diff --git a/changelog.d/3641.bugfix b/changelog.d/3641.bugfix
index 02181975c011d04cf30241d836adaa1858f26990..149349baa23c496e3f8bdd9bd4cc95ced61dd766 100644
--- a/changelog.d/3641.bugfix
+++ b/changelog.d/3641.bugfix
@@ -1 +1 @@
-Fix a potential event disclosure issue
\ No newline at end of file
+Fix a potential issue where servers could request events for rooms they have not joined.
diff --git a/changelog.d/3642.bugfix b/changelog.d/3642.bugfix
new file mode 100644
index 0000000000000000000000000000000000000000..e2e9b209def6fb06466e85a9e7168db67d5bb140
--- /dev/null
+++ b/changelog.d/3642.bugfix
@@ -0,0 +1 @@
+Fix a potential issue where users could see events in private joins before they joined
diff --git a/synapse/handlers/events.py b/synapse/handlers/events.py
index c3f2d7feff3a29c793e1898542b3b5018ce9a05b..f772e62c28f6311af4b6f1cd7b4c4751d1d8bcff 100644
--- a/synapse/handlers/events.py
+++ b/synapse/handlers/events.py
@@ -19,10 +19,12 @@ import random
from twisted.internet import defer
from synapse.api.constants import EventTypes, Membership
+from synapse.api.errors import AuthError
from synapse.events import EventBase
from synapse.events.utils import serialize_event
from synapse.types import UserID
from synapse.util.logutils import log_function
+from synapse.visibility import filter_events_for_client
from ._base import BaseHandler
@@ -129,11 +131,13 @@ class EventStreamHandler(BaseHandler):
class EventHandler(BaseHandler):
@defer.inlineCallbacks
- def get_event(self, user, event_id):
+ def get_event(self, user, room_id, event_id):
"""Retrieve a single specified event.
Args:
user (synapse.types.UserID): The user requesting the event
+ room_id (str|None): The expected room id. We'll return None if the
+ event's room does not match.
event_id (str): The event ID to obtain.
Returns:
dict: An event, or None if there is no event matching this ID.
@@ -142,13 +146,26 @@ class EventHandler(BaseHandler):
AuthError if the user does not have the rights to inspect this
event.
"""
- event = yield self.store.get_event(event_id)
+ event = yield self.store.get_event(event_id, check_room_id=room_id)
if not event:
defer.returnValue(None)
return
- if hasattr(event, "room_id"):
- yield self.auth.check_joined_room(event.room_id, user.to_string())
+ users = yield self.store.get_users_in_room(event.room_id)
+ is_peeking = user.to_string() not in users
+
+ filtered = yield filter_events_for_client(
+ self.store,
+ user.to_string(),
+ [event],
+ is_peeking=is_peeking
+ )
+
+ if not filtered:
+ raise AuthError(
+ 403,
+ "You don't have permission to access that event."
+ )
defer.returnValue(event)
diff --git a/synapse/rest/client/v1/events.py b/synapse/rest/client/v1/events.py
index b70c9c280682a6751cb73236c5145053d07dbd44..0f3a2e8b5104cef84d092a8e15a88dd31f834877 100644
--- a/synapse/rest/client/v1/events.py
+++ b/synapse/rest/client/v1/events.py
@@ -88,7 +88,7 @@ class EventRestServlet(ClientV1RestServlet):
@defer.inlineCallbacks
def on_GET(self, request, event_id):
requester = yield self.auth.get_user_by_req(request)
- event = yield self.event_handler.get_event(requester.user, event_id)
+ event = yield self.event_handler.get_event(requester.user, None, event_id)
time_now = self.clock.time_msec()
if event:
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 3d6244785427e36c0a817005c059d85c66a55c06..2a679ac8303ebcf9f26d46d9503fda42eff64555 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -508,7 +508,7 @@ class RoomEventServlet(ClientV1RestServlet):
@defer.inlineCallbacks
def on_GET(self, request, room_id, event_id):
requester = yield self.auth.get_user_by_req(request)
- event = yield self.event_handler.get_event(requester.user, event_id)
+ event = yield self.event_handler.get_event(requester.user, room_id, event_id)
time_now = self.clock.time_msec()
if event: