Block clients from sending server ACLs that lock the local server out.

synapse/handlers/message.py

@@ -1159,6 +1159,9 @@ def is_inviter_member_event(e):
                 if original_event.room_id != event.room_id:
                     raise SynapseError(400, "Cannot redact event from a different room")
 
+                if original_event.type == EventTypes.ServerACL:
+                    raise AuthError(403, "Redacting server ACL events is not permitted")
+
             prev_state_ids = await context.get_prev_state_ids()
             auth_events_ids = self.auth.compute_auth_events(
                 event, prev_state_ids, for_verification=True

tests/handlers/test_message.py

@@ -190,3 +190,24 @@ def test_deny_server_acl_block_outselves(self):
             tok=self.access_token,
             expect_code=400,
         )
+
+    def test_deny_redact_server_acl(self):
+        """Test that attempting to redact an ACL is blocked
+        """
+
+        body = self.helper.send_state(
+            self.room_id,
+            EventTypes.ServerACL,
+            body={"allow": [self.hs.hostname]},
+            tok=self.access_token,
+            expect_code=200,
+        )
+        event_id = body["event_id"]
+
+        # Redaction of event should fail.
+        path = "/_matrix/client/r0/rooms/%s/redact/%s" % (self.room_id, event_id)
+        request, channel = self.make_request(
+            "POST", path, content={}, access_token=self.access_token
+        )
+        self.render(request)
+        self.assertEqual(int(channel.result["code"]), 403)