From f1e01dd2b2217b49de953f8fd0875e00bdb257b2 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Wed, 26 Feb 2020 12:22:55 +0000
Subject: [PATCH] Ensure 'deactivated' parameter is a boolean on user admin
 API, Fix error handling of call to deactivate user (#6990)

---
 changelog.d/6990.bugfix     |  1 +
 synapse/rest/admin/users.py | 11 +++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 changelog.d/6990.bugfix

diff --git a/changelog.d/6990.bugfix b/changelog.d/6990.bugfix
new file mode 100644
index 000000000000..8c1c48f4d424
--- /dev/null
+++ b/changelog.d/6990.bugfix
@@ -0,0 +1 @@
+Prevent user from setting 'deactivated' to anything other than a bool on the v2 PUT /users Admin API.
\ No newline at end of file
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index 064908fbb001..80f959248dcd 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -226,13 +226,16 @@ async def on_PUT(self, request, user_id):
                     )
 
             if "deactivated" in body:
-                deactivate = bool(body["deactivated"])
+                deactivate = body["deactivated"]
+                if not isinstance(deactivate, bool):
+                    raise SynapseError(
+                        400, "'deactivated' parameter is not of type boolean"
+                    )
+
                 if deactivate and not user["deactivated"]:
-                    result = await self.deactivate_account_handler.deactivate_account(
+                    await self.deactivate_account_handler.deactivate_account(
                         target_user.to_string(), False
                     )
-                    if not result:
-                        raise SynapseError(500, "Could not deactivate user")
 
             user = await self.admin_handler.get_user(target_user)
             return 200, user