From cc54a4f8cb467af66c35ee3eb0d880329ff0b715 Mon Sep 17 00:00:00 2001
From: Florian Jacob
Date: Thu, 17 May 2018 16:43:01 +0200
Subject: [PATCH] /rooms/{roomId}/members: specify access_token requirement as the behaviour of which members the users see is user-specific and therefore requires authentication.
Signed-off-by: Florian Jacob
---
 api/client-server/rooms.yaml | 2 ++
 changelogs/client_server.rst | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/api/client-server/rooms.yaml b/api/client-server/rooms.yaml
index 88c2b9d9..cc1f2bf7 100644
--- a/api/client-server/rooms.yaml
+++ b/api/client-server/rooms.yaml
@@ -288,6 +288,8 @@ paths:
 description: The room to get the member events for.
 required: true
 x-example: "!636q39766251:example.com"
+ security:
+ - accessToken: []
 responses:
 200:
 description: |-
diff --git a/changelogs/client_server.rst b/changelogs/client_server.rst
index a2a929b0..3c4fbffa 100644
--- a/changelogs/client_server.rst
+++ b/changelogs/client_server.rst
@@ -35,6 +35,8 @@ Unreleased changes
 (`#1139 `_).
 - Clarify that ``/account/whoami`` should consider application services
 (`#1152 `_).
+ - Mark ``GET /rooms/{roomId}/members`` as requiring authentication
+ (`#1245 `_).
 - Changes to the API which will be backwards-compatible for clients:
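Review bot: The added `security: - accessToken: []` entry in `api/client-server/rooms.yaml` declares that a token is required, but nothing visible in the hunk documents what a caller receives when the authenticated user is not permitted to see the room's membership. Only the opening of the `200` response is shown and the rest of `responses` lies outside the hunk, so this may already be covered there. If it is not, add a `403` response next to the `200` one, for example with `description: You aren't a member of the room.` and an `M_FORBIDDEN` error example, so client authors can tell an authorization failure from an empty member list. It is also worth confirming that `accessToken` resolves through this file's `securityDefinitions`, which is not visible here.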