mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-07 17:03:01 +03:00

Restrict displayname and email changes of users

This allows users to change their displayname and email only if the
config allows it
Quentin Gliech
2024-03-29 14:28:54 +01:00
parent e080932906
commit ae1f244b28
2 changed files with 23 additions and 2 deletions


@@ -1,4 +1,4 @@
// Copyright 2023 The Matrix.org Foundation C.I.C. // Copyright 2023, 2024 The Matrix.org Foundation C.I.C.
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
@@ -87,6 +87,11 @@ impl MatrixMutations {
return Err(async_graphql::Error::new("Unauthorized")); return Err(async_graphql::Error::new("Unauthorized"));
} }
// Allow non-admins to change their display name if the site config allows it
if !requester.is_admin() && !state.site_config().displayname_change_allowed {
return Err(async_graphql::Error::new("Unauthorized"));
}
let mut repo = state.repository().await?; let mut repo = state.repository().await?;
let user = repo let user = repo
.user() .user()
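Review bot: Nothing in this commit tests the new deny path in the display-name mutation: the diffstat lists only the two resolver files, so no test pins that a non-admin is rejected when `displayname_change_allowed` is false while an admin still passes. This guard appears to be the server-side enforcement point for the setting, so a regression here would quietly re-enable self-service display name changes; one test per case (non-admin denied, admin allowed, non-admin allowed when the flag is true) would cover it. The comment above the guard also reads as an allow rule while the branch denies; `// Reject non-admins when the site config disables display name changes` matches the code. The enclosing mutation starts and ends outside the hunk.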


@@ -1,4 +1,4 @@
// Copyright 2023 The Matrix.org Foundation C.I.C. // Copyright 2023, 2024 The Matrix.org Foundation C.I.C.
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
@@ -389,6 +389,11 @@ impl UserEmailMutations {
return Err(async_graphql::Error::new("Unauthorized")); return Err(async_graphql::Error::new("Unauthorized"));
} }
// Allow non-admins to change their email address if the site config allows it
if !requester.is_admin() && !state.site_config().email_change_allowed {
return Err(async_graphql::Error::new("Unauthorized"));
}
// Only admins can skip validation // Only admins can skip validation
if (input.skip_verification.is_some() || input.skip_policy_check.is_some()) if (input.skip_verification.is_some() || input.skip_policy_check.is_some())
&& !requester.is_admin() && !requester.is_admin()
@@ -600,6 +605,11 @@ impl UserEmailMutations {
return Ok(RemoveEmailPayload::NotFound); return Ok(RemoveEmailPayload::NotFound);
} }
// Allow non-admins to remove their email address if the site config allows it
if !requester.is_admin() && !state.site_config().email_change_allowed {
return Err(async_graphql::Error::new("Unauthorized"));
}
let user = repo let user = repo
.user() .user()
.lookup(user_email.user_id) .lookup(user_email.user_id)
@@ -644,6 +654,12 @@ impl UserEmailMutations {
return Err(async_graphql::Error::new("Unauthorized")); return Err(async_graphql::Error::new("Unauthorized"));
} }
// Allow non-admins to change their primary email address if the site config
// allows it
if !requester.is_admin() && !state.site_config().email_change_allowed {
return Err(async_graphql::Error::new("Unauthorized"));
}
if user_email.confirmed_at.is_none() { if user_email.confirmed_at.is_none() {
return Ok(SetPrimaryEmailPayload::Unverified); return Ok(SetPrimaryEmailPayload::Unverified);
} }
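Review bot: The same guard, `!requester.is_admin() && !state.site_config().email_change_allowed`, is copied into three resolvers of `UserEmailMutations` (the hunks at -389, -600 and -644), so any email mutation added later has to remember to repeat it. Moving it into one private helper that returns the `Unauthorized` error, and calling that helper from each resolver, would keep the policy in a single place. Placement is also uneven: in the -600 hunk the guard sits after the `RemoveEmailPayload::NotFound` return, so with changes disabled a non-admin presumably gets `NotFound` or `Unauthorized` depending on how the lookup went, whereas the other two hunks check right after the authorization test. Whether other code paths that modify a user's emails honour the flag cannot be seen from this page. All three functions continue outside their hunks.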