summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--synapse/handlers/message.py36
-rw-r--r--synapse/rest/client/v1/room.py3
2 files changed, 26 insertions, 13 deletions
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index f6740544c1..ca8c6c55bb 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -420,27 +420,41 @@ class MessageHandler(BaseHandler):
         )
 
     @defer.inlineCallbacks
-    def get_joined_members(self, user_id, room_id):
+    def get_joined_members(self, requester, room_id):
         """Get all the joined members in the room and their profile information.
 
         If the user has left the room return the state events from when they left.
 
         Args:
-            user_id(str): The user requesting state events.
+            requester(Requester): The user requesting state events.
             room_id(str): The room ID to get all state events from.
         Returns:
             A dict of user_id to profile info
         """
-        membership, membership_event_id = yield self._check_in_room_or_world_readable(
-            room_id, user_id
-        )
-
-        if membership == Membership.JOIN:
-            users_with_profile = yield self.state.get_current_user_in_room(room_id)
-        else:
-            raise NotImplementedError(
-                "Getting joined members after leaving is not implemented"
+        user_id = requester.user.to_string()
+        if not requester.app_service:
+            # We check AS auth after fetching the room membership, as it
+            # requires us to pull out all joined members anyway.
+            membership, _ = yield self._check_in_room_or_world_readable(
+                room_id, user_id
             )
+            if membership != Membership.JOIN:
+                raise NotImplementedError(
+                    "Getting joined members after leaving is not implemented"
+                )
+
+        users_with_profile = yield self.state.get_current_user_in_room(room_id)
+
+        # If this is an AS, double check that they are allowed to see the members.
+        # This can either be because the AS user is in the room or becuase there
+        # is a user in the room that the AS is "interested in"
+        if requester.app_service and user_id not in users_with_profile:
+            for uid in users_with_profile:
+                if requester.app_service.is_interested_in_user(uid):
+                    break
+            else:
+                # Loop fell through, AS has no interested users in room
+                raise AuthError(403, "Appservice not in room")
 
         defer.returnValue({
             user_id: {
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 4be0fee38d..6c379d53ac 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -403,10 +403,9 @@ class JoinedRoomMemberListRestServlet(ClientV1RestServlet):
     @defer.inlineCallbacks
     def on_GET(self, request, room_id):
         requester = yield self.auth.get_user_by_req(request)
-        user_id = requester.user.to_string()
 
         users_with_profile = yield self.message_handler.get_joined_members(
-            user_id, room_id,
+            requester, room_id,
         )
 
         defer.returnValue((200, {
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-21 08:29:02 +0000