Ensure 'deactivated' parameter is a boolean on user admin API, Fix er…

…ror handling of call to deactivate user (matrix-org#6990)
phil-flex · Mar 27, 2020 · f1e01dd · f1e01dd
1 parent 61ac743
commit f1e01dd
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/changelog.d/6990.bugfix b/changelog.d/6990.bugfix
@@ -0,0 +1 @@
+Prevent user from setting 'deactivated' to anything other than a bool on the v2 PUT /users Admin API.
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
@@ -226,13 +226,16 @@ async def on_PUT(self, request, user_id):
                     )
 
             if "deactivated" in body:
-                deactivate = bool(body["deactivated"])
+                deactivate = body["deactivated"]
+                if not isinstance(deactivate, bool):
+                    raise SynapseError(
+                        400, "'deactivated' parameter is not of type boolean"
+                    )
+
                 if deactivate and not user["deactivated"]:
-                    result = await self.deactivate_account_handler.deactivate_account(
+                    await self.deactivate_account_handler.deactivate_account(
                         target_user.to_string(), False
                     )
-                    if not result:
-                        raise SynapseError(500, "Could not deactivate user")
 
             user = await self.admin_handler.get_user(target_user)
             return 200, user