From 8b7bf5e7d7dbb7d87848156c27666fc2353efeba Mon Sep 17 00:00:00 2001
From: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
Date: Tue, 25 Oct 2022 15:00:52 +0200
Subject: [PATCH] Return forbidden if not a member anymore (fix  #2802)

---
 syncapi/routing/memberships.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/syncapi/routing/memberships.go b/syncapi/routing/memberships.go
index b4e34225..c9acc5d2 100644
--- a/syncapi/routing/memberships.go
+++ b/syncapi/routing/memberships.go
@@ -109,6 +109,12 @@ func GetMemberships(
 	}
 
 	if joinedOnly {
+		if !queryRes.IsInRoom {
+			return util.JSONResponse{
+				Code: http.StatusForbidden,
+				JSON: jsonerror.Forbidden("You aren't a member of the room and weren't previously a member of the room."),
+			}
+		}
 		var res getJoinedMembersResponse
 		res.Joined = make(map[string]joinedMember)
 		for _, ev := range result {