Re-word auth rule section on handling each target separately

Co-authored-by: Jason Volk <jason@zemos.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Jason Volk <jason@zemos.net>
pull/2244/head
Tulir Asokan 5 years ago
parent ec38013daa
commit 984e0af7b2

@ -23,17 +23,21 @@ limit would cap a single redaction event at a bit less than 1500 targets.
Redactions are not intrinsically heavy, so a separate limit should not be
necessary.
### Auth rules
### Client behavior
Clients shall apply existing `m.room.redaction` target behavior over an array
of event ID strings.
### Server behavior
The redaction auth rules should change to iterate the array and check if the
sender has the privileges to redact each event.
There are at least two potential ways to handle targets that are not found or
rejected: soft failing until all targets are found and handling each target
rejected: soft failing until all targets are found or handling each target
separately.
#### Soft fail
Soft fail the event until all targets are found, then accept only if the sender
has the privileges to redact every listed event. This is how redactions
[Soft fail] the event until all targets are found, then accept only if the
sender has the privileges to redact every listed event. This is how redactions
currently work.
This has the downside of requiring servers to fetch all the target events (and
@ -41,19 +45,27 @@ possibly forward them to clients) before being able to process and forward the
redaction event.
#### Handle each target separately
Handle each target separately: if some targets are not found, remember the
redaction and check auth rules when the target is received. This option brings
some complexities, but might be more optimal in situations such as a spam
attack.
The target events of an `m.room.redaction` shall no longer be considered when
deciding the authenticity of an `m.room.redaction` event. Any other existing
rules remain unchanged.
When a server accepts an `m.room.redaction` using the modified auth rules, it
evaluates targets individually for authenticity under the existing auth rules.
Servers MUST NOT include failing and unknown entries to clients.
> Servers do not know whether redaction targets are authorized at the time they
receive the `m.room.redaction` unless they are in possession of the target
event. Implementations retain entries in the original list which were not
shared with clients to later evaluate the target's redaction status.
When receiving a redaction event:
* Ignore illegal targets
* "Remember" targets that can't be found
* Send legal target event IDs to clients in the redaction event.
When the implementation receives a belated target from an earlier
`m.room.redaction`, it evaluates at that point whether the redaction is
authorized.
When receiving an event that is "remembered" to be possibly redacted by an
earlier redaction, check if the redaction was legal, and if it was, do not
send the event to clients.
> Servers should not send belated target events to clients if their redaction
was found to be authentic, as clients were not made aware of the redaction.
That fact is also used to simply ignore unauthorized targets and send the
events to clients normally.
## Tradeoffs
@ -64,3 +76,4 @@ send the event to clients.
[1]: https://img.mau.lu/hEqqt.png
[MSC2174]: https://github.com/matrix-org/matrix-doc/pull/2174
[Soft fail]: https://matrix.org/docs/spec/server_server/r0.1.3#soft-failure

Loading…
Cancel
Save