fix: restrict getUsersInRoom to members

src/socket.io/modules.js

@@ -113,11 +113,14 @@ SocketModules.chats.getUsersInRoom = async function (socket, data) {
 	if (!data || !data.roomId) {
 		throw new Error('[[error:invalid-data]]');
 	}
-	const [userData, isOwner] = await Promise.all([
+	const [isUserInRoom, isOwner, userData] = await Promise.all([
-		Messaging.getUsersInRoom(data.roomId, 0, -1),
+		Messaging.isUserInRoom(socket.uid, data.roomId),
 		Messaging.isRoomOwner(socket.uid, data.roomId),
+		Messaging.getUsersInRoom(data.roomId, 0, -1),
 	]);
-
+	if (!isUserInRoom) {
+		throw new Error('[[error:no-privileges]]');
+	}
 	userData.forEach((user) => {
 		user.canKick = (parseInt(user.uid, 10) !== parseInt(socket.uid, 10)) && isOwner;
 	});

test/messaging.js

@@ -150,6 +150,19 @@ describe('Messaging Library', function () {
 			});
 		});
 
+		it('should get users in room', async function () {
+			const data = await socketModules.chats.getUsersInRoom({ uid: fooUid }, { roomId: roomId });
+			assert(Array.isArray(data) && data.length === 3);
+		});
+
+		it('should throw error if user is not in room', async function () {
+			try {
+				const data = await socketModules.chats.getUsersInRoom({ uid: 123123123 }, { roomId: roomId });
+			} catch (err) {
+				assert.equal(err.message, '[[error:no-privileges]]');
+			}
+		});
+
 		it('should fail to add users to room if max is reached', function (done) {
 			meta.config.maximumUsersInChatRoom = 2;
 			socketModules.chats.addUserToRoom({ uid: fooUid }, { roomId: roomId, username: 'test' }, function (err) {