Block attempts to annotate the same event twice

c7ec06e8 · Erik Johnston · 24b93b9c · c7ec06e8 · c7ec06e8 · c7ec06e8
Commit c7ec06e8 authored 5 years ago by Erik Johnston
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -22,7 +22,7 @@ from canonicaljson import encode_canonical_json, json
 from twisted.internet import defer
 from twisted.internet.defer import succeed

-from synapse.api.constants import EventTypes, Membership
+from synapse.api.constants import EventTypes, Membership, RelationTypes
 from synapse.api.errors import (
    AuthError,
    Codes,
@@ -601,6 +601,20 @@ class EventCreationHandler(object):

        self.validator.validate_new(event)

+        # We now check that if this event is an annotation that the can't
+        # annotate the same way twice (e.g. stops users from liking an event
+        # multiple times).
+        relation = event.content.get("m.relates_to", {})
+        if relation.get("rel_type") == RelationTypes.ANNOTATION:
+            relates_to = relation["event_id"]
+            aggregation_key = relation["key"]
+
+            already_exists = yield self.store.has_user_annotated_event(
+                relates_to, event.type, aggregation_key, event.sender,
+            )
+            if already_exists:
+                raise SynapseError(400, "Can't send same reaction twice")
+
        logger.debug(
            "Created event %s",
            event.event_id,

--- a/synapse/storage/relations.py
+++ b/synapse/storage/relations.py
@@ -350,9 +350,7 @@ class RelationsWorkerStore(SQLBaseStore):
        """

        def _get_applicable_edit_txn(txn):
-            txn.execute(
-                sql, (event_id, RelationTypes.REPLACE,)
-            )
+            txn.execute(sql, (event_id, RelationTypes.REPLACE))
            row = txn.fetchone()
            if row:
                return row[0]
@@ -367,6 +365,50 @@ class RelationsWorkerStore(SQLBaseStore):
        edit_event = yield self.get_event(edit_id, allow_none=True)
        defer.returnValue(edit_event)

+    def has_user_annotated_event(self, parent_id, event_type, aggregation_key, sender):
+        """Check if a user has already annotated an event with the same key
+        (e.g. already liked an event).
+
+        Args:
+            parent_id (str): The event being annotated
+            event_type (str): The event type of the annotation
+            aggregation_key (str): The aggregation key of the annotation
+            sender (str): The sender of the annotation
+
+        Returns:
+            Deferred[bool]
+        """
+
+        sql = """
+            SELECT 1 FROM event_relations
+            INNER JOIN events USING (event_id)
+            WHERE
+                relates_to_id = ?
+                AND relation_type = ?
+                AND type = ?
+                AND sender = ?
+                AND aggregation_key = ?
+            LIMIT 1;
+        """
+
+        def _get_if_user_has_annotated_event(txn):
+            txn.execute(
+                sql,
+                (
+                    parent_id,
+                    RelationTypes.ANNOTATION,
+                    event_type,
+                    sender,
+                    aggregation_key,
+                ),
+            )
+
+            return bool(txn.fetchone())
+
+        return self.runInteraction(
+            "get_if_user_has_annotated_event", _get_if_user_has_annotated_event
+        )
+

 class RelationsStore(RelationsWorkerStore):
    def _handle_event_relations(self, txn, event):

--- a/tests/rest/client/v2_alpha/test_relations.py
+++ b/tests/rest/client/v2_alpha/test_relations.py
@@ -90,6 +90,15 @@ class RelationsTestCase(unittest.HomeserverTestCase):
        channel = self._send_relation(RelationTypes.ANNOTATION, EventTypes.Member)
        self.assertEquals(400, channel.code, channel.json_body)

+    def test_deny_double_react(self):
+        """Test that we deny relations on membership events
+        """
+        channel = self._send_relation(RelationTypes.ANNOTATION, "m.reaction", "a")
+        self.assertEquals(200, channel.code, channel.json_body)
+
+        channel = self._send_relation(RelationTypes.ANNOTATION, "m.reaction", "a")
+        self.assertEquals(400, channel.code, channel.json_body)
+
    def test_basic_paginate_relations(self):
        """Tests that calling pagination API corectly the latest relations.
        """
@@ -234,14 +243,30 @@ class RelationsTestCase(unittest.HomeserverTestCase):
        """Test that we can paginate within an annotation group.
        """

+        # We need to create ten separate users to send each reaction.
+        access_tokens = [self.user_token, self.user2_token]
+        idx = 0
+        while len(access_tokens) < 10:
+            user_id, token = self._create_user("test" + str(idx))
+            idx += 1
+
+            self.helper.join(self.room, user=user_id, tok=token)
+            access_tokens.append(token)
+
+        idx = 0
        expected_event_ids = []
        for _ in range(10):
            channel = self._send_relation(
-                RelationTypes.ANNOTATION, "m.reaction", key=u"👍"
+                RelationTypes.ANNOTATION,
+                "m.reaction",
+                key=u"👍",
+                access_token=access_tokens[idx],
            )
            self.assertEquals(200, channel.code, channel.json_body)
            expected_event_ids.append(channel.json_body["event_id"])

+            idx += 1
+
        # Also send a different type of reaction so that we test we don't see it
        channel = self._send_relation(RelationTypes.ANNOTATION, "m.reaction", key="a")
        self.assertEquals(200, channel.code, channel.json_body)