Prevent suspended users from sending encrypted messages (#18157)

Missed in the first round.
This commit is contained in:
Shay 2025-02-21 02:06:44 -08:00 committed by GitHub
parent caa1f9d806
commit 8fd7148e6a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 128 additions and 7 deletions

1
changelog.d/18157.bugfix Normal file
View file

@ -0,0 +1 @@
Prevent suspended users from sending encrypted messages.

View file

@ -644,11 +644,33 @@ class EventCreationHandler:
"""
await self.auth_blocking.check_auth_blocking(requester=requester)
if event_dict["type"] == EventTypes.Message:
requester_suspended = await self.store.get_user_suspended_status(
requester.user.to_string()
)
if requester_suspended:
requester_suspended = await self.store.get_user_suspended_status(
requester.user.to_string()
)
if requester_suspended:
# We want to allow suspended users to perform "corrective" actions
# asked of them by server admins, such as redact their messages and
# leave rooms.
if event_dict["type"] in ["m.room.redaction", "m.room.member"]:
if event_dict["type"] == "m.room.redaction":
event = await self.store.get_event(
event_dict["content"]["redacts"], allow_none=True
)
if event:
if event.sender != requester.user.to_string():
raise SynapseError(
403,
"You can only redact your own events while account is suspended.",
Codes.USER_ACCOUNT_SUSPENDED,
)
if event_dict["type"] == "m.room.member":
if event_dict["content"]["membership"] != "leave":
raise SynapseError(
403,
"Changing membership while account is suspended is not allowed.",
Codes.USER_ACCOUNT_SUSPENDED,
)
else:
raise SynapseError(
403,
"Sending messages while account is suspended is not allowed.",

View file

@ -1371,6 +1371,23 @@ class RoomJoinTestCase(RoomBase):
)
self.assertEqual(channel.json_body["errcode"], "M_USER_SUSPENDED")
def test_suspended_user_can_leave_room(self) -> None:
channel = self.make_request(
"POST", f"/join/{self.room1}", access_token=self.tok1
)
self.assertEqual(channel.code, 200)
# set the user as suspended
self.get_success(self.store.set_user_suspended_status(self.user1, True))
# leave room
channel = self.make_request(
"POST",
f"/rooms/{self.room1}/leave",
access_token=self.tok1,
)
self.assertEqual(channel.code, 200)
class RoomAppserviceTsParamTestCase(unittest.HomeserverTestCase):
servlets = [
@ -3989,10 +4006,25 @@ class UserSuspensionTests(unittest.HomeserverTestCase):
self.user2 = self.register_user("teresa", "hackme")
self.tok2 = self.login("teresa", "hackme")
self.room1 = self.helper.create_room_as(room_creator=self.user1, tok=self.tok1)
self.admin = self.register_user("admin", "pass", True)
self.admin_tok = self.login("admin", "pass")
self.room1 = self.helper.create_room_as(
room_creator=self.user1, tok=self.tok1, room_version="11"
)
self.store = hs.get_datastores().main
def test_suspended_user_cannot_send_message_to_room(self) -> None:
self.room2 = self.helper.create_room_as(
room_creator=self.user1, is_public=False, tok=self.tok1
)
self.helper.send_state(
self.room2,
EventTypes.RoomEncryption,
{EventContentFields.ENCRYPTION_ALGORITHM: "m.megolm.v1.aes-sha2"},
tok=self.tok1,
)
def test_suspended_user_cannot_send_message_to_public_room(self) -> None:
# set the user as suspended
self.get_success(self.store.set_user_suspended_status(self.user1, True))
@ -4004,6 +4036,24 @@ class UserSuspensionTests(unittest.HomeserverTestCase):
)
self.assertEqual(channel.json_body["errcode"], "M_USER_SUSPENDED")
def test_suspended_user_cannot_send_message_to_encrypted_room(self) -> None:
channel = self.make_request(
"PUT",
f"/_synapse/admin/v1/suspend/{self.user1}",
{"suspend": True},
access_token=self.admin_tok,
)
self.assertEqual(channel.code, 200)
self.assertEqual(channel.json_body, {f"user_{self.user1}_suspended": True})
channel = self.make_request(
"PUT",
f"/rooms/{self.room2}/send/m.room.encrypted/1",
access_token=self.tok1,
content={},
)
self.assertEqual(channel.json_body["errcode"], "M_USER_SUSPENDED")
def test_suspended_user_cannot_change_profile_data(self) -> None:
# set the user as suspended
self.get_success(self.store.set_user_suspended_status(self.user1, True))
@ -4069,3 +4119,51 @@ class UserSuspensionTests(unittest.HomeserverTestCase):
shorthand=False,
)
self.assertEqual(channel.code, 200)
channel = self.make_request(
"PUT",
f"/_matrix/client/v3/rooms/{self.room1}/send/m.room.redaction/3456346",
access_token=self.tok1,
content={"reason": "bogus", "redacts": event_id},
shorthand=False,
)
self.assertEqual(channel.json_body["errcode"], "M_USER_SUSPENDED")
channel = self.make_request(
"PUT",
f"/_matrix/client/v3/rooms/{self.room1}/send/m.room.redaction/3456346",
access_token=self.tok1,
content={"reason": "bogus", "redacts": event_id2},
shorthand=False,
)
self.assertEqual(channel.code, 200)
def test_suspended_user_cannot_ban_others(self) -> None:
# user to ban joins room user1 created
self.make_request("POST", f"/rooms/{self.room1}/join", access_token=self.tok2)
# suspend user1
self.get_success(self.store.set_user_suspended_status(self.user1, True))
# user1 tries to ban other user while suspended
channel = self.make_request(
"POST",
f"/_matrix/client/v3/rooms/{self.room1}/ban",
access_token=self.tok1,
content={"reason": "spite", "user_id": self.user2},
shorthand=False,
)
self.assertEqual(channel.json_body["errcode"], "M_USER_SUSPENDED")
# un-suspend user1
self.get_success(self.store.set_user_suspended_status(self.user1, False))
# ban now goes through
channel = self.make_request(
"POST",
f"/_matrix/client/v3/rooms/{self.room1}/ban",
access_token=self.tok1,
content={"reason": "spite", "user_id": self.user2},
shorthand=False,
)
self.assertEqual(channel.code, 200)