test_power_levels.py 6.7 KB

  1. # -*- coding: utf-8 -*-
  2. # Copyright 2020 The Matrix.org Foundation C.I.C.
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. from synapse.rest import admin
  16. from synapse.rest.client.v1 import login, room
  17. from synapse.rest.client.v2_alpha import sync
  18. from tests.unittest import HomeserverTestCase
  class PowerLevelsTestCase(HomeserverTestCase):
      """Verify that power levels gate who may send sensitive room state events.

      The fixture room is created by an "admin" user and joined by a "mod" user,
      who is then raised to power level 50, and by a plain "user". Each test
      sends one of ``m.room.encryption``, ``m.room.server_acl`` or
      ``m.room.tombstone`` and checks the HTTP status: 403 for the moderator and
      the plain user, 200 for the room creator. The moderator cases therefore pin
      that power level 50 is not sufficient for these event types.

      NOTE(review): the rejection tests assert on the status code only; they do
      not read room state back to confirm the rejected event was not stored.
      """

      servlets = [
          admin.register_servlets,
          room.register_servlets,
          login.register_servlets,
          sync.register_servlets,
      ]

      def make_homeserver(self, reactor, clock):
          """Build the test homeserver from the unmodified default config."""
          return self.setup_test_homeserver(config=self.default_config())

      def prepare(self, reactor, clock, hs):
          """Create the three accounts and the shared room used by every test."""
          # Three roles: room creator ("admin"), moderator and ordinary member.
          self.admin_user_id = self.register_user("admin", "pass")
          self.admin_access_token = self.login("admin", "pass")

          self.mod_user_id = self.register_user("mod", "pass")
          self.mod_access_token = self.login("mod", "pass")

          self.user_user_id = self.register_user("user", "pass")
          self.user_access_token = self.login("user", "pass")

          # The admin creates the room, so the admin token is the privileged one.
          self.room_id = self.helper.create_room_as(
              self.admin_user_id, tok=self.admin_access_token
          )

          # Admin invites the moderator first, then the ordinary user.
          for invitee in (self.mod_user_id, self.user_user_id):
              self.helper.invite(
                  room=self.room_id,
                  src=self.admin_user_id,
                  tok=self.admin_access_token,
                  targ=invitee,
              )

          # Both invitees accept, in the same order.
          self.helper.join(
              room=self.room_id, user=self.mod_user_id, tok=self.mod_access_token
          )
          self.helper.join(
              room=self.room_id, user=self.user_user_id, tok=self.user_access_token
          )

          # Fetch the current power levels and write them back with the
          # moderator raised to PL50; every other entry is left as it was.
          power_levels = self.helper.get_state(
              self.room_id, "m.room.power_levels", tok=self.admin_access_token,
          )
          power_levels["users"][self.mod_user_id] = 50
          self.helper.send_state(
              self.room_id,
              "m.room.power_levels",
              power_levels,
              tok=self.admin_access_token,
          )

      def test_non_admins_cannot_enable_room_encryption(self):
          """The moderator and the plain user are both refused m.room.encryption."""
          # Moderator first, then the ordinary user.
          for token in (self.mod_access_token, self.user_access_token):
              self.helper.send_state(
                  self.room_id,
                  "m.room.encryption",
                  {"algorithm": "m.megolm.v1.aes-sha2"},
                  tok=token,
                  expect_code=403,  # expect failure
              )

      def test_non_admins_cannot_send_server_acl(self):
          """The moderator and the plain user are both refused m.room.server_acl."""
          # Moderator first, then the ordinary user.
          for token in (self.mod_access_token, self.user_access_token):
              acl_content = {
                  "allow": ["*"],
                  "allow_ip_literals": False,
                  "deny": ["*.evil.com", "evil.com"],
              }
              self.helper.send_state(
                  self.room_id,
                  "m.room.server_acl",
                  acl_content,
                  tok=token,
                  expect_code=403,  # expect failure
              )

      def test_non_admins_cannot_tombstone_room(self):
          """The moderator and the plain user are both refused m.room.tombstone."""
          # A second room stands in for the "upgraded room" the tombstone names.
          self.upgraded_room_id = self.helper.create_room_as(
              self.admin_user_id, tok=self.admin_access_token
          )

          # Moderator first, then the ordinary user.
          for token in (self.mod_access_token, self.user_access_token):
              tombstone_content = {
                  "body": "This room has been replaced",
                  "replacement_room": self.upgraded_room_id,
              }
              self.helper.send_state(
                  self.room_id,
                  "m.room.tombstone",
                  tombstone_content,
                  tok=token,
                  expect_code=403,  # expect failure
              )

      def test_admins_can_enable_room_encryption(self):
          """The room creator is allowed to send m.room.encryption."""
          encryption_content = {"algorithm": "m.megolm.v1.aes-sha2"}
          self.helper.send_state(
              self.room_id,
              "m.room.encryption",
              encryption_content,
              tok=self.admin_access_token,
              expect_code=200,  # expect success
          )

      def test_admins_can_send_server_acl(self):
          """The room creator is allowed to send m.room.server_acl."""
          acl_content = {
              "allow": ["*"],
              "allow_ip_literals": False,
              "deny": ["*.evil.com", "evil.com"],
          }
          self.helper.send_state(
              self.room_id,
              "m.room.server_acl",
              acl_content,
              tok=self.admin_access_token,
              expect_code=200,  # expect success
          )

      def test_admins_can_tombstone_room(self):
          """The room creator is allowed to send m.room.tombstone."""
          # A second room stands in for the "upgraded room" the tombstone names.
          self.upgraded_room_id = self.helper.create_room_as(
              self.admin_user_id, tok=self.admin_access_token
          )

          tombstone_content = {
              "body": "This room has been replaced",
              "replacement_room": self.upgraded_room_id,
          }
          self.helper.send_state(
              self.room_id,
              "m.room.tombstone",
              tombstone_content,
              tok=self.admin_access_token,
              expect_code=200,  # expect success
          )