-
Notifications
You must be signed in to change notification settings - Fork 433
MSC4155: Invite filtering #4155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Johennes
wants to merge
38
commits into
matrix-org:main
Choose a base branch
from
Johennes:johannes/invite-filtering
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+227
−0
Open
Changes from 3 commits
Commits
Show all changes
38 commits
Select commit
Hold shift + click to select a range
6adc165
MSC4155: Invite filtering
Johennes 43aef70
Fix typo
Johennes b8b226a
Update proposal with feedback from pull request
Johennes dcde420
Update proposals/4155-invite-filtering.md
Johennes 04169f8
Update proposals/4155-invite-filtering.md
Johennes 8c81fd5
Update proposals/4155-invite-filtering.md
Johennes d132a13
Update proposals/4155-invite-filtering.md
Johennes 2345a5b
Update proposals/4155-invite-filtering.md
Johennes a558adb
Update proposals/4155-invite-filtering.md
Johennes a47dbce
Update proposals/4155-invite-filtering.md
Johennes e9478f0
Update proposals/4155-invite-filtering.md
Johennes 29324e9
Drop capability and enforce the config on the server only
Johennes 2f17aa7
Add missing client-side review option as a potential issue
Johennes 3b248c5
Update proposals/4155-invite-filtering.md
Johennes 230ed37
Update proposals/4155-invite-filtering.md
Johennes f916f98
Update proposals/4155-invite-filtering.md
Johennes 44ecf7e
Update proposals/4155-invite-filtering.md
Johennes 88fe9cc
Fix list indentation
Johennes be64f07
Extend alternatives
Johennes e526862
Update proposals/4155-invite-filtering.md
Johennes 52c8bd5
Clarify interaction with m.ignored_user_list
Johennes 0eee397
Fix typo
Johennes 21521f0
Spell out what the globs should operate on
Johennes 643c5bc
Avoid 'eponymous'
Johennes 5c3cab8
Avoid over-specifying null / missing behaviour
Johennes 16dd841
Update proposals/4155-invite-filtering.md
Johennes e735ee8
Add expanding m.ignored_user_list as an alternative
Johennes f65b9b2
Ignore ports when applying server globs
Johennes 8c30b56
Add enabled property
Johennes eb06849
Add potential issue about unanticipated side effects of changes
Johennes f17d2ee
Clarify how to valide array properties
Johennes 195199e
Use normative MUST
Johennes 8d87122
Clarify that ignored invites can be unignored
Johennes 64128c5
Remove dead link
Johennes e36e71d
Use normative wording
Johennes 6fada45
Fix comma error / wordsmith
Johennes 8ed8f33
Fix typo
Johennes 31bbbb6
Add unstable_features flag
Johennes File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,161 @@ | ||
| # MSC4155: Invite filtering | ||
|
|
||
| Matrix supports ignoring users via the eponymous [module] and the `m.ignored_user_list` account data | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| event. This is a nuclear option though and will suppress both invites and room events from the ignored | ||
| users. Additionally, the `m.ignored_user_list` event only allows for block-list configurations that ignore | ||
| specific users but doesn't have a mechanism to ignore entire servers. These shortcomings make the module | ||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| insufficient for use cases such as tightly locked down applications where ignoring needs to be the default | ||
| behaviour. | ||
|
|
||
| This proposal generalises the ignoring users [module] to allow filtering invites specifically. The scheme | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| outlined below was conceptually borrowed from the [gematik specification]. | ||
|
|
||
|
|
||
| ## Proposal | ||
|
|
||
| To allow users to configure which other users are allowed to invite them into rooms, a new account data | ||
| event `m.invite_permission_config` is introduced. | ||
|
|
||
| ```json5 | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| // User-level settings | ||
| "allowed_users": [ "@john:goodguys.org", ... ], | ||
| "ignored_users": [ ... ], | ||
| "blocked_users": [ ... ], | ||
| // Server-level settings | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "allowed_servers": [ ... ], | ||
| "ignored_servers": [ ... ], | ||
| "blocked_servers": [ "*" ] // Glob expressions allowed | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| } | ||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| ``` | ||
|
|
||
| All properties in `content` are optional arrays. A missing or `null` property MUST be treated like an | ||
| empty array. The array elements are [glob expressions] to be matched against user IDs and server names, | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| respectively. | ||
|
|
||
| When evaluating an invite against the contents of `m.invite_permission_config`, implementations should | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| apply the following order: | ||
|
|
||
| 1. If the invite matches any `allow_*` setting, stop processing and allow. | ||
| 2. If the invite matches any `ignore_*` setting, stop processing and ignore. | ||
| 3. If the invite matches any `block_*` setting, stop processing and block. | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| 4. Otherwise allow. | ||
|
|
||
| The semantics of "ignore" and "block" follow [MSC4283] which means ignoring hides the invite with no | ||
| feedback to the inviter whereas blocking rejects the invite. | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| The semantics and order of evaluation enable a number of use cases, for instance: | ||
|
|
||
| ```json5 | ||
| // Invites from everyone | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { } | ||
| } | ||
|
|
||
| // No invites at all | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Invites from everyone except badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| // No invites from badguys.org unless it's @goodguy:badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_users": [ "@goodguy:badguys.org" ], | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org and don't provide feedback to reallybadguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "ignored_servers": [ "reallybadguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Servers SHOULD enforce `m.invite_permission_config` against incoming invites but MAY also delegate | ||
| the task to clients to allow them to let users review ignored and blocked invites. Clients MUST | ||
| enforce the permission config, if their server doesn't do it. In either case, servers MUST communicate | ||
| their behaviour to clients through a new capability `m.invite_permission_config_enforced`. | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| ```json5 | ||
| { | ||
| "capabilities": { | ||
| "m.invite_permission_config_enforced": { | ||
| "enabled": true | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| If `enabled` is set to `true`, the server enforces the permission config. If the capability is missing, | ||
turt2live marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| clients SHOULD behave as if `enabled` was set to `false`. | ||
|
|
||
|
|
||
| ## Potential issues | ||
|
|
||
| None. | ||
|
|
||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## Alternatives | ||
|
|
||
| A comprehensive comparison of existing invite filtering proposals may be found in [MSC4192]. The | ||
| present proposal is functionally inferior to some of the alternatives outline there. It does, for | ||
| instance, not cover the change history of the permission config or sharing the config among different | ||
| users. The proposal is, however, a straightforward and easy to implement extension of the existing | ||
| `m.ignored_user_list` mechanism. See also [this comment] for further details. | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| ## Security considerations | ||
|
|
||
| None. | ||
|
|
||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Until this proposal is accepted into the spec, implementations should refer to `m.invite_permission_config` | ||
| and `m.invite_permission_config_enforced` as `org.matrix.msc4155.invite_permission_config` and | ||
| `org.matrix.msc4155.invite_permission_config_enforced`, respectively. Note that the [gematik specification], | ||
| which predates this MSC, uses an event type of `de.gematik.tim.account.permissionconfig.v1` and | ||
| a different event schema. | ||
|
|
||
|
|
||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ## Dependencies | ||
|
|
||
| This proposal depends on [MSC4283] for the semantics of "ignore" and "block". | ||
Johennes marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| [gematik specification]: https://github.com/gematik/api-ti-messenger/blob/9b9f21b87949e778de85dbbc19e25f53495871e2/src/schema/permissionConfig.json | ||
| [glob expressions]: https://spec.matrix.org/v1.14/appendices/#glob-style-matching | ||
| [MSC4192]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192 | ||
| [MSC4283]: https://github.com/matrix-org/matrix-spec-proposals/pull/4283 | ||
| [module]: https://spec.matrix.org/v1.10/client-server-api/#ignoring-users | ||
| [this comment]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192#discussion_r2025188127 | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I believe all the gematik implementations will be closed source, I'll reference #3860 (comment) as an example for how cases like this were handled in the past. Thanks @clokep for digging it up.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/synapse#18288 is a serverside implementation, albeit with #4155 (comment) "corrected"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/element-web#29603 exposes the serverside settings in the client, but does no filtering of itself. @Johennes does this evoke any worries from you if the invite filtering is done server-side?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I this is fine and consistent with the proposal which allows but doesn't enforce the filtering on either the client or the server. Now that I think of it, we might need a capability so that the client knows when the server does not filter in which case the client needs to filter itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The gematik implementations are based on the initial version of this proposal where we had a base setting of either "allow all" or "block all" and exceptions for users and servers applied on top of it. It also didn't include any globbing.
FWIW, this is how my own health insurance has implemented it:
Main screen with radio buttons for the base setting at the top ("Alle" = "(Allow) everyone" / "Niemand" = "(Allow) noone"). Below that are two buttons to add exceptions for users ("Benutzer") and servers.
For adding user exceptions, they pop up a bottom sheet with a few options ("Teilnehmende hinzufügen"). The first two are for obtaining the MXID by searching gematik-specific directories. The third option scans the MXID from a QR code. And the last one lets you input it manually.
For server exceptions, the only option is to enter the server name manually.
Once entered, the exceptions show in a list at the bottom of the main screen.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Johennes, that's extremely helpful. I'm concerned, however, that it only (appears to) offer controls for
blocked_usersandblocked_servers(i.e, it does not exposeallowed_users,ignored_users,allowed_serversorignored_servers), and nor does it expose globbing.It is the interplay between these settings that I think makes this proposal complicated to implement in a client, and my concern remains that we don't yet have a viable client implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the gematik implementations are based on the initial version of this MSC which used the following scheme:
I think the only apparent UX problem this has is that when you flip
default, your previous exceptions suddenly apply the other way around.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose a client can help manage that UX problem by clearing
user_exceptionsandserver_exceptionsat the same time as changingdefault? That doesn't feel too bad to me, tbh.(I'm sorry you've been sent so far around the houses on this, @Johennes. For now I'm going to focus on landing something in the spec, and then we can come back here and see if we can figure out a plausible way forward.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No worries at all. 👍