Skip to content

fix: Avoid a M_FORBIDDEN response when a user tries to erase their account and profile updates are disabled #19398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jason-famedly wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

fix: Avoid a M_FORBIDDEN response when a user tries to erase their account and profile updates are disabled #19398

jason-famedly wants to merge 2 commits into from

Conversation

@jason-famedly
Copy link

@jason-famedly jason-famedly commented Jan 21, 2026

Currently synapse returns M_FORBIDDEN when trying to use the account deactivation API, if the server admin disabled displayname changes. This is undesirable, since it prevents GDPR erasure without admin interaction. The admin API seems to work fine though. This also only seems to affect the deactivate API, when the erase flag is true.

Relevant endpoint: https://spec.matrix.org/latest/client-server-api/#post_matrixclientv3accountdeactivate

This change only adds an additional check on the condition prior to the forbidden response, to verify that the request is a deactivation and that it is clearing the relevant profile data

There did not seem to be a basic test for this endpoint that checks the erase usage, so that was added as well as checking the above mentioned behavior.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

@jason-famedly
fix: Allow a user to GDPR erase their profile data even when changing…
a668b13 
… profile data is disabled in configuration

Specifically, to check if this is a deactivation and that it is being
set to `""` for an GDPR level erasure
@jason-famedly
changelog
8499906
@jason-famedly jason-famedly requested a review from a team as a code owner January 21, 2026 16:54
@CLAassistant
Copy link

CLAassistant commented Jan 21, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

jason-famedly
jason-famedly commented Jan 21, 2026
View reviewed changes
tests/handlers/test_profile.py
Comment on lines -116 to +118
def test_set_my_name_if_disabled(self) -> None:
self.hs.config.registration.enable_set_displayname = False

@override_config({"enable_set_displayname": False})
def test_set_displayname_if_disabled(self) -> None:
Copy link
Author

@jason-famedly jason-famedly Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This(and the similar in this file) was a drive-by fix to not accidentally change the state of the homeserver configuration the other tests in this series may depend on. If the order of the tests in this series was reversed, at least one of the tests would not pass. No changes here were relevant for to the purpose of this work

Copy link
Author

@jason-famedly jason-famedly Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can remove this if it is an obstacle

jason-famedly
jason-famedly commented Jan 21, 2026
View reviewed changes
synapse/handlers/profile.py
Comment on lines +199 to +201
if (
not by_admin and not self.hs.config.registration.enable_set_displayname
) and not (deactivation and new_displayname == ""):
Copy link
Author

@jason-famedly jason-famedly Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new_displayname(and similarily below for new_avatar_url) an explicit "" is checked for, as that is what the DeactivateAccountHandler.deactivate_account() uses

jason-famedly
jason-famedly commented Jan 21, 2026
View reviewed changes
tests/rest/client/test_account.py
Comment on lines +516 to +525
self.get_success(
profile_handler.set_displayname(
user_id, create_requester(user_id), "Kermit the Frog"
)
)
self.get_success(
profile_handler.set_avatar_url(
user_id, create_requester(user_id), "http://test/Kermit.jpg"
)
)
Copy link
Author

@jason-famedly jason-famedly Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I chose to use profile data for this erasure test as the "smoke signal" that it was functioning, since it was relevant for the fix being included. There are rather large area of other things that could be checked for, and I did not see any explicit testing for comprehensive deletion of data

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jason-famedly @CLAassistant