mirror of https://mau.dev/maunium/synapse.git synced 2024-11-17 15:31:19 +01:00

Return 404 instead of 403 when retrieving an event without perms (#5798)

Part of fixing matrix-org/sytest#652

Sytest PR: matrix-org/sytest#667
Andrew Morgan 2019-08-06 13:33:55 +01:00 committed by GitHub
parent 8ed9e63432
commit edeae53221
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 3 deletions

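--- a/changelog.d/5798.bugfix
+++ b/changelog.d/5798.bugfix
@@ -0,0 +1 @@
+Return 404 instead of 403 when accessing /rooms/{roomId}/event/{eventId} for an event without the appropriate permissions.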


@ -568,14 +568,22 @@ class RoomEventServlet(RestServlet):
@defer.inlineCallbacks @defer.inlineCallbacks
def on_GET(self, request, room_id, event_id): def on_GET(self, request, room_id, event_id):
requester = yield self.auth.get_user_by_req(request, allow_guest=True) requester = yield self.auth.get_user_by_req(request, allow_guest=True)
event = yield self.event_handler.get_event(requester.user, room_id, event_id) try:
event = yield self.event_handler.get_event(
requester.user, room_id, event_id
)
except AuthError:
# This endpoint is supposed to return a 404 when the requester does
# not have permission to access the event
# https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
raise SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)
time_now = self.clock.time_msec() time_now = self.clock.time_msec()
if event: if event:
event = yield self._event_serializer.serialize_event(event, time_now) event = yield self._event_serializer.serialize_event(event, time_now)
return (200, event) return (200, event)
else:
return (404, "Event not found.") return SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)
class RoomEventContextServlet(RestServlet): class RoomEventContextServlet(RestServlet):
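Review bot: The final statement of on_GET returns the SynapseError instead of raising it, unlike the `except AuthError` branch a few lines above, so the missing-event path hands an exception object to the caller where the success path returns a `(200, event)` tuple. It should read `raise SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)`. As written, the "no such event" and "no permission" cases will probably produce different responses, which would let a requester tell them apart and undo the point of masking the 403 as a 404. A test that requests a nonexistent event ID and compares the status and errcode with the permission-denied response would pin both paths to the same answer.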