MSC2260: Update the auth rules for m.room.aliases events
#2260
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # MSC2260: Update the auth rules for `m.room.aliases` events | ||
|
|
||
| ## Background | ||
|
|
||
| Currently, `m.room.aliases` is subject to specific [authorization | ||
| rules](https://matrix.org/docs/spec/rooms/v1#authorization-rules). When these | ||
| rules were introduced, the intention was that `m.room.aliases` would be | ||
| maintained as an up-to-date list of the aliases for the room. However, this has | ||
| not been successful, and in practice the `m.room.aliases` event tends to drift | ||
| out of sync with the aliases (https://github.com/matrix-org/matrix-doc/issues/2262). | ||
|
|
||
| Meanwhile, `m.room.aliases` is open to abuse by remote servers who can add spam | ||
| or offensive aliases (https://github.com/matrix-org/matrix-doc/issues/625). | ||
|
|
||
| ## Proposal | ||
|
|
||
| `m.room.aliases` exists to advertise the aliases available for a given | ||
| room. This is an ability which should be restricted to privileged users in the | ||
| room. | ||
|
|
||
| Therefore, the special-case for `m.room.aliases` is to be removed from the | ||
| [authorization | ||
| rules](https://matrix.org/docs/spec/rooms/v1#authorization-rules). `m.room.aliases` | ||
| would instead be authorised following the normal rules for state events. | ||
ara4n marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| TBD: are you still allowed to add rooms to the directory when you don't have | ||
richvdh marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| the necessary power level? If so, presumably this happens without updating the | ||
| `m.room.aliases` event. So: | ||
|
|
||
| * Is there any mechanism for syncing the alias list if you are later given | ||
| ops? | ||
richvdh marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| * What if another user on your server has ops? What if Eve lacks ops and | ||
| secretly adds `#offensive_alias:example.com`, and then Bob (who has ops) | ||
| adds `#nice_alias:example.com`? How do we make sure that the offensive alias | ||
| isn't published by Bob? | ||
richvdh marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| Server admins will continue to be able to remove entries from the directory | ||
| even if they do not have the right to send the `aliases` event (in which case | ||
| the `m.room.aliases` event will become outdated). | ||
richvdh marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| It would also be logical to allow the contents of `m.room.aliases` events to be | ||
| redacted, as per [MSC2261](https://github.com/matrix-org/matrix-doc/issues/2261). | ||
|
|
||
| ## Tradeoffs | ||
|
|
||
| Perhaps allowing room admins the ability to redact malicious `aliases` events | ||
| is sufficient? Given that a malicious user could immediately publish a new | ||
| `aliases` event (even if they have been banned from the room), it seems like | ||
| that would be ineffective. | ||
|
Member
There was a problem hiding this comment. Yeah, in that scenario we still need the ability for the room admin to gag randoms from adding remote aliases.
Member
There was a problem hiding this comment. ...or require the user to be in the room in order to set a |
||
|
|
||
| Or we could just allow room admins to issue new `m.room.aliases` events | ||
| (possibly restricting them to removing aliases, though it's TBD if state res | ||
| would work reliably in this case). However, that seems to suffer the same | ||
| problem as above. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| 1. This will bake in https://github.com/matrix-org/synapse/issues/1477 in a way | ||
| that cannot be fixed in the case that the server admin doesn't have ops in | ||
| the room. | ||
|
|
||
| 2. This would allow room operators to add 'fake' aliases: for example, I could | ||
| create a room and declare one of its aliases to be | ||
| `#matrix:matrix.org`. It's not obvious that this will cause any problems in | ||
| practice, but it might lead to some confusion. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.