Merge pull request from GHSA-3x4c-pq33-4w3q

* Add some tests to characterise the problem Some failing. Current states: RoomsMemberListTestCase test_get_member_list ... [OK] test_get_member_list_mixed_memberships ... [OK] test_get_member_list_no_permission ... [OK] test_get_member_list_no_permission_former_member ... [OK] test_get_member_list_no_permission_former_member_with_at_token ... [FAIL] test_get_member_list_no_room ... [OK] test_get_member_list_no_permission_with_at_token ... [FAIL] * Correct the tests * Check user is/was member before divulging room membership * Pull out only the 1 membership event we want. * Update tests/rest/client/v1/test_rooms.py Co-authored-by: Erik Johnston <erik@matrix.org> * Fixup tests (following apply review suggestion) Co-authored-by: Erik Johnston <erik@matrix.org>
author: reivilibre <38398653+reivilibre@users.noreply.github.com> 2021-08-31 10:09:58 +0100
committer: GitHub <noreply@github.com> 2021-08-31 10:09:58 +0100
commit: 52c7a51cfc568ed61d800df99dcca25dc3b5fe3e (patch)
tree: 60d4a8ba77d6f3d8c06dcd81259a2233900c97bd /synapse/handlers/message.py
parent: Fix incompatibility with Twisted < 21. (#10713) (diff)
download: synapse-52c7a51cfc568ed61d800df99dcca25dc3b5fe3e.tar.xz
1 files changed, 20 insertions, 3 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index 8a0024ce84..101a29c6d3 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -183,20 +183,37 @@ class MessageHandler:
 
             if not last_events:
                 raise NotFoundError("Can't find event for token %s" % (at_token,))
+            last_event = last_events[0]
+
+            # check whether the user is in the room at that time to determine
+            # whether they should be treated as peeking.
+            state_map = await self.state_store.get_state_for_event(
+                last_event.event_id,
+                StateFilter.from_types([(EventTypes.Member, user_id)]),
+            )
+
+            joined = False
+            membership_event = state_map.get((EventTypes.Member, user_id))
+            if membership_event:
+                joined = membership_event.membership == Membership.JOIN
+
+            is_peeking = not joined
 
             visible_events = await filter_events_for_client(
                 self.storage,
                 user_id,
                 last_events,
                 filter_send_to_client=False,
+                is_peeking=is_peeking,
             )
 
-            event = last_events[0]
             if visible_events:
                 room_state_events = await self.state_store.get_state_for_events(
-                    [event.event_id], state_filter=state_filter
+                    [last_event.event_id], state_filter=state_filter
                 )
-                room_state: Mapping[Any, EventBase] = room_state_events[event.event_id]
+                room_state: Mapping[Any, EventBase] = room_state_events[
+                    last_event.event_id
+                ]
             else:
                 raise AuthError(
                     403,
author	reivilibre <38398653+reivilibre@users.noreply.github.com>	2021-08-31 10:09:58 +0100
committer	GitHub <noreply@github.com>	2021-08-31 10:09:58 +0100
commit	52c7a51cfc568ed61d800df99dcca25dc3b5fe3e (patch)
tree	60d4a8ba77d6f3d8c06dcd81259a2233900c97bd /synapse/handlers/message.py
parent	Fix incompatibility with Twisted < 21. (#10713) (diff)
download	synapse-52c7a51cfc568ed61d800df99dcca25dc3b5fe3e.tar.xz