magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix lockdown_public_room_directory bypass, add appservice exclusion

Browse source 
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-10-24 21:38:26 -04:00
parent 30e3e45f9f
commit 9761e2f10c
No known key found for this signature in database
2 changed files with 33 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/api/client/directory.rs
View file

@ -137,7 +137,10 @@ pub(crate) async fn set_room_visibility_route(
match &body.visibility { match &body.visibility {
room::Visibility::Public => { room::Visibility::Public => {
if services.globals.config.lockdown_public_room_directory && !services.users.is_admin(sender_user)? { if services.globals.config.lockdown_public_room_directory
&& !services.users.is_admin(sender_user)?
&& body.appservice_info.is_none()
{
info!( info!(
"Non-admin user {sender_user} tried to publish {0} to the room directory while \ "Non-admin user {sender_user} tried to publish {0} to the room directory while \
\"lockdown_public_room_directory\" is enabled", \"lockdown_public_room_directory\" is enabled",

30
src/api/client/room.rs
View file

@ -1,7 +1,7 @@
use std::{cmp::max, collections::BTreeMap}; use std::{cmp::max, collections::BTreeMap};
use axum::extract::State; use axum::extract::State;
use conduit::{debug_info, debug_warn, err}; use conduit::{debug_info, debug_warn, err, Err};
use ruma::{ use ruma::{
api::client::{ api::client::{
error::ErrorKind, error::ErrorKind,
@ -64,6 +64,7 @@ const TRANSFERABLE_STATE_EVENTS: &[StateEventType; 9] = &[
/// - Send events listed in initial state /// - Send events listed in initial state
/// - Send events implied by `name` and `topic` /// - Send events implied by `name` and `topic`
/// - Send invite events /// - Send invite events
#[allow(clippy::large_stack_frames)]
pub(crate) async fn create_room_route( pub(crate) async fn create_room_route(
State(services): State<crate::State>, body: Ruma<create_room::v3::Request>, State(services): State<crate::State>, body: Ruma<create_room::v3::Request>,
) -> Result<create_room::v3::Response> { ) -> Result<create_room::v3::Response> {
@ -92,6 +93,28 @@ pub(crate) async fn create_room_route(
)); ));
} }
if body.visibility == room::Visibility::Public
&& services.globals.config.lockdown_public_room_directory
&& !services.users.is_admin(sender_user)?
&& body.appservice_info.is_none()
{
info!(
"Non-admin user {sender_user} tried to publish {0} to the room directory while \
\"lockdown_public_room_directory\" is enabled",
&room_id
);
services
.admin
.send_text(&format!(
"Non-admin user {sender_user} tried to publish {0} to the room directory while \
\"lockdown_public_room_directory\" is enabled",
&room_id
))
.await;
return Err!(Request(Forbidden("Publishing rooms to the room directory is not allowed")));
}
let _short_id = services.rooms.short.get_or_create_shortroomid(&room_id)?; let _short_id = services.rooms.short.get_or_create_shortroomid(&room_id)?;
let state_lock = services.rooms.state.mutex.lock(&room_id).await; let state_lock = services.rooms.state.mutex.lock(&room_id).await;
@ -450,6 +473,11 @@ pub(crate) async fn create_room_route(
if body.visibility == room::Visibility::Public { if body.visibility == room::Visibility::Public {
services.rooms.directory.set_public(&room_id)?; services.rooms.directory.set_public(&room_id)?;
services
.admin
.send_text(&format!("{sender_user} made {} public to the room directory", &room_id))
.await;
info!("{sender_user} made {0} public to the room directory", &room_id);
} }
info!("{sender_user} created a room with room ID {room_id}"); info!("{sender_user} created a room with room ID {room_id}");