fix: permission checks for aliases

2024-06-11 23:15:02 +02:00 · 2024-06-11 23:15:02 +02:00 · 144d548ef7
commit 144d548ef7
parent 7b259272ce
10 changed files with 168 additions and 51 deletions
--- a/src/api/client_server/alias.rs
+++ b/src/api/client_server/alias.rs
@ -18,6 +18,8 @@ use ruma::{
 pub async fn create_alias_route(
    body: Ruma<create_alias::v3::Request>,
 ) -> Result<create_alias::v3::Response> {
+    let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+
    if body.room_alias.server_name() != services().globals.server_name() {
        return Err(Error::BadRequest(
            ErrorKind::InvalidParam,
@ -55,7 +57,7 @@ pub async fn create_alias_route(
    services()
        .rooms
        .alias
-        .set_alias(&body.room_alias, &body.room_id)?;
+        .set_alias(&body.room_alias, &body.room_id, sender_user)?;

    Ok(create_alias::v3::Response::new())
 }
@ -64,11 +66,12 @@ pub async fn create_alias_route(
 ///
 /// Deletes a room alias from this server.
 ///
-/// - TODO: additional access control checks
 /// - TODO: Update canonical alias event
 pub async fn delete_alias_route(
    body: Ruma<delete_alias::v3::Request>,
 ) -> Result<delete_alias::v3::Response> {
+    let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+
    if body.room_alias.server_name() != services().globals.server_name() {
        return Err(Error::BadRequest(
            ErrorKind::InvalidParam,
@ -94,7 +97,10 @@ pub async fn delete_alias_route(
        ));
    }

-    services().rooms.alias.remove_alias(&body.room_alias)?;
+    services()
+        .rooms
+        .alias
+        .remove_alias(&body.room_alias, sender_user)?;

    // TODO: update alt_aliases?

--- a/src/api/client_server/room.rs
+++ b/src/api/client_server/room.rs
@ -485,7 +485,10 @@ pub async fn create_room_route(

    // Homeserver specific stuff
    if let Some(alias) = alias {
-        services().rooms.alias.set_alias(&alias, &room_id)?;
+        services()
+            .rooms
+            .alias
+            .set_alias(&alias, &room_id, sender_user)?;
    }

    if body.visibility == room::Visibility::Public {
@ -815,7 +818,7 @@ pub async fn upgrade_room_route(
        services()
            .rooms
            .alias
-            .set_alias(&alias, &replacement_room)?;
+            .set_alias(&alias, &replacement_room, sender_user)?;
    }

    // Get the old room power levels