/events/:eventId endpoint allows access to events from before the user joined the room (SYN-593)

[matrixbot]

curl 'https://matrix.org/_matrix/client/api/v1/events/$1416421146527WDCdP:matrix.org?access_token=<redacted>'
{
    "age": 36270900773,
    "content": {
        "body": "can haz invite?",
        "msgtype": "m.text"
    },
    "event_id": "$1416421146527WDCdP:matrix.org",
    "origin_server_ts": 1414157883323,
    "room_id": "!zOmsiVucpWbRRDjSwe:matrix.org",
    "sender": "@&#8203;irc_kegan:matrix.org",
    "stream_ordering": 16594,
    "type": "m.room.message",
    "unsigned": {
        "age": 36270900773
    },
    "user_id": "@&#8203;irc_kegan:matrix.org"
}

(Imported from https://matrix.org/jira/browse/SYN-593)

(Reported by @richvdh)

[matrixbot]

Jira watchers: @erikjohnston @richvdh

[matrixbot]

Were you joined at the time? What was the history visibility?

-- @erikjohnston

[matrixbot]

Yes, I was joined at the time. To be fair, in the above example, the history visibility at the time of the event was unset; however I can also reproduce it on a later event, once the history_visibility was set to invite (but still before I joined the room):

curl 'https://matrix.org/_matrix/client/api/v1/events/$143769525125400gNQaz:matrix.org?access_token=<redacted>'

-- @richvdh

[turt2live]

This should be fixed by #3642