From 5ebc994f841508beb48f06d22073e08845c5f593 Mon Sep 17 00:00:00 2001 From: "Paul \"LeoNerd\" Evans" Date: Thu, 11 Dec 2014 18:11:43 +0000 Subject: [PATCH] Actually auth-check to ensure people can only send typing notifications for rooms they're actually in --- synapse/handlers/typing.py | 4 ++++ tests/handlers/test_typing.py | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/synapse/handlers/typing.py b/synapse/handlers/typing.py index c55221c6df..fa903c251c 100644 --- a/synapse/handlers/typing.py +++ b/synapse/handlers/typing.py @@ -67,6 +67,8 @@ class TypingNotificationHandler(BaseHandler): if target_user != auth_user: raise AuthError(400, "Cannot set another user's typing state") + yield self.auth.check_joined_room(room_id, target_user.to_string()) + logger.debug( "%s has started typing in %s", target_user.to_string(), room_id ) @@ -102,6 +104,8 @@ class TypingNotificationHandler(BaseHandler): if target_user != auth_user: raise AuthError(400, "Cannot set another user's typing state") + yield self.auth.check_joined_room(room_id, target_user.to_string()) + logger.debug( "%s has stopped typing in %s", target_user.to_string(), room_id ) diff --git a/tests/handlers/test_typing.py b/tests/handlers/test_typing.py index b858f96323..bc19db8dfa 100644 --- a/tests/handlers/test_typing.py +++ b/tests/handlers/test_typing.py @@ -22,6 +22,7 @@ import json from ..utils import MockHttpResource, MockClock, DeferredMockCallable, MockKey +from synapse.api.errors import AuthError from synapse.server import HomeServer from synapse.handlers.typing import TypingNotificationHandler @@ -68,7 +69,10 @@ class TypingNotificationsTestCase(unittest.TestCase): mock_notifier = Mock(spec=["on_new_user_event"]) self.on_new_user_event = mock_notifier.on_new_user_event + self.auth = Mock(spec=[]) + hs = HomeServer("test", + auth=self.auth, clock=self.clock, db_pool=None, datastore=Mock(spec=[ 
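Review bot: The membership check added after the `target_user != auth_user` guard in the first synapse/handlers/typing.py hunk (and repeated verbatim in the second hunk at `-102,6 +104,8`) discards its result, so a rejection can only surface as an exception propagating out of the `yield`, and nothing in the code says so. A comment above the call such as `# Reject unless target_user is joined to room_id; the check raises rather than returning a value` would make that control flow explicit. Because both handlers now carry the same pair of guards, a small private helper performing both would keep them from drifting apart. The patch touches only these two paths, so it is worth confirming that any other entry point that sets typing state, for example notifications received from other servers, applies an equivalent room-membership check; none is visible here. Both enclosing methods start and end outside their hunks.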
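Review bot: On the stop path in the second synapse/handlers/typing.py hunk (`-102,6 +104,8`), the new `check_joined_room` call means a user who has already left the room can no longer clear their own typing state through this handler. Whether typing state is cleared when a user leaves, or by a timeout, is not visible in this hunk; if it is not, the indicator could linger for the remaining members. Confirm which path clears it and record the intent next to the check, e.g. `# Non-members cannot stop typing here; their state is cleared by <leave/timeout path - fill in>`. The enclosing method starts and ends outside the hunk.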
@@ -142,6 +146,12 @@ class TypingNotificationsTestCase(unittest.TestCase): self.room_member_handler.fetch_room_distributions_into = ( fetch_room_distributions_into) + def check_joined_room(room_id, user_id): + if user_id not in [u.to_string() for u in self.room_members]: + raise AuthError(401, "User is not in the room") + + self.auth.check_joined_room = check_joined_room + # Some local users to test with self.u_apple = hs.parse_userid("@apple:test") self.u_banana = hs.parse_userid("@banana:test")
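Review bot: The `check_joined_room` stub added to setUp is never exercised on its failing branch by anything in this patch. The diffstat shows only these ten setup lines in tests/handlers/test_typing.py, so the new authorization check ships without a test that a non-member is rejected. Add a case that calls the start-typing and stop-typing handlers for a user who is not in `self.room_members` and asserts that `AuthError` is raised and that `on_new_user_event` was not called. The stub also hard-codes status 401; confirm that this matches what the real `check_joined_room` raises, so that assertions on the error code do not diverge from production behaviour. setUp continues outside the hunk.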