From 590d5a27ea25d3079f15cf4f53a73c31e0a6991f Mon Sep 17 00:00:00 2001
From: Sam Wedgwood <sam@wedgwood.dev>
Date: Wed, 2 Aug 2023 15:50:38 +0100
Subject: [PATCH] treat no sender ID as not joined to room in sendevent -
 returning 403 forbidden instead of 404 not found

---
 clientapi/routing/sendevent.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/clientapi/routing/sendevent.go b/clientapi/routing/sendevent.go
index 172001714..224013403 100644
--- a/clientapi/routing/sendevent.go
+++ b/clientapi/routing/sendevent.go
@@ -316,11 +316,18 @@ func generateSendEvent(
 		}
 	}
 	senderID, err := rsAPI.QuerySenderIDForUser(ctx, *validRoomID, *fullUserID)
-	if err != nil || senderID == nil {
+	if err != nil {
 		return nil, &util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: spec.NotFound("Unable to find senderID for user"),
 		}
+	} else if senderID == nil {
+		// TODO: is it always the case that lack of a sender ID means they're not joined?
+		//       And should this logic be deferred to the roomserver somehow?
+		return nil, &util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: spec.Forbidden("not joined to room"),
+		}
 	}
 
 	// create the new event and set all the fields we can