Don't allow users to ignore themselves. (element-hq#18508)

Half-Shot · web-flow · commit 6e600c986eba · 2025-06-06T15:37:15.000+01:00
Fixes the self-ignore issues we've being seeing of reports of by ignoring bad requests from clients. Fixes element-hq#11963 Fix element-hq/element-web#29969 although this should also be fixed on the client to avoid confusing errors popping up while rejecting invites. Related to matrix-org/matrix-rust-sdk#5073
diff --git a/changelog.d/18508.bugfix b/changelog.d/18508.bugfix
@@ -0,0 +1 @@
+Prevent users from adding themselves to their own ignore list.
diff --git a/synapse/storage/databases/main/account_data.py b/synapse/storage/databases/main/account_data.py
@@ -34,6 +34,7 @@
 )
 
 from synapse.api.constants import AccountDataTypes
+from synapse.api.errors import Codes, SynapseError
 from synapse.replication.tcp.streams import AccountDataStream
 from synapse.storage._base import db_to_json
 from synapse.storage.database import (
@@ -780,6 +781,9 @@ def _add_account_data_for_user(
         else:
             currently_ignored_users = set()
 
+        if user_id in currently_ignored_users:
+            raise SynapseError(400, "You cannot ignore yourself", Codes.INVALID_PARAM)
+
         # If the data has not changed, nothing to do.
         if previously_ignored_users == currently_ignored_users:
             return
diff --git a/tests/storage/test_account_data.py b/tests/storage/test_account_data.py
@@ -24,6 +24,7 @@
 from twisted.test.proto_helpers import MemoryReactor
 
 from synapse.api.constants import AccountDataTypes
+from synapse.api.errors import Codes, SynapseError
 from synapse.server import HomeServer
 from synapse.util import Clock
 
@@ -93,6 +94,20 @@ def test_ignoring_users(self) -> None:
         # Check the removed user.
         self.assert_ignorers("@another:remote", {self.user})
 
+    def test_ignoring_self_fails(self) -> None:
+        """Ensure users cannot add themselves to the ignored list."""
+
+        f = self.get_failure(
+            self.store.add_account_data_for_user(
+                self.user,
+                AccountDataTypes.IGNORED_USER_LIST,
+                {"ignored_users": {self.user: {}}},
+            ),
+            SynapseError,
+        ).value
+        self.assertEqual(f.code, 400)
+        self.assertEqual(f.errcode, Codes.INVALID_PARAM)
+
     def test_caching(self) -> None:
         """Ensure that caching works properly between different users."""
         # The first user ignores a user.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Prevent users from adding themselves to their own ignore list.`