diff --git a/changelog.d/9150.feature b/changelog.d/9150.feature
index 86c4fd3d72..48a8148dee 100644
--- a/changelog.d/9150.feature
+++ b/changelog.d/9150.feature
@@ -1,4 +1 @@
-New API /_synapse/admin/rooms/{roomId}/context/{eventId}
-
-This API mirrors /_matrix/client/r0/rooms/{roomId}/context/{eventId} but lets administrators
-inspect rooms. Designed to annotate abuse reports with context.
+New API /_synapse/admin/rooms/{roomId}/context/{eventId}.
diff --git a/synapse/rest/admin/rooms.py b/synapse/rest/admin/rooms.py
index 6539655289..4393197549 100644
--- a/synapse/rest/admin/rooms.py
+++ b/synapse/rest/admin/rooms.py
@@ -578,7 +578,8 @@ class RoomEventContextServlet(RestServlet):
self.auth = hs.get_auth()
async def on_GET(self, request, room_id, event_id):
- requester = await self.auth.get_user_by_req(request, allow_guest=True)
+ requester = await self.auth.get_user_by_req(request, allow_guest=False)
+ await assert_user_is_admin(self.auth, requester.user)
limit = parse_integer(request, "limit", default=10)
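Review bot: The reason for flipping `allow_guest` from True to False is not recorded next to the line, and the old value looks like a leftover from the client-side `RoomEventContextServlet` this admin servlet mirrors; a one-line comment above the `get_user_by_req` call would keep the next maintainer from "restoring" it, e.g. `# Admin-only endpoint: guests can never be admins, so reject them before the admin check.`. In Synapse's `Auth.get_user_by_req` the `allow_guest` parameter already defaults to False, so the explicit argument is redundant, though keeping it explicit is a defensible style choice on an admin path. The ordering is right: `assert_user_is_admin` runs before `parse_integer` and any room or event lookup, so unauthenticated or non-admin callers get no information about the room. `on_GET` continues outside the hunk, and the import of `assert_user_is_admin` is not visible here; it is presumably already imported for the other admin servlets in this module, which is worth confirming.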
diff --git a/tests/rest/admin/test_room.py b/tests/rest/admin/test_room.py
index 7e89eb4793..fd201993d3 100644
--- a/tests/rest/admin/test_room.py
+++ b/tests/rest/admin/test_room.py
@@ -1430,7 +1430,41 @@ class JoinAliasRoomTestCase(unittest.HomeserverTestCase):
self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
- def test_context(self):
+ def test_context_as_non_admin(self):
+ """
+ Test that, without being admin, one cannot use the context admin API
+ """
+ # Create a room.
+ user_id = self.register_user("test", "test")
+ user_tok = self.login("test", "test")
+
+ self.register_user("test_2", "test")
+ user_tok_2 = self.login("test_2", "test")
+
+ room_id = self.helper.create_room_as(user_id, tok=user_tok)
+
+ # Populate the room with events.
+ events = []
+ for i in range(30):
+ events.append(
+ self.helper.send_event(
+ room_id, "com.example.test", content={"index": i}, tok=user_tok
+ )
+ )
+
+ # Now attempt to find the context using the admin API without being admin.
+ midway = (len(events) - 1) // 2
+ for tok in [user_tok, user_tok_2]:
+ channel = self.make_request(
+ "GET",
+ "/_synapse/admin/v1/rooms/%s/context/%s"
+ % (room_id, events[midway]["event_id"]),
+ access_token=tok,
+ )
+ self.assertEquals(403, int(channel.result["code"]), msg=channel.result["body"])
+ self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
+
+ def test_context_as_admin(self):
"""
Test that, as admin, we can find the context of an event without having joined the room.
"""