
Commit cb35df9

authored
Merge pull request from GHSA-jj53-8fmw-f2w2
1 parent 52c7a51 commit cb35df9


2 files changed

+59
-2
lines changed


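--- a/synapse/groups/groups_server.py
+++ b/synapse/groups/groups_server.py
@@ -332,6 +332,13 @@ async def get_rooms_in_group(
             requester_user_id, group_id
         )
 
+        # Note! room_results["is_public"] is about whether the room is considered
+        # public from the group's point of view. (i.e. whether non-group members
+        # should be able to see the room is in the group).
+        # This is not the same as whether the room itself is public (in the sense
+        # of being visible in the room directory).
+        # As such, room_results["is_public"] itself is not sufficient to determine
+        # whether any given user is permitted to see the room's metadata.
         room_results = await self.store.get_rooms_in_group(
             group_id, include_private=is_user_in_group
         )
@@ -341,8 +348,15 @@ async def get_rooms_in_group(
             room_id = room_result["room_id"]
 
             joined_users = await self.store.get_users_in_room(room_id)
+
+            # check the user is actually allowed to see the room before showing it to them
+            allow_private = requester_user_id in joined_users
+
             entry = await self.room_list_handler.generate_room_entry(
-                room_id, len(joined_users), with_alias=False, allow_private=True
+                room_id,
+                len(joined_users),
+                with_alias=False,
+                allow_private=allow_private,
             )
 
             if not entry:
@@ -354,7 +368,7 @@ async def get_rooms_in_group(
 
         chunk.sort(key=lambda e: -e["num_joined_members"])
 
-        return {"chunk": chunk, "total_room_count_estimate": len(room_results)}
+        return {"chunk": chunk, "total_room_count_estimate": len(chunk)}
 
 
 class GroupsServerHandler(GroupsServerWorkerHandler):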
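Review bot: The return value's semantics change at new line 371 — `total_room_count_estimate` now counts only the rooms the requester is permitted to see rather than every room the store returned for the group — but nothing in the hunk documents that, and the docstring of get_rooms_in_group lies outside the hunk, so I would add a sentence there such as `The returned chunk and total_room_count_estimate cover only rooms whose metadata the requester may view; rooms they may not see are omitted rather than counted.` The gate at new line 353 derives `allow_private` from current joined membership alone, so an invited-but-not-yet-joined requester presumably falls back to whatever generate_room_entry permits with allow_private=False; if that is the intended behaviour it is worth stating in the comment at 352, e.g. `# only current members may see private-room metadata; everyone else gets the public-visibility check in generate_room_entry`. The enclosing method starts before the first hunk, so its signature and docstring are not visible here.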
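--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,43 @@
+from synapse.rest.client.v1 import room
+from synapse.rest.client.v2_alpha import groups
+
+from tests import unittest
+from tests.unittest import override_config
+
+
+class GroupsTestCase(unittest.HomeserverTestCase):
+    user_id = "@alice:test"
+    room_creator_user_id = "@bob:test"
+
+    servlets = [room.register_servlets, groups.register_servlets]
+
+    @override_config({"enable_group_creation": True})
+    def test_rooms_limited_by_visibility(self):
+        group_id = "+spqr:test"
+
+        # Alice creates a group
+        channel = self.make_request("POST", "/create_group", {"localpart": "spqr"})
+        self.assertEquals(channel.code, 200, msg=channel.text_body)
+        self.assertEquals(channel.json_body, {"group_id": group_id})
+
+        # Bob creates a private room
+        room_id = self.helper.create_room_as(self.room_creator_user_id, is_public=False)
+        self.helper.auth_user_id = self.room_creator_user_id
+        self.helper.send_state(
+            room_id, "m.room.name", {"name": "bob's secret room"}, tok=None
+        )
+        self.helper.auth_user_id = self.user_id
+
+        # Alice adds the room to her group.
+        channel = self.make_request(
+            "PUT", f"/groups/{group_id}/admin/rooms/{room_id}", {}
+        )
+        self.assertEquals(channel.code, 200, msg=channel.text_body)
+        self.assertEquals(channel.json_body, {})
+
+        # Alice now tries to retrieve the room list of the space.
+        channel = self.make_request("GET", f"/groups/{group_id}/rooms")
+        self.assertEquals(channel.code, 200, msg=channel.text_body)
+        self.assertEquals(
+            channel.json_body, {"chunk": [], "total_room_count_estimate": 0}
+        )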
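Review bot: The test pins only the negative case — a group admin who is not joined to the private room gets an empty `chunk` and an estimate of 0 — so a regression that hides private rooms from everyone, including their members, would still pass. A second step in which Bob invites Alice, Alice joins the room, and the same GET is repeated expecting the room in `chunk` with `"total_room_count_estimate": 1` would pin the intended behaviour from both sides without needing a second requester. The comment at line 38 says "the space" where the rest of the test says "group"; `# Alice now tries to retrieve the room list of the group.` matches the API under test. `assertEquals` is a deprecated alias of `assertEqual` (removed in Python 3.12); switching to the supported spelling avoids warnings on newer interpreters.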
