summary refs log tree commit diff
path: root/synapse/handlers/message.py
diff options
context:
space:
mode:
authorErik Johnston <erikj@jki.re>2017-09-28 10:44:44 +0100
committerGitHub <noreply@github.com>2017-09-28 10:44:44 +0100
commitbf86a41ef1c81f2e0495f6132fec7e14d50ecf00 (patch)
tree004e0c3acc15bea438e498d07f68427b3a22fdee /synapse/handlers/message.py
parentMerge pull request #2475 from matrix-org/erikj/joined_members_auth (diff)
parentFix /joined_members to work with AS users (diff)
downloadsynapse-bf86a41ef1c81f2e0495f6132fec7e14d50ecf00.tar.xz
Merge pull request #2476 from matrix-org/erikj/joined_members_auth
Fix /joined_members to work with AS users
Diffstat (limited to 'synapse/handlers/message.py')
-rw-r--r--synapse/handlers/message.py36
1 files changed, 25 insertions, 11 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index f6740544c1..ca8c6c55bb 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -420,27 +420,41 @@ class MessageHandler(BaseHandler):
         )
 
     @defer.inlineCallbacks
-    def get_joined_members(self, user_id, room_id):
+    def get_joined_members(self, requester, room_id):
         """Get all the joined members in the room and their profile information.
 
         If the user has left the room return the state events from when they left.
 
         Args:
-            user_id(str): The user requesting state events.
+            requester(Requester): The user requesting state events.
             room_id(str): The room ID to get all state events from.
         Returns:
             A dict of user_id to profile info
         """
-        membership, membership_event_id = yield self._check_in_room_or_world_readable(
-            room_id, user_id
-        )
-
-        if membership == Membership.JOIN:
-            users_with_profile = yield self.state.get_current_user_in_room(room_id)
-        else:
-            raise NotImplementedError(
-                "Getting joined members after leaving is not implemented"
+        user_id = requester.user.to_string()
+        if not requester.app_service:
+            # We check AS auth after fetching the room membership, as it
+            # requires us to pull out all joined members anyway.
+            membership, _ = yield self._check_in_room_or_world_readable(
+                room_id, user_id
             )
+            if membership != Membership.JOIN:
+                raise NotImplementedError(
+                    "Getting joined members after leaving is not implemented"
+                )
+
+        users_with_profile = yield self.state.get_current_user_in_room(room_id)
+
+        # If this is an AS, double check that they are allowed to see the members.
+        # This can either be because the AS user is in the room or becuase there
+        # is a user in the room that the AS is "interested in"
+        if requester.app_service and user_id not in users_with_profile:
+            for uid in users_with_profile:
+                if requester.app_service.is_interested_in_user(uid):
+                    break
+            else:
+                # Loop fell through, AS has no interested users in room
+                raise AuthError(403, "Appservice not in room")
 
         defer.returnValue({
             user_id: {