forked from MirrorHub/synapse
Only require consent for events with an associated request
There are a number of instances where a server or admin may puppet a user to join/leave rooms, which we don't want to fail if the user has not consented to the privacy policy. We fix this by adding a check to test if the requester has an associated access_token, which is used as a proxy to answer the question of whether the action is being done on behalf of a real request from the user.
This commit is contained in:
parent
67d618e111
commit
74c46d81fa
1 changed files with 5 additions and 1 deletions
|
@ -316,8 +316,12 @@ class EventCreationHandler(object):
|
|||
target, e
|
||||
)
|
||||
|
||||
# Check if the user has accepted the privacy policy. We only do this if
|
||||
# the requester has an associated access_token_id, which indicates that
|
||||
# this action came from a user request rather than an automatice server
|
||||
# or admin action.
|
||||
is_exempt = yield self._is_exempt_from_privacy_policy(builder, requester)
|
||||
if not is_exempt:
|
||||
if requester.access_token_id and not is_exempt:
|
||||
yield self.assert_accepted_privacy_policy(requester)
|
||||
|
||||
if token_id is not None:
|
||||
|
|
Loading…
Reference in a new issue