Return a 404 for admin api user lookup if user not found (#6901)

* commit 'd8994942f': Return a 404 for admin api user lookup if user not found (#6901) Move the warning at the top of the release changes
matrix-org · Mar 23, 2020 · dbf10b0 · dbf10b0
2 parents 279521a + d899494
commit dbf10b0
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 4 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,6 +1,8 @@
 Synapse 1.10.0 (2020-02-12)
 ===========================
 
+**WARNING to client developers**: As of this release Synapse validates `client_secret` parameters in the Client-Server API as per the spec. See [\#6766](https://github.com/matrix-org/synapse/issues/6766) for details.
+
 Updates to the Docker image
 ---------------------------
 
@@ -54,9 +56,6 @@ Internal Changes
 Synapse 1.10.0rc1 (2020-01-31)
 ==============================
 
-**WARNING to client developers**: As of this release Synapse validates `client_secret` parameters in the Client-Server API as per the spec. See [\#6766](https://github.com/matrix-org/synapse/issues/6766) for details.
-
-
 Features
 --------
 

diff --git a/changelog.d/6901.misc b/changelog.d/6901.misc
@@ -0,0 +1 @@
+Return a 404 instead of 200 for querying information of a non-existant user through the admin API.
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
@@ -21,7 +21,7 @@
 from six.moves import http_client
 
 from synapse.api.constants import UserTypes
-from synapse.api.errors import Codes, SynapseError
+from synapse.api.errors import Codes, NotFoundError, SynapseError
 from synapse.http.servlet import (
     RestServlet,
     assert_params_in_dict,
@@ -152,6 +152,9 @@ async def on_GET(self, request, user_id):
 
         ret = await self.admin_handler.get_user(target_user)
 
+        if not ret:
+            raise NotFoundError("User not found")
+
         return 200, ret
 
     async def on_PUT(self, request, user_id):

diff --git a/tests/rest/admin/test_user.py b/tests/rest/admin/test_user.py
@@ -401,6 +401,22 @@ def test_requester_is_no_admin(self):
         self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
         self.assertEqual("You are not a server admin", channel.json_body["error"])
 
+    def test_user_does_not_exist(self):
+        """
+        Tests that a lookup for a user that does not exist returns a 404
+        """
+        self.hs.config.registration_shared_secret = None
+
+        request, channel = self.make_request(
+            "GET",
+            "/_synapse/admin/v2/users/@unknown_person:test",
+            access_token=self.admin_user_tok,
+        )
+        self.render(request)
+
+        self.assertEqual(404, channel.code, msg=channel.json_body)
+        self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"])
+
     def test_requester_is_admin(self):
         """
         If the user is a server admin, a new user is created.