clean up a few tasks related to allow lists

lib/hk-util.js

@@ -834,6 +834,7 @@ const directMessageCommands = {
 */
 HK.onDirectMessage = function (Env, Server, seq, userId, json) {
     const Log = Env.Log;
+    const HISTORY_KEEPER_ID = Env.id;
     Log.silly('HK_MESSAGE', json);
 
     let parsed;
@@ -891,10 +892,27 @@ HK.onDirectMessage = function (Env, Server, seq, userId, json) {
                 return;
             }
 
-            // XXX NOT ALLOWED
-            // respond to txid with error as in handleGetHistory
-            // send the allow list anyway, it might not get used currently
-            // but will in the future
+/*  Anyone in the userlist that isn't in the allow list should have already
+    been kicked out of the channel. Likewise, disallowed users should not
+    be able to add themselves to the userlist because JOIN commands respect
+    access control settings. The error that is sent below protects against
+    the remaining case, in which users try to get history without having
+    joined the channel. Normally we'd send the allow list to tell them the
+    key with which they should authenticate, but since we don't use this
+    behaviour, I'm doing the easy thing and just telling them to GO AWAY.
+
+    We can implement the more advanced behaviour later if it turns out that
+    we need it. This command validates guards against all kinds of history
+    access: GET_HISTORY, GET_HISTORY_RANGE, GET_FULL_HISTORY.
+*/
+
+            w.abort();
+            return void Server.send(userId, [
+                seq,
+                'ERROR',
+                'ERESTRICTED',
+                HISTORY_KEEPER_ID
+            ]);
         }));
     }).nThen(function () {
         // run the appropriate command from the map