From b859919acc3ad6c61ba26a3c9b1e36c75a30c3fe Mon Sep 17 00:00:00 2001
From: David Teller <d.o.teller+github@gmail.com>
Date: Thu, 28 Jan 2021 12:18:07 +0100
Subject: [PATCH] FIXUP: Now testing that the user is admin!

---
 changelog.d/9150.feature      |  5 +----
 synapse/rest/admin/rooms.py   |  3 ++-
 tests/rest/admin/test_room.py | 36 ++++++++++++++++++++++++++++++++++-
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/changelog.d/9150.feature b/changelog.d/9150.feature
index 86c4fd3d7..48a8148de 100644
--- a/changelog.d/9150.feature
+++ b/changelog.d/9150.feature
@@ -1,4 +1 @@
-New API /_synapse/admin/rooms/{roomId}/context/{eventId}
-
-This API mirrors /_matrix/client/r0/rooms/{roomId}/context/{eventId} but lets administrators
-inspect rooms. Designed to annotate abuse reports with context.
+New API /_synapse/admin/rooms/{roomId}/context/{eventId}.
diff --git a/synapse/rest/admin/rooms.py b/synapse/rest/admin/rooms.py
index 653965528..439319754 100644
--- a/synapse/rest/admin/rooms.py
+++ b/synapse/rest/admin/rooms.py
@@ -578,7 +578,8 @@ class RoomEventContextServlet(RestServlet):
         self.auth = hs.get_auth()
 
     async def on_GET(self, request, room_id, event_id):
-        requester = await self.auth.get_user_by_req(request, allow_guest=True)
+        requester = await self.auth.get_user_by_req(request, allow_guest=False)
+        await assert_user_is_admin(self.auth, requester.user)
 
         limit = parse_integer(request, "limit", default=10)
 
diff --git a/tests/rest/admin/test_room.py b/tests/rest/admin/test_room.py
index 7e89eb479..fd201993d 100644
--- a/tests/rest/admin/test_room.py
+++ b/tests/rest/admin/test_room.py
@@ -1430,7 +1430,41 @@ class JoinAliasRoomTestCase(unittest.HomeserverTestCase):
         self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
         self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
 
-    def test_context(self):
+    def test_context_as_non_admin(self):
+        """
+        Test that, without being admin, one cannot use the context admin API
+        """
+        # Create a room.
+        user_id = self.register_user("test", "test")
+        user_tok = self.login("test", "test")
+
+        self.register_user("test_2", "test")
+        user_tok_2 = self.login("test_2", "test")
+
+        room_id = self.helper.create_room_as(user_id, tok=user_tok)
+
+        # Populate the room with events.
+        events = []
+        for i in range(30):
+            events.append(
+                self.helper.send_event(
+                    room_id, "com.example.test", content={"index": i}, tok=user_tok
+                )
+            )
+
+        # Now attempt to find the context using the admin API without being admin.
+        midway = (len(events) - 1) // 2
+        for tok in [user_tok, user_tok_2]:
+            channel = self.make_request(
+                "GET",
+                "/_synapse/admin/v1/rooms/%s/context/%s"
+                % (room_id, events[midway]["event_id"]),
+                access_token=tok,
+            )
+            self.assertEquals(403, int(channel.result["code"]), msg=channel.result["body"])
+            self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
+
+    def test_context_as_admin(self):
         """
         Test that, as admin, we can find the context of an event without having joined the room.
         """