From e1fa3ef151a8d8e0e4b693ebc3135d32d41548af Mon Sep 17 00:00:00 2001
From: Andrew Ferrazzutti <andrewf@element.io>
Date: Mon, 23 Sep 2024 17:19:39 -0400
Subject: [PATCH] Test user ID in middle of state key

---
 tests/rest/client/test_owned_state.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/rest/client/test_owned_state.py b/tests/rest/client/test_owned_state.py
index f740185f6bb..6f4da881aca 100644
--- a/tests/rest/client/test_owned_state.py
+++ b/tests/rest/client/test_owned_state.py
@@ -196,6 +196,17 @@ def test_user_cannot_set_state_with_unseparated_suffixed_key(self) -> None:
             expect_code=HTTPStatus.FORBIDDEN,
         )
 
+    def test_user_cannot_set_state_with_misplaced_userid_in_key(self) -> None:
+        self.helper.send_state(
+            self.room_id,
+            _STATE_EVENT_TEST_TYPE,
+            {},
+            # Still put @ at start of state key, because without it, there is no write protection at all
+            state_key=f"@prefix_{self.user1_user_id}{_STATE_KEY_SUFFIX}",
+            tok=self.user1_access_token,
+            expect_code=HTTPStatus.FORBIDDEN,
+        )
+
     def test_admin_cannot_set_state_with_malformed_userid_key(self) -> None:
         body = self.helper.send_state(
             self.room_id,