Check that event is visible in new APIs

95f3fcda · Erik Johnston · b5c62c6b · 95f3fcda · 95f3fcda
Commit 95f3fcda authored 5 years ago by Erik Johnston
--- a/synapse/rest/client/v2_alpha/relations.py
+++ b/synapse/rest/client/v2_alpha/relations.py
@@ -131,6 +131,7 @@ class RelationPaginationServlet(RestServlet):
        self.store = hs.get_datastore()
        self.clock = hs.get_clock()
        self._event_serializer = hs.get_event_client_serializer()
+        self.event_handler = hs.get_event_handler()
    @defer.inlineCallbacks
    def on_GET(self, request, room_id, parent_id, relation_type=None, event_type=None):
@@ -140,6 +141,10 @@ class RelationPaginationServlet(RestServlet):
            room_id, requester.user.to_string()
        )
+        # This checks that a) the event exists and b) the user is allowed to
+        # view it.
+        yield self.event_handler.get_event(requester.user, room_id, parent_id)
        limit = parse_integer(request, "limit", default=5)
        from_token = parse_string(request, "from")
        to_token = parse_string(request, "to")
@@ -195,6 +200,7 @@ class RelationAggregationPaginationServlet(RestServlet):
        super(RelationAggregationPaginationServlet, self).__init__()
        self.auth = hs.get_auth()
        self.store = hs.get_datastore()
+        self.event_handler = hs.get_event_handler()
    @defer.inlineCallbacks
    def on_GET(self, request, room_id, parent_id, relation_type=None, event_type=None):
@@ -204,6 +210,10 @@ class RelationAggregationPaginationServlet(RestServlet):
            room_id, requester.user.to_string()
        )
+        # This checks that a) the event exists and b) the user is allowed to
+        # view it.
+        yield self.event_handler.get_event(requester.user, room_id, parent_id)
        if relation_type not in (RelationTypes.ANNOTATION, None):
            raise SynapseError(400, "Relation type must be 'annotation'")
@@ -258,6 +268,7 @@ class RelationAggregationGroupPaginationServlet(RestServlet):
        self.store = hs.get_datastore()
        self.clock = hs.get_clock()
        self._event_serializer = hs.get_event_client_serializer()
+        self.event_handler = hs.get_event_handler()
    @defer.inlineCallbacks
    def on_GET(self, request, room_id, parent_id, relation_type, event_type, key):
@@ -267,6 +278,10 @@ class RelationAggregationGroupPaginationServlet(RestServlet):
            room_id, requester.user.to_string()
        )
+        # This checks that a) the event exists and b) the user is allowed to
+        # view it.
+        yield self.event_handler.get_event(requester.user, room_id, parent_id)
        if relation_type != RelationTypes.ANNOTATION:
            raise SynapseError(400, "Relation type must be 'annotation'")
@@ -296,8 +311,6 @@ class RelationAggregationGroupPaginationServlet(RestServlet):
        defer.returnValue((200, return_value))
-        defer.returnValue((200, return_value))
 def register_servlets(hs, http_server):
    RelationSendServlet(hs).register(http_server)

--- a/tests/rest/client/v2_alpha/test_relations.py
+++ b/tests/rest/client/v2_alpha/test_relations.py
@@ -296,7 +296,7 @@ class RelationsTestCase(unittest.HomeserverTestCase):
        request, channel = self.make_request(
            "GET",
-            "/_matrix/client/unstable/rooms/%s/aggregations/m.replaces/%s?limit=1"
+            "/_matrix/client/unstable/rooms/%s/aggregations/%s/m.replace?limit=1"
            % (self.room, self.parent_id),
        )
        self.render(request)