Sanitise a user's powerlevel to an int() before numerical comparison, because otherwise Python is "helpful" with it (SYN-351)

2015-04-21 20:18:29 +01:00 · 2015-04-21 20:18:29 +01:00 · 3a7d7a3f22
parent 6080830bef
commit 3a7d7a3f22
1 changed files with 7 additions and 0 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -189,6 +189,12 @@ class Auth(object):
            auth_events,
        )

+        # TODO(paul): There's an awful lot of int()-casting in this code;
+        #   surely we should be squashing strings to integers at a higher
+        #   level, maybe when we insert?
+        if user_level is not None:
+            user_level = int(user_level)
+
        ban_level, kick_level, redact_level = (
            self._get_ops_level_from_event_state(
                event,
@ -269,6 +275,7 @@ class Auth(object):
                        403, "You cannot kick user %s." % target_user_id
                    )
        elif Membership.BAN == membership:
+            print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level)
            if user_level < ban_level:
                raise AuthError(403, "You don't have permission to ban")
        else: