diff --git a/changelog.d/18518.bugfix b/changelog.d/18518.bugfix
new file mode 100644
index 00000000000..959528d7c84
--- /dev/null
+++ b/changelog.d/18518.bugfix
@@ -0,0 +1 @@
+Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token.
\ No newline at end of file
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index ccd34d17d80..807a9cad5b2 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -1144,6 +1144,7 @@ def __init__(self, hs: "HomeServer"):
 self.store = hs.get_datastores().main
 self.auth = hs.get_auth()
 self.auth_handler = hs.get_auth_handler()
+ self.admin_handler = hs.get_admin_handler()
 self.is_mine_id = hs.is_mine_id
 
 async def on_POST(
@@ -1158,6 +1159,12 @@ async def on_POST(
 HTTPStatus.BAD_REQUEST, "Only local users can be logged in as"
 )
 
+ # Validate user_id
+ UserID.from_string(user_id)
+ _user_info_dict = await self.store.get_user_by_id(user_id)
+ if not _user_info_dict:
+ raise NotFoundError("User not found")
+
 body = parse_json_object_from_request(request, allow_empty_body=True)
 
 valid_until_ms = body.get("valid_until_ms")
diff --git a/tests/rest/admin/test_user.py b/tests/rest/admin/test_user.py
index 6d0584fa63e..72937df9a63 100644
--- a/tests/rest/admin/test_user.py
+++ b/tests/rest/admin/test_user.py
@@ -4288,6 +4288,17 @@ def test_not_admin(self) -> None:
 self.assertEqual(403, channel.code, msg=channel.json_body)
 
+ def test_no_user(self) -> None:
+ """Try to log in as a user that doesn't exist."""
+ channel = self.make_request(
+ "POST",
+ "/_synapse/admin/v1/users/%s/login" % urllib.parse.quote("@ghost:test"),
+ b"{}",
+ access_token=self.admin_user_tok,
+ )
+ self.assertEqual(404, channel.code, msg=channel.json_body)
+ self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])
+
 def test_send_event(self) -> None:
 """Test that sending event as a user works."""
 # Create a room.
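Review bot: `self.admin_handler = hs.get_admin_handler()` is added to `__init__` but nothing else in this diff reads `self.admin_handler`; the new existence check in `on_POST` goes through `self.store.get_user_by_id` instead. If the handler is not needed the line should be dropped rather than left as an unused attribute, and if a follow-up will use it a short comment saying so would save the next reader the question. The enclosing `__init__` begins outside the hunk.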
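Review bot: `UserID.from_string(user_id)` discards its result, so a reader cannot tell that the call is there only for the error it raises on a malformed ID; replacing `# Validate user_id` with `# Raises on a malformed user ID; the parsed value itself is not needed` would make that explicit. The local `_user_info_dict` should also lose its leading underscore, since the value is read on the very next line, e.g. `user_info = await self.store.get_user_by_id(user_id)` followed by `if not user_info:`. The new check rejects only a missing user; any other row `get_user_by_id` returns — presumably including a deactivated or locked account — still reaches the token issuance below, so whether an admin should be able to obtain a token for such an account is worth confirming and documenting here. The enclosing `on_POST` starts and ends outside the hunk.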