Merge commit '96bcc5d902' into release-v1.80

release-v1.80
Richard van der Hoff 2023-03-21 19:59:28 +00:00
commit a9216edbaa
9 changed files with 76 additions and 11 deletions

1
changelog.d/15298.bugfix Normal file
View File

@ -0,0 +1 @@
Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249).

1
changelog.d/15300.bugfix Normal file
View File

@ -0,0 +1 @@
Fix a bug in which the [`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid) endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with [MSC2249](https://github.com/matrix-org/matrix-spec-proposals/pull/2249).

3
changelog.d/15301.bugfix Normal file
View File

@ -0,0 +1,3 @@
Fix a bug introduced in Synapse 1.75.0rc1 where the [SQLite port_db script](https://matrix-org.github.io/synapse/latest/postgres.html#porting-from-sqlite)
would fail to open the SQLite database.

View File

@ -88,6 +88,18 @@ process, for example:
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
``` ```
# Upgrading to v1.80.0
## Reporting events error code change
Before this update, the
[`POST /_matrix/client/v3/rooms/{roomId}/report/{eventId}`](https://spec.matrix.org/v1.6/client-server-api/#post_matrixclientv3roomsroomidreporteventid)
endpoint would return a `403` if a user attempted to report an event that they did not have access to.
This endpoint will now return a `404` in this case instead.
Clients that implement event reporting should check that their error handling code will handle this
change.
# Upgrading to v1.79.0 # Upgrading to v1.79.0
## The `on_threepid_bind` module callback method has been deprecated ## The `on_threepid_bind` module callback method has been deprecated

View File

@ -1329,7 +1329,7 @@ def main() -> None:
sqlite_config = { sqlite_config = {
"name": "sqlite3", "name": "sqlite3",
"args": { "args": {
"database": "file:{}?mode=rw".format(args.sqlite_database), "database": args.sqlite_database,
"cp_min": 1, "cp_min": 1,
"cp_max": 1, "cp_max": 1,
"check_same_thread": False, "check_same_thread": False,

View File

@ -159,15 +159,16 @@ class EventHandler:
Returns: Returns:
An event, or None if there is no event matching this ID. An event, or None if there is no event matching this ID.
Raises: Raises:
SynapseError if there was a problem retrieving this event, or AuthError: if the user does not have the rights to inspect this event.
AuthError if the user does not have the rights to inspect this
event.
""" """
redact_behaviour = ( redact_behaviour = (
EventRedactBehaviour.as_is if show_redacted else EventRedactBehaviour.redact EventRedactBehaviour.as_is if show_redacted else EventRedactBehaviour.redact
) )
event = await self.store.get_event( event = await self.store.get_event(
event_id, check_room_id=room_id, redact_behaviour=redact_behaviour event_id,
check_room_id=room_id,
redact_behaviour=redact_behaviour,
allow_none=True,
) )
if not event: if not event:

View File

@ -16,7 +16,7 @@ import logging
from http import HTTPStatus from http import HTTPStatus
from typing import TYPE_CHECKING, Tuple from typing import TYPE_CHECKING, Tuple
from synapse.api.errors import Codes, NotFoundError, SynapseError from synapse.api.errors import AuthError, Codes, NotFoundError, SynapseError
from synapse.http.server import HttpServer from synapse.http.server import HttpServer
from synapse.http.servlet import RestServlet, parse_json_object_from_request from synapse.http.servlet import RestServlet, parse_json_object_from_request
from synapse.http.site import SynapseRequest from synapse.http.site import SynapseRequest
@ -62,12 +62,18 @@ class ReportEventRestServlet(RestServlet):
Codes.BAD_JSON, Codes.BAD_JSON,
) )
event = await self._event_handler.get_event( try:
requester.user, room_id, event_id, show_redacted=False event = await self._event_handler.get_event(
) requester.user, room_id, event_id, show_redacted=False
)
except AuthError:
# The event exists, but this user is not allowed to access this event.
event = None
if event is None: if event is None:
raise NotFoundError( raise NotFoundError(
"Unable to report event: it does not exist or you aren't able to see it." "Unable to report event: "
"it does not exist or you aren't able to see it."
) )
await self.store.add_event_report( await self.store.add_event_report(

View File

@ -805,7 +805,6 @@ class EventsWorkerStore(SQLBaseStore):
# the events have been redacted, and if so pulling the redaction event # the events have been redacted, and if so pulling the redaction event
# out of the database to check it. # out of the database to check it.
# #
missing_events = {}
try: try:
# Try to fetch from any external cache. We already checked the # Try to fetch from any external cache. We already checked the
# in-memory cache above. # in-memory cache above.

View File

@ -84,6 +84,48 @@ class ReportEventTestCase(unittest.HomeserverTestCase):
access_token=self.other_user_tok, access_token=self.other_user_tok,
) )
self.assertEqual(404, channel.code, msg=channel.result["body"]) self.assertEqual(404, channel.code, msg=channel.result["body"])
self.assertEqual(
"Unable to report event: it does not exist or you aren't able to see it.",
channel.json_body["error"],
msg=channel.result["body"],
)
def test_cannot_report_event_if_not_in_room(self) -> None:
"""
Tests that we don't accept event reports for events that exist, but for which
the reporter should not be able to view (because they are not in the room).
"""
# Have the admin user create a room (the "other" user will not join this room).
new_room_id = self.helper.create_room_as(tok=self.admin_user_tok)
# Have the admin user send an event in this room.
response = self.helper.send_event(
new_room_id,
"m.room.message",
content={
"msgtype": "m.text",
"body": "This event has some bad words in it! Flip!",
},
tok=self.admin_user_tok,
)
event_id = response["event_id"]
# Have the "other" user attempt to report it. Perhaps they found the event ID
# in a screenshot or something...
channel = self.make_request(
"POST",
f"rooms/{new_room_id}/report/{event_id}",
{"reason": "I'm not in this room but I have opinions anyways!"},
access_token=self.other_user_tok,
)
# The "other" user is not in the room, so their report should be rejected.
self.assertEqual(404, channel.code, msg=channel.result["body"])
self.assertEqual(
"Unable to report event: it does not exist or you aren't able to see it.",
channel.json_body["error"],
msg=channel.result["body"],
)
def _assert_status(self, response_status: int, data: JsonDict) -> None: def _assert_status(self, response_status: int, data: JsonDict) -> None:
channel = self.make_request( channel = self.make_request(