Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Fix a missing await when in the spaces summary #10208

Merged
merged 7 commits into from
Jun 18, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/10208.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a bug introduced in v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this explains it well enough, but not awaiting there it means that you could have a room with allow set in the join rules, but a join rule of not restricted and those allow rules would still be applied.

Realistically I don't think this is user visible unless someone was messing with join rules in a weird way, although it means you could slightly leak data if you did this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this was more user-visible, I'd probably suggest rephrasing "an allow key of a m.room.join_rules event could be applied" with something more user-digestible, but as it's not it's likely more useful to be clear about what exactly the missing await affected. In which case, to a developer, this is very clear 🙂

3 changes: 1 addition & 2 deletions synapse/handlers/space_summary.py
Original file line number Diff line number Diff line change
Expand Up @@ -445,14 +445,13 @@ async def _is_room_accessible(
member_event_id = state_ids.get((EventTypes.Member, requester), None)

# If they're in the room they can see info on it.
member_event = None
if member_event_id:
member_event = await self._store.get_event(member_event_id)
if member_event.membership in (Membership.JOIN, Membership.INVITE):
return True

# Otherwise, check if they should be allowed access via membership in a space.
if self._event_auth_handler.has_restricted_join_rules(
if await self._event_auth_handler.has_restricted_join_rules(
state_ids, room_version
):
allowed_rooms = (
Expand Down
99 changes: 98 additions & 1 deletion tests/handlers/test_space_summary.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,15 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from typing import Any, Optional
from typing import Any, Iterable, Optional, Tuple
from unittest import mock

from synapse.api.errors import AuthError
from synapse.handlers.space_summary import _child_events_comparison_key
from synapse.rest import admin
from synapse.rest.client.v1 import login, room
from synapse.server import HomeServer
from synapse.types import JsonDict

from tests import unittest

Expand Down Expand Up @@ -79,3 +84,95 @@ def test_invalid_ordering_value(self):

ev1 = _create_event("!abc:test", "a" * 51)
self.assertEqual([ev2, ev1], _order(ev1, ev2))


class SpaceSummaryTestCase(unittest.HomeserverTestCase):
servlets = [
admin.register_servlets_for_client_rest_resource,
room.register_servlets,
login.register_servlets,
]

def prepare(self, reactor, clock, hs: HomeServer):
self.hs = hs
self.handler = self.hs.get_space_summary_handler()

self.user = self.register_user("user", "pass")
self.token = self.login("user", "pass")

def _add_child(self, space_id: str, room_id: str, token: str) -> None:
"""Add a child room to a space."""
self.helper.send_state(
space_id,
event_type="m.space.child",
body={"via": [self.hs.hostname]},
tok=token,
state_key=room_id,
)

def _assert_rooms(self, result: JsonDict, rooms: Iterable[str]) -> None:
"""Assert that the expected room IDs are in the response."""
self.assertCountEqual([room.get("room_id") for room in result["rooms"]], rooms)

def _assert_events(
self, result: JsonDict, events: Iterable[Tuple[str, str]]
) -> None:
"""Assert that the expected parent / child room IDs are in the response."""
self.assertCountEqual(
[
(event.get("room_id"), event.get("state_key"))
for event in result["events"]
],
events,
)

def test_simple_space(self):
"""Test a simple space with a single room."""
space = self.helper.create_room_as(self.user, tok=self.token)
room = self.helper.create_room_as(self.user, tok=self.token)
self._add_child(space, room, self.token)

result = self.get_success(self.handler.get_space_summary(self.user, space))
# The result should have the space and the room in it, along with a link
# from space -> room.
self._assert_rooms(result, [space, room])
self._assert_events(result, [(space, room)])

def test_visibility(self):
"""A user not in a space cannot inspect it."""
space = self.helper.create_room_as(self.user, tok=self.token)
room = self.helper.create_room_as(self.user, tok=self.token)
self._add_child(space, room, self.token)

user2 = self.register_user("user2", "pass")
token2 = self.login("user2", "pass")

# The user cannot see the space.
self.get_failure(self.handler.get_space_summary(user2, space), AuthError)

# Joining the room causes it to be visible.
self.helper.join(space, user2, tok=token2)
result = self.get_success(self.handler.get_space_summary(user2, space))

# The result should only has the space, but includes the link to the room.
clokep marked this conversation as resolved.
Show resolved Hide resolved
self._assert_rooms(result, [space])
self._assert_events(result, [(space, room)])

def test_world_readable(self):
"""A world-readable room is visible to everyone."""
space = self.helper.create_room_as(self.user, tok=self.token)
room = self.helper.create_room_as(self.user, tok=self.token)
self._add_child(space, room, self.token)
self.helper.send_state(
space,
event_type="m.room.history_visibility",
body={"history_visibility": "world_readable"},
tok=self.token,
)

user2 = self.register_user("user2", "pass")

# The space should be visible, as well as the link to the room.
result = self.get_success(self.handler.get_space_summary(user2, space))
self._assert_rooms(result, [space])
self._assert_events(result, [(space, room)])