Merge pull request from GHSA-3x4c-pq33-4w3q

* Add some tests to characterise the problem Some failing. Current states: RoomsMemberListTestCase test_get_member_list ... [OK] test_get_member_list_mixed_memberships ... [OK] test_get_member_list_no_permission ... [OK] test_get_member_list_no_permission_former_member ... [OK] test_get_member_list_no_permission_former_member_with_at_token ... [FAIL] test_get_member_list_no_room ... [OK] test_get_member_list_no_permission_with_at_token ... [FAIL] * Correct the tests * Check user is/was member before divulging room membership * Pull out only the 1 membership event we want. * Update tests/rest/client/v1/test_rooms.py Co-authored-by: Erik Johnston <erik@matrix.org> * Fixup tests (following apply review suggestion) Co-authored-by: Erik Johnston <erik@matrix.org>
2025-05-03 03:54:52 -04:00 · 2021-08-31 10:09:58 +01:00 · 2021-08-31 10:09:58 +01:00 · 52c7a51cfc
commit 52c7a51cfc
parent 8f98260552
2 changed files with 103 additions and 4 deletions
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@ -183,20 +183,37 @@ class MessageHandler:

            if not last_events:
                raise NotFoundError("Can't find event for token %s" % (at_token,))
+            last_event = last_events[0]
+
+            # check whether the user is in the room at that time to determine
+            # whether they should be treated as peeking.
+            state_map = await self.state_store.get_state_for_event(
+                last_event.event_id,
+                StateFilter.from_types([(EventTypes.Member, user_id)]),
+            )
+
+            joined = False
+            membership_event = state_map.get((EventTypes.Member, user_id))
+            if membership_event:
+                joined = membership_event.membership == Membership.JOIN
+
+            is_peeking = not joined

            visible_events = await filter_events_for_client(
                self.storage,
                user_id,
                last_events,
                filter_send_to_client=False,
+                is_peeking=is_peeking,
            )

-            event = last_events[0]
            if visible_events:
                room_state_events = await self.state_store.get_state_for_events(
-                    [event.event_id], state_filter=state_filter
+                    [last_event.event_id], state_filter=state_filter
                )
-                room_state: Mapping[Any, EventBase] = room_state_events[event.event_id]
+                room_state: Mapping[Any, EventBase] = room_state_events[
+                    last_event.event_id
+                ]
            else:
                raise AuthError(
                    403,