Users that knock on a room with a shared history visibility and are subsequently kicked are able to view all previous events

Description

I created a room (room version 10) as a test user with the following initial state:

• history_visibility: shared
• join_rule: knock

I’m observing that if another user knocks on the room and that admin test user kicks them, the kicked user is still able to fetch all of the previous events of the room using the /_matrix/client/v3/rooms/{roomId}/messages GET endpoint.

This seems like unexpected behaviour to me and a major risk to the privacy/confidentiality of the users in the room.

The Client-Server API Spec mentions this for shared room history visibility:

“Previous events are always accessible to newly joined members. All events in the room are accessible, even those sent when the member was not a part of the room.”

I have a feeling that room members with membership set as knock are mistakenly being considered as newly joined members in this case.

Steps to reproduce

• the following steps refer to user 1 (room creator and admin) and user 2 (knocker)
• create a room as user 1 with the following properties:
  • history_visibility: shared
  • join_rule: knock
  • room_version: 10
• send a few test messages as user 1 in the room
• knock on the room as user 2
• kick user 2 as user 1
• access previous events in the room as user 2 using the /_matrix/client/v3/rooms/{roomId}/messages GET endpoint
• observe that the test messages sent as user 1 are accessible through this endpoint by user 2

Homeserver

Local test homeserver

Synapse Version

1.68.0

Installation Method

Docker (matrixdotorg/synapse)

Platform

Official Docker image running in a container on Manjaro Linux

Relevant log output

[Edit 2022-09-30 11:41 UTC by dmr: redacted logs which contained sensitive information.]

Anything else that would be useful to know?

No response