-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4167: Copy bans on room upgrade #4167
base: main
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# MSC4167: Copy bans on room upgrade | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's unclear to me if we want to be more prescriptive in the room upgrade process: matrix-org/matrix-spec#1906 exists for discussion. |
||
|
||
When a [room upgrade](https://spec.matrix.org/v1.11/client-server-api/#room-upgrades) is performed, | ||
many state events are copied over to the new room, to minimize the amount of work the user has to do | ||
after the upgrade. However, the spec currently states that "Membership events should not be transferred | ||
to the new room due to technical limitations of servers not being able to impersonate people from other | ||
homeservers". While this is most notably true for `join` membership events, this is not true for `ban` | ||
Kladki marked this conversation as resolved.
Show resolved
Hide resolved
|
||
membership, which users likely want copied over to the new room. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There is the argument to be made that users want the ability to control this behavior. Why? Because if the room in question uses a Bot like Draupnir or Mjolnir they have no need to clone the bans potentially as they do all their bans via the bot. If all the bans are done via the bot why clutter the room state the room might argue. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ok then, adding a query parameter like Also I'm not sure whether to mention in the MSC whether mutes should also be copied over once in the spec, and what to do about other future membership states. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To not dig too deep into the intracies of #3909 and #4106 they have a problem in that being muted under them is counted as being a room member. Now if you copied the leave mute states that could work without issue. And you could in theory allow preemptively setting it via a trivial from my perspective change to #3909 that would be inherited by #4106 Current day mutes as in mutes before 3909 are coppied as they are baked into the powerlevels event. |
||
|
||
## Proposal | ||
|
||
When a room upgrade is performed, servers SHOULD copy membership states with the `ban` `membership` to | ||
the new room, to ensure that users banned in the old room are still banned in the new room. | ||
|
||
## Potential issues | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There are potential safety concerns with this behaviour, fwiw. Namely:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Its good that Draupnir and Mjolnir allows you to avoid these issues if you are willing to accept the tradeoff that comes with reactive sanctions instead of preemptive sanctions. |
||
|
||
In rooms with many banned users, it may take a while to perform the upgrade, as all the bans will need | ||
to be performed. However, not doing this would allow previously banned users to access the room, which | ||
is why this is deemed as worth it. | ||
Comment on lines
+22
to
+24
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Additional potential issue: remote servers iirc are informed of the membership change, causing the banned user to potentially receive "You were banned from : " prompts. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Why do you think that? Even if it were true, this scenario doesn't really make sense in situations where the remote server isn't even aware of a room. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if you have There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't really know if there's anything in the spec that causes that behaviour or of it's all just implicit and Synapse is doing something without thinking too much, which is still a problem. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just to check, this only happens with users on the same server as the user upgrading the room, right? Because last I checked if you There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Notifying a user that they were banned in a room they never participated in (or are not currently participating in, i.e. their There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Haven't tested.
It does happen though until there is some work to clarify or make sure that this doesn't happen (if it is even possible to do so since it might be quite hard for a server to work out the extent that a user was participating in the room or not). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
It shouldn't be, since the server already needs to know their |
||
|
||
## Alternatives | ||
|
||
None considered. | ||
|
||
## Security considerations | ||
|
||
None considered. | ||
|
||
## Unstable prefix | ||
|
||
None required, as no new fields or endpoints are being proposed. | ||
|
||
## Dependencies | ||
|
||
None. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementations: