Prevent users from creating user-defined postcontent rules

reivilibre · reivilibre · commit 6f175b9f2da9 · 2025-08-19T11:43:06.000+01:00
diff --git a/synapse/rest/client/push_rule.py b/synapse/rest/client/push_rule.py
@@ -19,9 +19,11 @@
 #
 #
 
+from http import HTTPStatus
 from typing import TYPE_CHECKING, List, Tuple, Union
 
 from synapse.api.errors import (
+    Codes,
     NotFoundError,
     StoreError,
     SynapseError,
@@ -239,6 +241,15 @@ def _rule_spec_from_path(path: List[str]) -> RuleSpec:
 def _rule_tuple_from_request_object(
     rule_template: str, rule_id: str, req_obj: JsonDict
 ) -> Tuple[List[JsonDict], List[Union[str, JsonDict]]]:
+    if rule_template == "postcontent":
+        # postcontent is from MSC4306, which says that clients
+        # cannot create their own postcontent rules right now.
+        raise SynapseError(
+            HTTPStatus.BAD_REQUEST,
+            "user-defined rules using `postcontent` are not accepted",
+            errcode=Codes.INVALID_PARAM,
+        )
+
     if rule_template in ["override", "underride"]:
         if "conditions" not in req_obj:
             raise InvalidRuleException("Missing 'conditions'")
diff --git a/tests/rest/client/test_push_rule_attrs.py b/tests/rest/client/test_push_rule_attrs.py
@@ -18,6 +18,8 @@
 # [This file includes modifications made by New Vector Limited]
 #
 #
+from http import HTTPStatus
+
 import synapse
 from synapse.api.errors import Codes
 from synapse.rest.client import login, push_rule, room
@@ -486,3 +488,23 @@ def test_is_user_mention(self) -> None:
             },
             channel.json_body,
         )
+
+    def test_no_user_defined_postcontent_rules(self) -> None:
+        """
+        Tests that clients are not permitted to create MSC4306 `postcontent` rules.
+        """
+        user = self.register_user("bob", "pass")
+        token = self.login("bob", "pass")
+
+        channel = self.make_request(
+            "PUT",
+            "/pushrules/global/postcontent/some.user.rule",
+            {},
+            access_token=token,
+        )
+
+        self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST)
+        self.assertEqual(
+            "HMMM",
+            channel.json_body["errcode"],
+        )
