Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Allow a user who could join a restricted room to see it in spaces summary. #9922

Merged
merged 18 commits into from
May 20, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/9922.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Experimental support to allow a user who could join a restricted room to view it in the spaces summary.
2 changes: 1 addition & 1 deletion synapse/federation/transport/server.py
Original file line number Diff line number Diff line change
Expand Up @@ -1428,7 +1428,7 @@ async def on_POST(
)

return 200, await self.handler.federation_space_summary(
room_id, suggested_only, max_rooms_per_space, exclude_rooms
origin, room_id, suggested_only, max_rooms_per_space, exclude_rooms
)


Expand Down
104 changes: 83 additions & 21 deletions synapse/handlers/event_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from typing import TYPE_CHECKING, Optional
from typing import TYPE_CHECKING, Collection, Optional

from synapse.api.constants import EventTypes, JoinRules, Membership
from synapse.api.errors import AuthError
Expand Down Expand Up @@ -59,32 +59,76 @@ async def check_restricted_join_rules(
):
return

# This is not a room with a restricted join rule, so we don't need to do the
# restricted room specific checks.
#
# Note: We'll be applying the standard join rule checks later, which will
# catch the cases of e.g. trying to join private rooms without an invite.
if not await self.has_restricted_join_rules(state_ids, room_version):
return
clokep marked this conversation as resolved.
Show resolved Hide resolved

# Get the spaces which allow access to this room and check if the user is
# in any of them.
allowed_spaces = await self.get_spaces_that_allow_join(state_ids)
if not await self.is_user_in_rooms(allowed_spaces, user_id):
raise AuthError(
403,
"You do not belong to any of the required spaces to join this room.",
)

async def has_restricted_join_rules(
clokep marked this conversation as resolved.
Show resolved Hide resolved
self, state_ids: StateMap[str], room_version: RoomVersion
) -> bool:
"""
Return if the room has the proper join rules set for access via spaces.

Args:
state_ids: The state of the room as it currently is.
room_version: The room version of the room to query.

Returns:
True if the proper room version and join rules are set for restricted access.
"""
# This only applies to room versions which support the new join rule.
if not room_version.msc3083_join_rules:
return
return False

# If there's no join rule, then it defaults to invite (so this doesn't apply).
join_rules_event_id = state_ids.get((EventTypes.JoinRules, ""), None)
if not join_rules_event_id:
return
return False

# If the join rule is not restricted, this doesn't apply.
join_rules_event = await self._store.get_event(join_rules_event_id)
return join_rules_event.content.get("join_rule") == JoinRules.MSC3083_RESTRICTED

async def get_spaces_that_allow_join(
self, state_ids: StateMap[str]
) -> Collection[str]:
"""
Generate a list of spaces which allow access to a room.

Args:
state_ids: The state of the room as it currently is.

Returns:
A collection of spaces which provide membership to the room.
"""
# If there's no join rule, then it defaults to invite (so this doesn't apply).
join_rules_event_id = state_ids.get((EventTypes.JoinRules, ""), None)
if not join_rules_event_id:
return ()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be tempted to also do a check of has_restricted_join_rules here as well

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then we'll do the check twice for every caller? 😕

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh, true. IDK.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As of now we end up re-fetching the join rules event twice too which is unfortunate.


# If the join rule is not restricted, this doesn't apply.
join_rules_event = await self._store.get_event(join_rules_event_id)
if join_rules_event.content.get("join_rule") != JoinRules.MSC3083_RESTRICTED:
return

# If allowed is of the wrong form, then only allow invited users.
allowed_spaces = join_rules_event.content.get("allow", [])
if not isinstance(allowed_spaces, list):
allowed_spaces = ()

# Get the list of joined rooms and see if there's an overlap.
if allowed_spaces:
joined_rooms = await self._store.get_rooms_for_user(user_id)
else:
joined_rooms = ()
return ()

# Pull out the other room IDs, invalid data gets filtered.
result = []
for space in allowed_spaces:
if not isinstance(space, dict):
continue
Expand All @@ -93,13 +137,31 @@ async def check_restricted_join_rules(
if not isinstance(space_id, str):
continue

# The user was joined to one of the spaces specified, they can join
# this room!
if space_id in joined_rooms:
return
result.append(space_id)

return result

async def is_user_in_rooms(self, room_ids: Collection[str], user_id: str) -> bool:
"""
Check whether a user is a member of any of the provided rooms.

Args:
room_ids: The rooms to check for membership.
user_id: The user to check.

Returns:
True if the user is in any of the rooms, false otherwise.
"""
if not room_ids:
return False

# Get the list of joined rooms and see if there's an overlap.
joined_rooms = await self._store.get_rooms_for_user(user_id)

# Check each room and see if the user is in it.
for room_id in room_ids:
if room_id in joined_rooms:
return True

# The user was not in any of the required spaces.
raise AuthError(
403,
"You do not belong to any of the required spaces to join this room.",
)
# The user was not in any of the rooms.
return False
Loading