From 228c3c405fe8bbe1dc8ee4b73f9fa451291b8b12 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 13:59:12 +0100
Subject: [PATCH 1/8] Return 404 instead of 403 when retrieving an event without perms
---
 synapse/rest/client/v1/room.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 6fe1eddcce4a..ca9b889d19fb 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -568,7 +568,13 @@ def __init__(self, hs):
 @defer.inlineCallbacks
 def on_GET(self, request, room_id, event_id):
 requester = yield self.auth.get_user_by_req(request, allow_guest=True)
- event = yield self.event_handler.get_event(requester.user, room_id, event_id)
+ try:
+ event = yield self.event_handler.get_event(requester.user, room_id, event_id)
+ except AuthError as e:
+ # This endpoint is supposed to return a 404 when the requester does
+ # not have permission to access the event
+ # https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
+ return (404, e.msg)
 time_now = self.clock.time_msec()
 if event:
From ccddd9b9a8cd89211ebd8bc5d464fde27a8d7fe4 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 14:03:58 +0100
Subject: [PATCH 2/8] Add changelog
---
 changelog.d/5798.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/5798.bugfix
diff --git a/changelog.d/5798.bugfix b/changelog.d/5798.bugfix
new file mode 100644
index 000000000000..7db2c37af5d9
--- /dev/null
+++ b/changelog.d/5798.bugfix
@@ -0,0 +1 @@
+Return 404 instead of 403 when accessing /rooms/{roomId}/event/{eventId} for an event without the appropriate permissions.
From e906115472b62d2a1eee679f5180d9e76293bbcf Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 14:18:35 +0100
Subject: [PATCH 3/8] lint
---
 synapse/rest/client/v1/room.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
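Review bot: In patch 1/8 the new `except AuthError` branch in on_GET turns a permission denial into a 404 without recording it anywhere visible in this hunk, so a refused lookup looks the same as an ordinary miss in access logs. A server-side log line in the except branch, for example `logger.info("Denied event lookup by %s in %s", requester.user, room_id)`, would keep denials available for detecting event-id probing while the client still sees only the 404. This assumes room.py has a module-level `logger`, which the hunk does not show. on_GET continues past the end of the hunk.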
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index ca9b889d19fb..5efed57439bd 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -569,7 +569,9 @@ def __init__(self, hs):
 def on_GET(self, request, room_id, event_id):
 requester = yield self.auth.get_user_by_req(request, allow_guest=True)
 try:
- event = yield self.event_handler.get_event(requester.user, room_id, event_id)
+ event = yield self.event_handler.get_event(
+ requester.user, room_id, event_id
+ )
 except AuthError as e:
 # This endpoint is supposed to return a 404 when the requester does
 # not have permission to access the event
From 2347e3c36206e4a2f75be28b14870082d891a05f Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 14:26:16 +0100
Subject: [PATCH 4/8] Hide event existence
---
 synapse/rest/client/v1/room.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 5efed57439bd..4c0d0f0ec1cb 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -576,7 +576,7 @@ def on_GET(self, request, room_id, event_id):
 # This endpoint is supposed to return a 404 when the requester does
 # not have permission to access the event
 # https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
- return (404, e.msg)
+ return (404, "Event not found.")
 time_now = self.clock.time_msec()
 if event:
From ad2c41596528b99c3bd6744f5b1df199a5b0d2bb Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 14:28:37 +0100
Subject: [PATCH 5/8] lint
---
 synapse/rest/client/v1/room.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 4c0d0f0ec1cb..fba5c5175869 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
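Review bot: In patch 4/8, hiding event existence depends on the literal in the except branch staying identical to the separate fall-through `return (404, "Event not found.")` further down on_GET, which lies outside this hunk. Two hand-copied responses drift easily: in 6/8 and 7/8 only this site gains an errcode, so until 8/8 the forbidden and missing cases are presumably distinguishable again by response body. Having the except branch set `event = None` and fall through to the single not-found response would give both cases one source.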
@@ -572,7 +572,7 @@ def on_GET(self, request, room_id, event_id):
 event = yield self.event_handler.get_event(
 requester.user, room_id, event_id
 )
- except AuthError as e:
+ except AuthError:
 # This endpoint is supposed to return a 404 when the requester does
 # not have permission to access the event
 # https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
From f536e7c6a7b150f5446a53dcf2762803733529f5 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 31 Jul 2019 15:14:19 +0100
Subject: [PATCH 6/8] Add M_NOT_FOUND errcode to response
---
 synapse/rest/client/v1/room.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index fba5c5175869..aaeb034ee3d1 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -576,7 +576,7 @@ def on_GET(self, request, room_id, event_id):
 # This endpoint is supposed to return a 404 when the requester does
 # not have permission to access the event
 # https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
- return (404, "Event not found.")
+ return (404, "Event not found.", errcode=Codes.NOT_FOUND)
 time_now = self.clock.time_msec()
 if event:
From dc361798e51ee43f3f7fe4c11dd37251a7d2ffd9 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Mon, 5 Aug 2019 12:39:36 +0100
Subject: [PATCH 7/8] raise a SynapseError instead of tuple
---
 synapse/rest/client/v1/room.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index aaeb034ee3d1..0418b69942f4 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
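Review bot: In patch 6/8 the new line `return (404, "Event not found.", errcode=Codes.NOT_FOUND)` puts a keyword argument inside a tuple literal, which is a SyntaxError, so room.py cannot be imported at this commit. Patch 7/8 replaces it with a `raise SynapseError(...)`; squashing the two would keep every commit in the series loadable for bisecting. on_GET starts and ends outside this hunk.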
@@ -576,7 +576,7 @@ def on_GET(self, request, room_id, event_id):
 # This endpoint is supposed to return a 404 when the requester does
 # not have permission to access the event
 # https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-rooms-roomid-event-eventid
- return (404, "Event not found.", errcode=Codes.NOT_FOUND)
+ raise SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)
 time_now = self.clock.time_msec()
 if event:
From 9d567cc26c7a61956d45106d64d995091cfdf94a Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 6 Aug 2019 13:08:35 +0100
Subject: [PATCH 8/8] change other 404 to a SynapseError
---
 synapse/rest/client/v1/room.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 0418b69942f4..4b2344e69644 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -582,8 +582,8 @@ def on_GET(self, request, room_id, event_id):
 if event:
 event = yield self._event_serializer.serialize_event(event, time_now)
 return (200, event)
- else:
- return (404, "Event not found.")
+
+ return SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)
 class RoomEventContextServlet(RestServlet):
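Review bot: In patch 8/8 the fall-through builds the error but returns it, `return SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)`, whereas 7/8 raises the same error in the except branch. Returning the exception object hands the caller something other than the `(code, body)` pair the success path returns, so the missing-event case will presumably fail in the request machinery instead of producing the 404, and it again differs from the forbidden case. It should be `raise SynapseError(404, "Event not found.", errcode=Codes.NOT_FOUND)`; a test that requests an unknown event id and an event the requester cannot see, asserting identical status, errcode and body, would pin both paths.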