Return a 404 for admin api user lookup if user not found (#6901)

* commit 'd8994942f': Return a 404 for admin api user lookup if user not found (#6901) Move the warning at the top of the release changes
2020-03-23 17:15:20 +00:00
parent 279521a278 d8994942f2
commit dbf10b08c4
4 changed files with 23 additions and 4 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,8 @@
 Synapse 1.10.0 (2020-02-12)
 ===========================

+**WARNING to client developers**: As of this release Synapse validates `client_secret` parameters in the Client-Server API as per the spec. See [\#6766](https://github.com/matrix-org/synapse/issues/6766) for details.
+
 Updates to the Docker image
 ---------------------------

@@ -54,9 +56,6 @@ Internal Changes
 Synapse 1.10.0rc1 (2020-01-31)
 ==============================

-**WARNING to client developers**: As of this release Synapse validates `client_secret` parameters in the Client-Server API as per the spec. See [\#6766](https://github.com/matrix-org/synapse/issues/6766) for details.
-
-
 Features
 --------

--- a/changelog.d/6901.misc
+++ b/changelog.d/6901.misc
@@ -0,0 +1 @@
+Return a 404 instead of 200 for querying information of a non-existant user through the admin API.
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -21,7 +21,7 @@ from six import text_type
 from six.moves import http_client

 from synapse.api.constants import UserTypes
-from synapse.api.errors import Codes, SynapseError
+from synapse.api.errors import Codes, NotFoundError, SynapseError
 from synapse.http.servlet import (
    RestServlet,
    assert_params_in_dict,
@@ -152,6 +152,9 @@ class UserRestServletV2(RestServlet):

        ret = await self.admin_handler.get_user(target_user)

+        if not ret:
+            raise NotFoundError("User not found")
+
        return 200, ret

    async def on_PUT(self, request, user_id):
--- a/tests/rest/admin/test_user.py
+++ b/tests/rest/admin/test_user.py
@@ -401,6 +401,22 @@ class UserRestTestCase(unittest.HomeserverTestCase):
        self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
        self.assertEqual("You are not a server admin", channel.json_body["error"])

+    def test_user_does_not_exist(self):
+        """
+        Tests that a lookup for a user that does not exist returns a 404
+        """
+        self.hs.config.registration_shared_secret = None
+
+        request, channel = self.make_request(
+            "GET",
+            "/_synapse/admin/v2/users/@unknown_person:test",
+            access_token=self.admin_user_tok,
+        )
+        self.render(request)
+
+        self.assertEqual(404, channel.code, msg=channel.json_body)
+        self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"])
+
    def test_requester_is_admin(self):
        """
        If the user is a server admin, a new user is created.
				`@@ -0,0 +1 @@`
				`Return a 404 instead of 200 for querying information of a non-existant user through the admin API.`