Actually auth-check to ensure people can only send typing notifications for rooms they're actually in

2014-12-11 18:11:43 +00:00 · 2014-12-11 18:11:43 +00:00 · 5ebc994f84
commit 5ebc994f84
parent 966c4b2b04
2 changed files with 14 additions and 0 deletions
--- a/synapse/handlers/typing.py
+++ b/synapse/handlers/typing.py
@ -67,6 +67,8 @@ class TypingNotificationHandler(BaseHandler):
        if target_user != auth_user:
            raise AuthError(400, "Cannot set another user's typing state")

+        yield self.auth.check_joined_room(room_id, target_user.to_string())
+
        logger.debug(
            "%s has started typing in %s", target_user.to_string(), room_id
        )
@ -102,6 +104,8 @@ class TypingNotificationHandler(BaseHandler):
        if target_user != auth_user:
            raise AuthError(400, "Cannot set another user's typing state")

+        yield self.auth.check_joined_room(room_id, target_user.to_string())
+
        logger.debug(
            "%s has stopped typing in %s", target_user.to_string(), room_id
        )
--- a/tests/handlers/test_typing.py
+++ b/tests/handlers/test_typing.py
@ -22,6 +22,7 @@ import json

 from ..utils import MockHttpResource, MockClock, DeferredMockCallable, MockKey

+from synapse.api.errors import AuthError
 from synapse.server import HomeServer
 from synapse.handlers.typing import TypingNotificationHandler

@ -68,7 +69,10 @@ class TypingNotificationsTestCase(unittest.TestCase):
        mock_notifier = Mock(spec=["on_new_user_event"])
        self.on_new_user_event = mock_notifier.on_new_user_event

+        self.auth = Mock(spec=[])
+
        hs = HomeServer("test",
+                auth=self.auth,
                clock=self.clock,
                db_pool=None,
                datastore=Mock(spec=[
@ -142,6 +146,12 @@ class TypingNotificationsTestCase(unittest.TestCase):
        self.room_member_handler.fetch_room_distributions_into = (
                fetch_room_distributions_into)

+        def check_joined_room(room_id, user_id):
+            if user_id not in [u.to_string() for u in self.room_members]:
+                raise AuthError(401, "User is not in the room")
+
+        self.auth.check_joined_room = check_joined_room
+
        # Some local users to test with
        self.u_apple = hs.parse_userid("@apple:test")
        self.u_banana = hs.parse_userid("@banana:test")