From 3d8cc67f659f9017a88f4fd0b0c5ca254e469a5e Mon Sep 17 00:00:00 2001
From: mattc <buffless-matt@users.noreply.github.com>
Date: Tue, 15 Mar 2022 14:04:26 +1100
Subject: [PATCH] Alter - Relax authorization restrictions for admin users'
 usage statistics endpoint to be accessible to homeserver admins.

There was no need to lock it down to only global admins.
---
 api/custom/usage.go        | 7 ++++++-
 api/webserver/webserver.go | 2 +-
 docs/admin.md              | 9 ++++++---
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/api/custom/usage.go b/api/custom/usage.go
index 98f8af19..8c37842d 100644
--- a/api/custom/usage.go
+++ b/api/custom/usage.go
@@ -215,13 +215,18 @@ func GetUploadsUsage(r *http.Request, rctx rcontext.RequestContext, user api.Use
 
 // GetUsersUsageStats attempts to provide a loose equivalent to this Synapse admin end-point:
 // https://matrix-org.github.io/synapse/develop/admin_api/statistics.html#users-media-usage-statistics
-func GetUsersUsageStats(r *http.Request, rctx rcontext.RequestContext, _ api.UserInfo) interface{} {
+func GetUsersUsageStats(r *http.Request, rctx rcontext.RequestContext, user api.UserInfo) interface{} {
 	params := mux.Vars(r)
 	qs := r.URL.Query()
 	var err error
 
 	serverName := params["serverName"]
 
+	isGlobalAdmin, isLocalAdmin := api.GetRequestUserAdminStatus(r, rctx, user)
+	if !isGlobalAdmin && (!util.IsServerOurs(serverName) || !isLocalAdmin) {
+		return api.AuthFailed()
+	}
+
 	orderBy := qs.Get("order_by")
 	if len(qs["order_by"]) == 0 {
 		orderBy = "user_id"
diff --git a/api/webserver/webserver.go b/api/webserver/webserver.go
index 3e719b7d..fb9c7dd4 100644
--- a/api/webserver/webserver.go
+++ b/api/webserver/webserver.go
@@ -71,7 +71,7 @@ func Init() *sync.WaitGroup {
 	domainUsageHandler := handler{api.RepoAdminRoute(custom.GetDomainUsage), "domain_usage", counter, false}
 	userUsageHandler := handler{api.RepoAdminRoute(custom.GetUserUsage), "user_usage", counter, false}
 	uploadsUsageHandler := handler{api.RepoAdminRoute(custom.GetUploadsUsage), "uploads_usage", counter, false}
-	usersUsageStatsHandler := handler{api.RepoAdminRoute(custom.GetUsersUsageStats), "users_usage_stats", counter, false}
+	usersUsageStatsHandler := handler{api.AccessTokenRequiredRoute(custom.GetUsersUsageStats), "users_usage_stats", counter, false}
 	getBackgroundTaskHandler := handler{api.RepoAdminRoute(custom.GetTask), "get_background_task", counter, false}
 	listAllBackgroundTasksHandler := handler{api.RepoAdminRoute(custom.ListAllTasks), "list_all_background_tasks", counter, false}
 	listUnfinishedBackgroundTasksHandler := handler{api.RepoAdminRoute(custom.ListUnfinishedTasks), "list_unfinished_background_tasks", counter, false}
diff --git a/docs/admin.md b/docs/admin.md
index aaf70a7a..b35b4092 100644
--- a/docs/admin.md
+++ b/docs/admin.md
@@ -171,7 +171,7 @@ The `task_id` can be given to the Background Tasks API described below.
 
 ## Data usage for servers/users
 
-Individual servers and users can often hoard data in the media repository. These endpoints will tell you how much. These endpoints can only be called by repository admins - they are not available to admins of the homeservers.
+Individual servers and users can often hoard data in the media repository. These endpoints will tell you how much. Unless stated otherwise (below), these endpoints can only be called by repository admins - they are not available to admins of the homeservers.
 
 **Caution**: These endpoints may return *lots* of data. Making very specific requests is recommended.
 
@@ -232,8 +232,11 @@ Use the same endpoint as above, but specifying one or more `?user_id=@alice:exam
 
 #### All known users' usage statistics
 
-Similar to [Per-user usage (all known users)](#per-user-usage-all-known-users), but with a focus on statistics, and with
-parameterized querying ability.
+Similar to [Per-user usage (all known users)](#per-user-usage-all-known-users), but with:
+
+* a focus on statistics
+* parameterized querying ability
+* relaxed authorization restrictions (to allow homeserver admins to query against their own homeserver)
 
 This end-point attempts to be a loose equivalent to
 [this](https://matrix-org.github.io/synapse/develop/admin_api/statistics.html#users-media-usage-statistics) Synapse
-- 
GitLab