From 55b99d29e4a7df3a77e298b95d9e977882c361be Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Mon, 19 Jul 2021 15:10:29 -0400 Subject: [PATCH] Clarify if a resident server cannot issue a join vs. if they're unsure if the user is allowed to join. --- proposals/3083-restricted-rooms.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/proposals/3083-restricted-rooms.md b/proposals/3083-restricted-rooms.md index d739c48e9..8e7c82fe7 100644 --- a/proposals/3083-restricted-rooms.md +++ b/proposals/3083-restricted-rooms.md 
@@ -67,13 +67,18 @@ It is possible for a resident homeserver (one which receives a `/make_join` / `/send_join` request to not know if the user is in some of the allowed rooms (due to not participating in them). If the user is not in any of the allowed rooms that are known to the homeserver it should return an error response with HTTP status code -of 400 with an `errcode` of `M_CANNOT_ALLOW`. The joining server should attempt to -join via another resident homeserver. If the resident homeserver knows that the -user is not in *any* of the allowed rooms it should return an error response with -HTTP status code of 403 and an `errcode` of `M_FORBIDDEN`. Note that it is a +of 400 with an `errcode` of `M_UNABLE_TO_AUTHORISE_JOIN`. The joining server should +attempt to join via another resident homeserver. If the resident homeserver knows +that the user is not in *any* of the allowed rooms it should return an error response +with HTTP status code of 403 and an `errcode` of `M_FORBIDDEN`. Note that it is a configuration error if there are allowed rooms with no participating authorised servers. +A chosen resident homeserver might also be unable to issue invites, in this case +it should return an error response with HTTP status code of 400 and an `errcode` +of `M_CANNOT_ALLOW`. The joining server should attempt to join via another +resident homeserver. + From the perspective of the [auth rules](https://spec.matrix.org/unstable/rooms/v1/#authorization-rules), the `restricted` join rule has the same behavior as `public`, with the additional caveat that servers must ensure that:
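Review bot: The added paragraph ("A chosen resident homeserver might also be unable to issue invites") does not state the condition that makes a server unable to issue invites, so an implementer cannot tell when to return `M_CANNOT_ALLOW` rather than `M_UNABLE_TO_AUTHORISE_JOIN`. Please spell out that condition. Note also that this change reuses `M_CANNOT_ALLOW`, which the removed lines assigned to the "user not in any known allowed room" case, for a different meaning. Both cases return HTTP 400 and tell the joining server to try another resident homeserver, so retry behaviour is unaffected, but a server written against the earlier wording will report the wrong reason. A sentence calling out the rename would help. The text should also say what the joining server does once every resident homeserver it has tried returns one of these 400 errors, and state explicitly that the 403 `M_FORBIDDEN` response should not trigger a retry, if that is the intent. Minor: "invites, in this case" is a comma splice; use "invites; in this case" or start a new sentence.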