From 07be190507e385ec6ce5de7d09ddae4bcb96f692 Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Thu, 18 Dec 2025 22:26:01 +0000
Subject: [PATCH] fix: Return 404 when event is not accessible
---
 src/api/client/relations.rs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/api/client/relations.rs b/src/api/client/relations.rs
index ba39bda7..265c003b 100644
--- a/src/api/client/relations.rs
+++ b/src/api/client/relations.rs
@@ -1,11 +1,11 @@
 use axum::extract::State;
 use conduwuit::{
- Result, at, debug_warn,
+ Result, at, debug_warn, err,
 matrix::{Event, event::RelationTypeEqual, pdu::PduCount},
 utils::{IterStream, ReadyExt, result::FlatOk, stream::WidebandExt},
 };
 use conduwuit_service::Services;
-use futures::StreamExt;
+use futures::{StreamExt, TryFutureExt};
 use ruma::{
 EventId, RoomId, UInt, UserId,
 api::{
@@ -109,6 +109,15 @@ async fn paginate_relations_with_filter(
 recurse: bool,
 dir: Direction,
 ) -> Result {
+ if !services
+ .rooms
+ .state_accessor
+ .user_can_see_event(sender_user, room_id, target)
+ {
+ debug_warn!(req_evt = ?target, ?room_id, "Event relations requested by {sender_user} but is not allowed to see it, returning 404");
+ return err!(Request(NotFound("Event not found.")));
+ }
+
 let start: PduCount = from
 .map(str::parse)
 .transpose()?
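Review bot: The added visibility guard negates `user_can_see_event(sender_user, room_id, target)` directly, with no `.await` on the call. If that method is an async fn (its definition is outside this patch), the condition operates on a future rather than a bool and the access check is never evaluated as written, so the last line of the chain should read `.user_can_see_event(sender_user, room_id, target).await`. The `TryFutureExt` import added in the first hunk is not used by any visible line, which suggests the check was drafted in a different form. Also confirm that `return err!(Request(NotFound("Event not found.")))` has the function's `Result` type; if `err!` builds a bare error value, it needs wrapping as `return Err(err!(Request(NotFound("Event not found."))));`. paginate_relations_with_filter begins and ends outside the hunk.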