diff --git a/changelog.d/18518.bugfix b/changelog.d/18518.bugfix
new file mode 100644
index 00000000000..959528d7c84
--- /dev/null
+++ b/changelog.d/18518.bugfix
@@ -0,0 +1 @@
+Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token.
\ No newline at end of file
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index d6725eed8e6..50ea52b865c 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -1068,6 +1068,7 @@ def __init__(self, hs: "HomeServer"):
         self.store = hs.get_datastores().main
         self.auth = hs.get_auth()
         self.auth_handler = hs.get_auth_handler()
+        self.admin_handler = hs.get_admin_handler()
         self.is_mine_id = hs.is_mine_id
 
     async def on_POST(
@@ -1082,6 +1083,10 @@ async def on_POST(
                 HTTPStatus.BAD_REQUEST, "Only local users can be logged in as"
             )
 
+        _user_info_dict = await self.admin_handler.get_user(UserID.from_string(user_id))
+        if not _user_info_dict:
+            raise NotFoundError("User not found")
+
         body = parse_json_object_from_request(request, allow_empty_body=True)
         valid_until_ms = body.get("valid_until_ms")
 
diff --git a/tests/rest/admin/test_user.py b/tests/rest/admin/test_user.py
index 5f73dbdc4a8..8f88b44eb2b 100644
--- a/tests/rest/admin/test_user.py
+++ b/tests/rest/admin/test_user.py
@@ -4279,6 +4279,17 @@ def test_not_admin(self) -> None:
         self.assertEqual(403, channel.code, msg=channel.json_body)
 
+    def test_no_user(self) -> None:
+        """Try to log in as a user that doesn't exist."""
+        channel = self.make_request(
+            "POST",
+            "/_synapse/admin/v1/users/%s/login" % urllib.parse.quote("@ghost:test"),
+            b"{}",
+            access_token=self.admin_user_tok,
+        )
+        self.assertEqual(404, channel.code, msg=channel.json_body)
+        self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])
+
     def test_send_event(self) -> None:
         """Test that sending event as a user works."""
         # Create a room.
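Review bot: The `_user_info_dict` local added in the on_POST hunk of synapse/rest/admin/users.py is only ever used for a truthiness test, and its leading underscore reads as an unused or private name; `user_info = await self.admin_handler.get_user(UserID.from_string(user_id))` followed by `if not user_info:` says the same thing more plainly. A one-line why-comment above the lookup would also help the next maintainer, e.g. `# Refuse before parsing the body: issuing a token for a nonexistent local user would mint a credential with no account behind it.` If `get_user` also returns entries for deactivated accounts (not visible in this hunk), the guard still lets an admin obtain a token for a deactivated user, so it is worth confirming whether that is intended and, if not, checking the deactivated state from the same lookup instead of discarding its result. on_POST continues outside the hunk, and the new lines rely on `NotFoundError` and `UserID` already being imported in this module since the commit adds no import.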