fix: Restore functionality of require_auth_for_profile_requests

2026-05-26 20:49:55 +00:00 · 2026-05-20 11:54:09 -04:00
parent 4968d4c8b7
commit 1cd0228d87
1 changed files with 17 additions and 4 deletions
@@ -9,6 +9,7 @@ use ruma::{
 			AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,
 			AuthScheme, NoAccessToken, NoAuthentication,
 		},
+		client,
 		federation::authentication::ServerSignatures,
 	},
 };
@@ -116,10 +117,9 @@ impl CheckAuth for AccessToken {
 					.await
 					.is_ok_and(std::convert::identity)
 				{
-					if !(route == TypeId::of::<ruma::api::client::session::logout::v3::Request>()
-						|| route
-							== TypeId::of::<ruma::api::client::session::logout_all::v3::Request>(
-							)) {
+					if !(route == TypeId::of::<client::session::logout::v3::Request>()
+						|| route == TypeId::of::<client::session::logout_all::v3::Request>())
+					{
 						return Err!(Request(Unauthorized("Your account is locked.")));
 					}
 				}
@@ -258,6 +258,19 @@ impl CheckAuth for NoAccessToken {
 			err!(Request(Unauthorized(warn!("Failed to extract authorization: {}", err))))
 		})?;

+		// Check special access restrictions
+		if (route == TypeId::of::<client::profile::get_avatar_url::v3::Request>()
+			|| route == TypeId::of::<client::profile::get_display_name::v3::Request>()
+			|| route == TypeId::of::<client::profile::get_profile_field::v3::Request>()
+			|| route == TypeId::of::<client::profile::get_profile::v3::Request>())
+			&& services.config.require_auth_for_profile_requests
+			&& token.is_none()
+		{
+			return Err!(Request(Unauthorized(
+				"This server requires authentication to access user profiles."
+			)));
+		}
+
 		<AccessTokenOptional as CheckAuth>::verify(services, token, request, query, route).await
 	}
 }