(Report received out-of-band from a user unwilling to use Github):
From the docs (and our intention):
"404 Not Found — Returned if the room does not exist, or is configured as inaccessible (and this user doesn't have access)."
And to a larger extent, the return of a 404 when actions are performed on rooms with all permissions disabled.
From a cursory check, it seems that both a manual "accessible" check and an @auth.accessible_required decorator are missing from several routes in rooms.py, messages.py and views.py, potentially allowing a user to scan for existing room names.
The web viewer, for instance, returns 403 instead of 404 for an inaccessible room.
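As an added example (not code from the project this report concerns), here is a guard in the shape of the missing decorator: it resolves the room and applies the access check before the route body runs, and maps both "no such room" and "room inaccessible to this user" to one identical 404 response so the two cases cannot be told apart. The room table, the user model and the decorator name are constructed for illustration.

```python
# Added example, not the project's code: a route guard that returns the same
# 404 whether a room does not exist or exists but is inaccessible to the
# caller, so the response cannot be used to enumerate room names. Room table,
# user model and the decorator name are constructed for illustration.
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Room:
    name: str
    accessible: bool = True                          # room-wide permission
    allowed_users: set = field(default_factory=set)  # per-user overrides


# Constructed sample data: one public room and one hidden room.
ROOMS = {
    "lobby": Room("lobby"),
    "staff": Room("staff", accessible=False, allowed_users={"alice"}),
}

NOT_FOUND = (404, {"error": "Not Found"})   # single body for both cases


def accessible_required(handler):
    """Resolve the room and check access before the handler runs. Both
    failure modes return the identical 404; a 403 here would confirm that
    the room exists."""
    @wraps(handler)
    def wrapper(room_name: str, user: str, *args, **kwargs):
        room = ROOMS.get(room_name)
        if room is None or not (room.accessible or user in room.allowed_users):
            return NOT_FOUND
        return handler(room, user, *args, **kwargs)
    return wrapper


@accessible_required
def get_room(room: Room, user: str):
    """Example route body; only runs once the guard has passed."""
    return 200, {"name": room.name, "user": user}
```

The same guard belongs on every route that takes a room name, including the web viewer, so that an inaccessible room and a nonexistent one produce byte-identical responses.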