user.
|
||||
if room_entry:
|
||||
# Add the room (including the stripped m.space.child events).
|
||||
rooms_result.append(room_entry.as_json())
|
||||
rooms_result.append(room_entry.as_json(for_client=True))
|
||||
|
||||
# If this room is not at the max-depth, check if there are any
|
||||
# children to process.
|
||||
|
@ -843,14 +843,25 @@ class _RoomEntry:
|
|||
# This may not include all children.
|
||||
children_state_events: Sequence[JsonDict] = ()
|
||||
|
||||
def as_json(self) -> JsonDict:
|
||||
def as_json(self, for_client: bool = False) -> JsonDict:
|
||||
"""
|
||||
Returns a JSON dictionary suitable for the room hierarchy endpoint.
|
||||
|
||||
It returns the room summary including the stripped m.space.child events
|
||||
as a sub-key.
|
||||
|
||||
Args:
|
||||
for_client: If true, any server-server only fields are stripped from
|
||||
the result.
|
||||
|
||||
"""
|
||||
result = dict(self.room)
|
||||
|
||||
# Before returning to the client, remove the allowed_room_ids key, if it
|
||||
# exists.
|
||||
if for_client:
|
||||
result.pop("allowed_room_ids", False)
|
||||
|
||||
result["children_state"] = self.children_state_events
|
||||
return result
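Review bot: `as_json` keeps the server-server shape as its default (`for_client: bool = False`), so stripping `allowed_room_ids` is opt-in and any client-facing caller that forgets the flag still returns the field. Only the /hierarchy call site in the first hunk is visible on this page, so whether other client-facing callers exist cannot be confirmed from here. Making the argument keyword-only and required, `def as_json(self, *, for_client: bool) -> JsonDict:`, would force every call site, including the federation one, to state which API it serves. As a smaller style point, `result.pop("allowed_room_ids", False)` discards its return value, so `None` is the more conventional default.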
|
||||
|
||||
|
|
|
@ -172,6 +172,9 @@ class SpaceSummaryTestCase(unittest.HomeserverTestCase):
|
|||
result_room_ids = []
|
||||
result_children_ids = []
|
||||
for result_room in result["rooms"]:
|
||||
# Ensure federation results are not leaking over the client-server API.
|
||||
self.assertNotIn("allowed_room_ids", result_room)
|
||||
|
||||
result_room_ids.append(result_room["room_id"])
|
||||
result_children_ids.append(
|
||||
[
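Review bot: The added `self.assertNotIn("allowed_room_ids", result_room)` only proves something if at least one test passes this helper a result built from a federation response that actually carries `allowed_room_ids`. The fixtures are outside this hunk, so that cannot be confirmed here, and if none does, the assertion passes vacuously and the leak could return unnoticed. Consider having the mocked federation room entry include the key, for example `"allowed_room_ids": []` (a constructed sample value), so the stripping path is exercised. The enclosing helper starts and ends outside the hunk.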
|
||||
|
|