From 16290a0fe5f528a8ca8ce138aefb66e4063aa9a8 Mon Sep 17 00:00:00 2001 From: Will Hunt Date: Thu, 6 May 2021 11:12:39 +0100 Subject: [PATCH] it's --- proposals/2778-appservice-login.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/2778-appservice-login.md b/proposals/2778-appservice-login.md index 5ec933507..5b9e0a48a 100644 --- a/proposals/2778-appservice-login.md +++ b/proposals/2778-appservice-login.md @@ -49,7 +49,7 @@ If one of the following conditions are true: Then the servers MUST reject with HTTP 403, with an `errcode` of `"M_FORBIDDEN"`. -If the access token DOES correspond to a appservice but the user is not inside it's namespace, +If the access token DOES correspond to a appservice but the user is not inside its namespace, then the `errcode` should be `"M_EXCLUSIVE"`. Homeservers should ignore the `access_token` parameter if a type other than @@ -108,7 +108,7 @@ Furthermore, the ability to generate access tokens for real users who registered ## Security considerations -Appservices could use this new functionality to generate devices for any userId that are within it's namespace e.g. setting the +Appservices could use this new functionality to generate devices for any userId that are within its namespace e.g. setting the user namespace regex to `@.*:example.com` would allow appservice to control anyone on the homeserver. While this sounds scary, in practise this is not a problem because:
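Review bot: In the first hunk (`@@ -49,7 +49,7 @@`), the corrected line still reads "a appservice"; since the line is already being touched for the it's/its fix, change it to "an appservice" in the same edit, i.e. `If the access token DOES correspond to an appservice but the user is not inside its namespace,`. The it's/its correction itself is right.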
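Review bot: In the second hunk (`@@ -108,7 +108,7 @@`), the touched line has two more grammar problems that should go into the same change: "any userId that are within its namespace" does not agree in number (either "any userIds that are" or "any userId that is"), and "would allow appservice to control anyone" is missing an article ("would allow the appservice to control anyone"). The it's/its fix is correct. The commit subject "it's" also says nothing about what the patch does; something like "Fix it's/its typos in MSC2778" would make the history searchable.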