From 7c741e62cfa2b21b012f96e1880b9ede6959d8a5 Mon Sep 17 00:00:00 2001 From: timedout Date: Tue, 30 Dec 2025 17:30:54 +0000 Subject: [PATCH] fix: Forbid creators in power levels --- src/core/matrix/state_res/event_auth.rs | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/core/matrix/state_res/event_auth.rs b/src/core/matrix/state_res/event_auth.rs index 7fec1f6a..da3a0898 100644 --- a/src/core/matrix/state_res/event_auth.rs +++ b/src/core/matrix/state_res/event_auth.rs @@ -558,12 +558,19 @@ where // If type is m.room.power_levels if *incoming_event.event_type() == TimelineEventType::RoomPowerLevels { debug!("starting m.room.power_levels check"); - + let mut creators = BTreeSet::new(); + if room_version.explicitly_privilege_room_creators { + creators.insert(create_event.sender().to_owned()); + for creator in room_create_content.additional_creators.iter().flatten() { + creators.insert(creator.deserialize()?); + } + } match check_power_levels( room_version, incoming_event, power_levels_event.as_ref(), sender_power_level, + &creators, ) { | Some(required_pwr_lvl) => if !required_pwr_lvl { @@ -1221,8 +1228,8 @@ fn check_power_levels( power_event: &impl Event, previous_power_event: Option<&impl Event>, user_level: Int, + creators: &BTreeSet, ) -> Option { - // TODO(hydra): This function does not care about creators! match power_event.state_key() { | Some("") => {}, | Some(key) => { @@ -1287,6 +1294,10 @@ fn check_power_levels( for user in user_levels_to_check { let old_level = old_state.users.get(user); let new_level = new_state.users.get(user); + if new_level.is_some() && creators.contains(user) { + warn!("creators cannot appear in the users list of m.room.power_levels"); + return Some(false); // cannot alter creator power level + } if old_level.is_some() && new_level.is_some() && old_level == new_level { continue; }