fix: Restrict suspend+lock commands to admin room

Also prevent locking the service user or admin users
timedout 2026-01-05 19:49:12 +00:00
parent 8b5e4d8fe1
commit a83c1f1513
No known key found for this signature in database
GPG key ID: 0FA334385D0B689F


@ -238,6 +238,7 @@ pub(super) async fn deactivate(&self, no_leave_rooms: bool, user_id: String) ->
#[admin_command] #[admin_command]
pub(super) async fn suspend(&self, user_id: String) -> Result { pub(super) async fn suspend(&self, user_id: String) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?; let user_id = parse_local_user_id(self.services, &user_id)?;
if user_id == self.services.globals.server_user { if user_id == self.services.globals.server_user {
@ -262,6 +263,7 @@ pub(super) async fn suspend(&self, user_id: String) -> Result {
#[admin_command] #[admin_command]
pub(super) async fn unsuspend(&self, user_id: String) -> Result { pub(super) async fn unsuspend(&self, user_id: String) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?; let user_id = parse_local_user_id(self.services, &user_id)?;
if user_id == self.services.globals.server_user { if user_id == self.services.globals.server_user {
@ -977,12 +979,22 @@ pub(super) async fn force_leave_remote_room(
#[admin_command] #[admin_command]
pub(super) async fn lock(&self, user_id: String) -> Result { pub(super) async fn lock(&self, user_id: String) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?; let user_id = parse_local_user_id(self.services, &user_id)?;
assert!( assert!(
self.services.globals.user_is_local(&user_id), self.services.globals.user_is_local(&user_id),
"Parsed user_id must be a local user" "Parsed user_id must be a local user"
); );
if user_id == self.services.globals.server_user {
return Err!("Not allowed to lock the server service account.",);
}
if !self.services.users.exists(&user_id).await {
return Err!("User {user_id} does not exist.");
}
if self.services.users.is_admin(&user_id).await {
return Err!("Admin users cannot be locked.");
}
self.services self.services
.users .users
.lock_account(&user_id, self.sender_or_service_user()) .lock_account(&user_id, self.sender_or_service_user())
@ -994,12 +1006,12 @@ pub(super) async fn lock(&self, user_id: String) -> Result {
#[admin_command] #[admin_command]
pub(super) async fn unlock(&self, user_id: String) -> Result { pub(super) async fn unlock(&self, user_id: String) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?; let user_id = parse_local_user_id(self.services, &user_id)?;
assert!( assert!(
self.services.globals.user_is_local(&user_id), self.services.globals.user_is_local(&user_id),
"Parsed user_id must be a local user" "Parsed user_id must be a local user"
); );
self.services.users.unlock_account(&user_id).await; self.services.users.unlock_account(&user_id).await;
self.write_str(&format!("User {user_id} has been unlocked.")) self.write_str(&format!("User {user_id} has been unlocked."))