
tuwunel_api/client/admin/
mod.rs

1mod get_nonce;
2mod is_user_locked;
3mod is_user_suspended;
4mod lock_user;
5pub(crate) mod mas;
6mod register;
7mod suspend_user;
8
9use futures::future::join3;
10use ruma::UserId;
11use tuwunel_core::{Err, Result};
12
13pub(crate) use self::{
14	get_nonce::admin_register_nonce_route, is_user_locked::is_user_locked_route,
15	is_user_suspended::is_user_suspended_route, lock_user::lock_user_route,
16	register::admin_register_route, suspend_user::suspend_user_route,
17};
18
/// Shared gate for the MSC4323 admin endpoints: decides whether `caller` may
/// act on `target`.
///
/// Checks run in a fixed order and the first failure is returned:
/// 1. `caller == target` -> `Forbidden` (plain id comparison, no lookup).
/// 2. `target` is not local to this server -> `InvalidParam`.
/// 3. `caller` is not a server administrator -> `Forbidden`.
/// 4. `target` is not an active account -> `NotFound`.
/// 5. `target` is a server administrator -> `Forbidden`.
///
/// Step 3 is evaluated before step 4 so that a non-admin caller gets the same
/// `Forbidden` answer whether or not the target account exists
/// (anti-enumeration, per MSC4323).
///
/// NOTE(review): the three lookups are awaited together through `join3`, so
/// the target lookups are still issued for callers that turn out not to be
/// admins. The response body does not reveal their outcome; whether response
/// timing could is not visible from this function. Awaiting the caller check
/// on its own first would remove the question. TODO confirm.
async fn authorize(services: &crate::State, caller: &UserId, target: &UserId) -> Result {
	// Needs no service call, so it is settled before anything else.
	if caller == target {
		return Err!(Request(Forbidden("You cannot suspend or lock your own account")));
	}

	// Decided before the caller's admin status is consulted.
	let target_is_local = services.globals.user_is_local(target);
	if !target_is_local {
		return Err!(Request(InvalidParam("User is not local to this server")));
	}

	// Run the three lookups concurrently; the results are inspected below.
	let caller_lookup = services.admin.user_is_admin(caller);
	let active_lookup = services.users.is_active(target);
	let target_lookup = services.admin.user_is_admin(target);
	let outcome = join3(caller_lookup, active_lookup, target_lookup).await;

	// Tuple order: (caller is admin, target is active, target is admin).
	// Arm order is the security-relevant part: the caller's privilege is
	// judged before anything about the target is reported.
	match outcome {
		| (false, ..) =>
			Err!(Request(Forbidden("Only server administrators can use this endpoint"))),
		| (true, false, _) => Err!(Request(NotFound("Unknown user"))),
		| (true, true, true) => Err!(Request(Forbidden(
			"You cannot suspend or lock another server administrator"
		))),
		| (true, true, false) => Ok(()),
	}
}