summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--changelog.d/9150.feature5
-rw-r--r--synapse/rest/admin/rooms.py3
-rw-r--r--tests/rest/admin/test_room.py36
3 files changed, 38 insertions, 6 deletions
diff --git a/changelog.d/9150.feature b/changelog.d/9150.feature
index 86c4fd3d72..48a8148dee 100644
--- a/changelog.d/9150.feature
+++ b/changelog.d/9150.feature
@@ -1,4 +1 @@
-New API /_synapse/admin/rooms/{roomId}/context/{eventId}
-
-This API mirrors /_matrix/client/r0/rooms/{roomId}/context/{eventId} but lets administrators
-inspect rooms. Designed to annotate abuse reports with context.
+New API /_synapse/admin/rooms/{roomId}/context/{eventId}.
diff --git a/synapse/rest/admin/rooms.py b/synapse/rest/admin/rooms.py
index 6539655289..4393197549 100644
--- a/synapse/rest/admin/rooms.py
+++ b/synapse/rest/admin/rooms.py
@@ -578,7 +578,8 @@ class RoomEventContextServlet(RestServlet):
         self.auth = hs.get_auth()
 
     async def on_GET(self, request, room_id, event_id):
-        requester = await self.auth.get_user_by_req(request, allow_guest=True)
+        requester = await self.auth.get_user_by_req(request, allow_guest=False)
+        await assert_user_is_admin(self.auth, requester.user)
 
         limit = parse_integer(request, "limit", default=10)
 
diff --git a/tests/rest/admin/test_room.py b/tests/rest/admin/test_room.py
index 7e89eb4793..fd201993d3 100644
--- a/tests/rest/admin/test_room.py
+++ b/tests/rest/admin/test_room.py
@@ -1430,7 +1430,41 @@ class JoinAliasRoomTestCase(unittest.HomeserverTestCase):
         self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
         self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
 
-    def test_context(self):
+    def test_context_as_non_admin(self):
+        """
+        Test that, without being admin, one cannot use the context admin API
+        """
+        # Create a room.
+        user_id = self.register_user("test", "test")
+        user_tok = self.login("test", "test")
+
+        self.register_user("test_2", "test")
+        user_tok_2 = self.login("test_2", "test")
+
+        room_id = self.helper.create_room_as(user_id, tok=user_tok)
+
+        # Populate the room with events.
+        events = []
+        for i in range(30):
+            events.append(
+                self.helper.send_event(
+                    room_id, "com.example.test", content={"index": i}, tok=user_tok
+                )
+            )
+
+        # Now attempt to find the context using the admin API without being admin.
+        midway = (len(events) - 1) // 2
+        for tok in [user_tok, user_tok_2]:
+            channel = self.make_request(
+                "GET",
+                "/_synapse/admin/v1/rooms/%s/context/%s"
+                % (room_id, events[midway]["event_id"]),
+                access_token=tok,
+            )
+            self.assertEquals(403, int(channel.result["code"]), msg=channel.result["body"])
+            self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
+
+    def test_context_as_admin(self):
         """
         Test that, as admin, we can find the context of an event without having joined the room.
         """
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-20 20:33:42 +0000