diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index f6740544c1..ca8c6c55bb 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -420,27 +420,41 @@ class MessageHandler(BaseHandler):
)
@defer.inlineCallbacks
- def get_joined_members(self, user_id, room_id):
+ def get_joined_members(self, requester, room_id):
"""Get all the joined members in the room and their profile information.
If the user has left the room return the state events from when they left.
Args:
- user_id(str): The user requesting state events.
+ requester(Requester): The user requesting state events.
room_id(str): The room ID to get all state events from.
Returns:
A dict of user_id to profile info
"""
- membership, membership_event_id = yield self._check_in_room_or_world_readable(
- room_id, user_id
- )
-
- if membership == Membership.JOIN:
- users_with_profile = yield self.state.get_current_user_in_room(room_id)
- else:
- raise NotImplementedError(
- "Getting joined members after leaving is not implemented"
+ user_id = requester.user.to_string()
+ if not requester.app_service:
+ # We check AS auth after fetching the room membership, as it
+ # requires us to pull out all joined members anyway.
+ membership, _ = yield self._check_in_room_or_world_readable(
+ room_id, user_id
)
+ if membership != Membership.JOIN:
+ raise NotImplementedError(
+ "Getting joined members after leaving is not implemented"
+ )
+
+ users_with_profile = yield self.state.get_current_user_in_room(room_id)
+
+ # If this is an AS, double check that they are allowed to see the members.
+ # This can either be because the AS user is in the room or becuase there
+ # is a user in the room that the AS is "interested in"
+ if requester.app_service and user_id not in users_with_profile:
+ for uid in users_with_profile:
+ if requester.app_service.is_interested_in_user(uid):
+ break
+ else:
+ # Loop fell through, AS has no interested users in room
+ raise AuthError(403, "Appservice not in room")
defer.returnValue({
user_id: {
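Review bot: The application-service check at `if requester.app_service and user_id not in users_with_profile:` authorises the request as soon as any joined user matches `is_interested_in_user`, so the rooms whose member list an AS can read are only as narrow as its registered user namespaces, and nothing in the function says so. I would state that in the docstring and add a `Raises:` entry for the new `AuthError` 403, since the message `"Appservice not in room"` describes only half of the condition being tested. The docstring's second sentence still promises state events for users who have left, while the new code raises `NotImplementedError` for any non-AS requester whose membership is not `JOIN`; presumably that surfaces as a server error rather than a 403, which is worth confirming. The comment above the check also has a typo (`becuase`). The function body continues past the end of this hunk, so the shape of the returned dict is not visible here.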
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 4be0fee38d..6c379d53ac 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -403,10 +403,9 @@ class JoinedRoomMemberListRestServlet(ClientV1RestServlet):
@defer.inlineCallbacks
def on_GET(self, request, room_id):
requester = yield self.auth.get_user_by_req(request)
- user_id = requester.user.to_string()
users_with_profile = yield self.message_handler.get_joined_members(
- user_id, room_id,
+ requester, room_id,
)
defer.returnValue((200, {