State-reset and security mitigations.

Upgrade Ruma to present. The following are intentionally benign for activation in a later commit: - Hydra backports not default. - Room version 12 not default. - Room version 12 not listed as stable. Do not enable them manually or you can brick your database. Signed-off-by: Jason Volk <jason@zemos.net>
2025-06-29 03:33:29 +00:00
parent 2c6dd78502
commit 628597c318
134 changed files with 14961 additions and 4935 deletions
--- a/src/service/rooms/timeline/append.rs
+++ b/src/service/rooms/timeline/append.rs
@@ -7,12 +7,11 @@ use futures::StreamExt;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedUserId, RoomId, RoomVersionId, UserId,
 	events::{
-		GlobalAccountDataEventType, StateEventType, TimelineEventType,
+		GlobalAccountDataEventType, TimelineEventType,
 		push_rules::PushRulesEvent,
 		room::{
 			encrypted::Relation,
 			member::{MembershipState, RoomMemberEventContent},
-			power_levels::RoomPowerLevelsEventContent,
 			redaction::RoomRedactionEventContent,
 		},
 	},
@@ -186,14 +185,6 @@ where

 	drop(insert_lock);

-	// See if the event matches any known pushers via power level
-	let power_levels: RoomPowerLevelsEventContent = self
-		.services
-		.state_accessor
-		.room_state_get_content(pdu.room_id(), &StateEventType::RoomPowerLevels, "")
-		.await
-		.unwrap_or_default();
-
 	// Don't notify the sender of their own events, and dont send from ignored users
 	let mut push_target: HashSet<_> = self
 		.services
@@ -245,6 +236,12 @@ where
 		let mut highlight = false;
 		let mut notify = false;

+		let power_levels = self
+			.services
+			.state_accessor
+			.get_power_levels(pdu.room_id())
+			.await?;
+
 		for action in self
 			.services
 			.pusher