Commit 3a7d7a3f authored by Paul "LeoNerd" Evans's avatar Paul "LeoNerd" Evans

Sanitise a user's powerlevel to an int() before numerical comparison, because...

Sanitise a user's powerlevel to an int() before numerical comparison, because otherwise Python is "helpful" with it (SYN-351)
parent 6080830b
...@@ -189,6 +189,12 @@ class Auth(object): ...@@ -189,6 +189,12 @@ class Auth(object):
auth_events, auth_events,
) )
# TODO(paul): There's an awful lot of int()-casting in this code;
# surely we should be squashing strings to integers at a higher
# level, maybe when we insert?
if user_level is not None:
user_level = int(user_level)
ban_level, kick_level, redact_level = ( ban_level, kick_level, redact_level = (
self._get_ops_level_from_event_state( self._get_ops_level_from_event_state(
event, event,
...@@ -269,6 +275,7 @@ class Auth(object): ...@@ -269,6 +275,7 @@ class Auth(object):
403, "You cannot kick user %s." % target_user_id 403, "You cannot kick user %s." % target_user_id
) )
elif Membership.BAN == membership: elif Membership.BAN == membership:
print "I wonder how user's level of %r compares to ban level of %r" % (user_level, ban_level)
if user_level < ban_level: if user_level < ban_level:
raise AuthError(403, "You don't have permission to ban") raise AuthError(403, "You don't have permission to ban")
else: else:
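Review bot: The new `int(user_level)` cast is guarded only by `is not None`, so a stored power level that is not numeric (a non-digit string, a list, a dict) raises ValueError or TypeError from inside the auth check instead of producing a clean denial; I would catch `(TypeError, ValueError)` around the cast and raise an `AuthError` with 403 there. Only `user_level` is normalised in these lines: `ban_level`, `kick_level` and `redact_level` come back from `_get_ops_level_from_event_state` and, unless that helper already casts them (not visible here), `user_level < ban_level` can still be an int-versus-string comparison, which Python 2 orders by type rather than by value. The `print` added in the BAN branch is debug output on an authorization path and should be dropped before merge. The enclosing method begins and ends outside both hunks.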
......