Prevent clients from reporting nonexistent events. (#13779)
parent
69324c346c
commit
e9b1ff9f31
3 changed files with 23 additions and 1 deletions
1
changelog.d/13779.bugfix
Normal file
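--- a/changelog.d/13779.bugfix
+++ b/changelog.d/13779.bugfix
@@ -0,0 +1 @@
+Prevent clients from reporting nonexistent events.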
|
@ -16,7 +16,7 @@ import logging
|
||||||
from http import HTTPStatus
|
from http import HTTPStatus
|
||||||
from typing import TYPE_CHECKING, Tuple
|
from typing import TYPE_CHECKING, Tuple
|
||||||
|
|
||||||
from synapse.api.errors import Codes, SynapseError
|
from synapse.api.errors import Codes, NotFoundError, SynapseError
|
||||||
from synapse.http.server import HttpServer
|
from synapse.http.server import HttpServer
|
||||||
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||||
from synapse.http.site import SynapseRequest
|
from synapse.http.site import SynapseRequest
|
||||||
|
@ -39,6 +39,7 @@ class ReportEventRestServlet(RestServlet):
|
||||||
self.auth = hs.get_auth()
|
self.auth = hs.get_auth()
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.store = hs.get_datastores().main
|
self.store = hs.get_datastores().main
|
||||||
|
self._event_handler = self.hs.get_event_handler()
|
||||||
|
|
||||||
async def on_POST(
|
async def on_POST(
|
||||||
self, request: SynapseRequest, room_id: str, event_id: str
|
self, request: SynapseRequest, room_id: str, event_id: str
|
||||||
|
@ -61,6 +62,14 @@ class ReportEventRestServlet(RestServlet):
|
||||||
Codes.BAD_JSON,
|
Codes.BAD_JSON,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
event = await self._event_handler.get_event(
|
||||||
|
requester.user, room_id, event_id, show_redacted=False
|
||||||
|
)
|
||||||
|
if event is None:
|
||||||
|
raise NotFoundError(
|
||||||
|
"Unable to report event: it does not exist or you aren't able to see it."
|
||||||
|
)
|
||||||
|
|
||||||
await self.store.add_event_report(
|
await self.store.add_event_report(
|
||||||
room_id=room_id,
|
room_id=room_id,
|
||||||
event_id=event_id,
|
event_id=event_id,
|
||||||
|
|
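Review bot: The new check in `on_POST` turns only a `None` result from `self._event_handler.get_event(...)` into the 404, so any exception that call raises reaches the client with its own status code. `get_event` is defined outside this diff; if it raises an authorization error instead of returning `None` when the event exists but `requester.user` may not see it, the endpoint answers differently for "hidden" and "nonexistent" events. That would contradict the message "it does not exist or you aren't able to see it" and disclose whether an event ID exists. Wrapping the call in `try:` with `except AuthError: event = None` (and importing `AuthError` from `synapse.api.errors`) would make both cases return the same `NotFoundError`. Separately, `self.hs.get_event_handler()` relies on an attribute set outside the hunk, while the neighbouring lines use the local `hs`; `hs.get_event_handler()` would match them.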
|
@ -73,6 +73,18 @@ class ReportEventTestCase(unittest.HomeserverTestCase):
|
||||||
data = {"reason": None, "score": None}
|
data = {"reason": None, "score": None}
|
||||||
self._assert_status(400, data)
|
self._assert_status(400, data)
|
||||||
|
|
||||||
|
def test_cannot_report_nonexistent_event(self) -> None:
|
||||||
|
"""
|
||||||
|
Tests that we don't accept event reports for events which do not exist.
|
||||||
|
"""
|
||||||
|
channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
f"rooms/{self.room_id}/report/$nonsenseeventid:test",
|
||||||
|
{"reason": "i am very sad"},
|
||||||
|
access_token=self.other_user_tok,
|
||||||
|
)
|
||||||
|
self.assertEqual(404, channel.code, msg=channel.result["body"])
|
||||||
|
|
||||||
def _assert_status(self, response_status: int, data: JsonDict) -> None:
|
def _assert_status(self, response_status: int, data: JsonDict) -> None:
|
||||||
channel = self.make_request(
|
channel = self.make_request(
|
||||||
"POST", self.report_path, data, access_token=self.other_user_tok
|
"POST", self.report_path, data, access_token=self.other_user_tok
|
||||||
|
|
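Review bot: `test_cannot_report_nonexistent_event` exercises only an event ID that does not exist, so the other half of the new error message ("or you aren't able to see it") is untested. A second test should report a real event that the holder of `self.other_user_tok` cannot see, for example one sent in a room that user has not joined, and assert `404` in the same way. A third case worth pinning is a real event ID posted under a `room_id` it does not belong to. Without these, a later change could make hidden and nonexistent events return different statuses and no test would fail.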