From 15994c61a54c1010a7a422ce9e39ca04db422bdf Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Tue, 16 Jul 2019 17:33:13 +0200 Subject: [PATCH 1/6] Clarification regarding authorisation rules The rules for m.room.power_levels power were somewhat unclear regarding the behaviour towards the always present keys, such as kick and ban. Additionally, it is now also clarified that in the users and events dictionary also added and removed keys are taken into consideration. --- specification/rooms/v1.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index b5ef217a5..ba25fa21d 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -243,14 +243,15 @@ The rules are as follows: #. If there is no previous ``m.room.power_levels`` event in the room, allow. - #. For each of the keys ``users_default``, ``events_default``, - ``state_default``, ``ban``, ``redact``, ``kick``, ``invite``, as well as - each entry being changed under the ``events`` or ``users`` keys: + #. For the keys ``users_default``, ``events_default``, + ``state_default``, ``ban``, ``redact``, ``kick``, ``invite`` check if they were changed. + For each of the changed keys, as well as + each entry being added, changed or removed under the ``events`` or ``users`` keys: - i. If the current value is higher than the ``sender``'s current power level, + i. If the current value is present and higher than the ``sender``'s current power level, reject. - #. If the new value is higher than the ``sender``'s current power level, + #. If the new value is present and higher than the ``sender``'s current power level, reject. #. For each entry being changed under the ``users`` key, other than the From 8aece4f6448394ca9dc8635b0d6c1b89809e07e4 Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Wed, 17 Jul 2019 23:26:10 +0200 Subject: [PATCH 2/6] Incorporated @richvdh suggestions --- specification/rooms/v1.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index ba25fa21d..6d79323f8 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -245,14 +245,23 @@ The rules are as follows: #. For the keys ``users_default``, ``events_default``, ``state_default``, ``ban``, ``redact``, ``kick``, ``invite`` check if they were changed. - For each of the changed keys, as well as - each entry being added, changed or removed under the ``events`` or ``users`` keys: + For each of the changed keys: - i. If the current value is present and higher than the ``sender``'s current power level, + i. If the current value is higher than the ``sender``'s current power level, reject. - #. If the new value is present and higher than the ``sender``'s current power level, + #. If the new value is higher than the ``sender``'s current power level, reject. + + #. For each entry being added, changed or removed in both the ``events`` and ``users`` keys: + + i. If the current value is higher than the ``sender``'s current power level, + reject. + + #. If the new value is higher than the ``sender``'s current power level, + reject. + + #. (Note: current/new value can also denote the inferred value from either ``users_default``, ``events_default`` or ``state_default``) #. For each entry being changed under the ``users`` key, other than the ``sender``'s own entry: From 094005dca1fd79796a731d5669c0fe0fe6808e0e Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Thu, 18 Jul 2019 08:55:58 +0200 Subject: [PATCH 3/6] Incorporated @turt2live suggestions. Added missing added and removed to the rule, because these keys are not required for m.room.power_levels. Also moved the note down to the Note section. --- specification/rooms/v1.rst | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index 6d79323f8..eb453b582 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -244,8 +244,8 @@ The rules are as follows: #. If there is no previous ``m.room.power_levels`` event in the room, allow. #. For the keys ``users_default``, ``events_default``, - ``state_default``, ``ban``, ``redact``, ``kick``, ``invite`` check if they were changed. - For each of the changed keys: + ``state_default``, ``ban``, ``redact``, ``kick``, ``invite`` check if they + were added, changed or removed. For each found alteration: i. If the current value is higher than the ``sender``'s current power level, reject. @@ -253,15 +253,14 @@ The rules are as follows: #. If the new value is higher than the ``sender``'s current power level, reject. - #. For each entry being added, changed or removed in both the ``events`` and ``users`` keys: + #. For each entry being added, changed or removed in both the ``events`` and + ``users`` keys: i. If the current value is higher than the ``sender``'s current power level, reject. #. If the new value is higher than the ``sender``'s current power level, reject. - - #. (Note: current/new value can also denote the inferred value from either ``users_default``, ``events_default`` or ``state_default``) #. For each entry being changed under the ``users`` key, other than the ``sender``'s own entry: @@ -285,15 +284,19 @@ The rules are as follows: .. NOTE:: - Some consequences of these rules: + * Some consequences of these rules: - * Unless you are a member of the room, the only permitted operations (apart - from the initial create/join) are: joining a public room; accepting or - rejecting an invitation to a room. + * Unless you are a member of the room, the only permitted operations (apart + from the initial create/join) are: joining a public room; accepting or + rejecting an invitation to a room. - * To unban somebody, you must have power level greater than or equal to both - the kick *and* ban levels, *and* greater than the target user's power - level. + * To unban somebody, you must have power level greater than or equal to both + the kick *and* ban levels, *and* greater than the target user's power + level. + + * Power levels may also be inferred from defaults. So, mentions of, for example, + the ``sender``'s power level might also refer to a default power level that is + applied. The same holds true for events. Event format ~~~~~~~~~~~~ From d43111cdd2cbfa56f1f3113443b2cf8a1fe30b1d Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Tue, 23 Jul 2019 11:25:34 +0200 Subject: [PATCH 4/6] Incorporated @turt2live suggestions. Used **Note** to describe notes around the authorisation rules. Otherwise restored the original state for the consequences from the auth rules. Moved the clarification regarding default power levels up above the auth rules. Removed third sentence. And followed @turt2live's example, but opted for "for users in that room" because the default user power level is applied to all users. --- specification/rooms/v1.rst | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index eb453b582..0b4e4f65e 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -109,6 +109,8 @@ The types of state events that affect authorization are: - ``m.room.power_levels`` - ``m.room.third_party_invite`` +**Note:** Power levels are inferred from defaults when not explicitly supplied. For example, mentions of the ``sender``'s power level can also refer to the default power level for users in the room. + The rules are as follows: 1. If type is ``m.room.create``: @@ -282,21 +284,17 @@ The rules are as follows: #. Otherwise, allow. -.. NOTE:: - * Some consequences of these rules: - * Unless you are a member of the room, the only permitted operations (apart - from the initial create/join) are: joining a public room; accepting or - rejecting an invitation to a room. + **Note:** Some consequences of these rules: - * To unban somebody, you must have power level greater than or equal to both - the kick *and* ban levels, *and* greater than the target user's power - level. - - * Power levels may also be inferred from defaults. So, mentions of, for example, - the ``sender``'s power level might also refer to a default power level that is - applied. The same holds true for events. + * Unless you are a member of the room, the only permitted operations (apart + from the initial create/join) are: joining a public room; accepting or + rejecting an invitation to a room. + + * To unban somebody, you must have power level greater than or equal to both + the kick *and* ban levels, *and* greater than the target user's power + level. Event format ~~~~~~~~~~~~ From c7a23557d4f4f88e09d15317861164db1b2a97b6 Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Tue, 23 Jul 2019 17:57:22 +0200 Subject: [PATCH 5/6] Last cosmetic changes switched back to the use of `.. NOTE::` --- specification/rooms/v1.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index 0b4e4f65e..02e4f3e4d 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -109,7 +109,11 @@ The types of state events that affect authorization are: - ``m.room.power_levels`` - ``m.room.third_party_invite`` -**Note:** Power levels are inferred from defaults when not explicitly supplied. For example, mentions of the ``sender``'s power level can also refer to the default power level for users in the room. +.. NOTE:: + + Power levels are inferred from defaults when not explicitly supplied. + For example, mentions of the ``sender``'s power level can also refer + to the default power level for users in the room. The rules are as follows: @@ -284,11 +288,11 @@ The rules are as follows: #. Otherwise, allow. +.. NOTE:: + Some consequences of these rules: - **Note:** Some consequences of these rules: - - * Unless you are a member of the room, the only permitted operations (apart + * Unless you are a member of the room, the only permitted operations (apart from the initial create/join) are: joining a public room; accepting or rejecting an invitation to a room. From f4d6b6c26124de47c88ed4c73f788864fb37b97c Mon Sep 17 00:00:00 2001 From: Luca Becker Date: Tue, 23 Jul 2019 17:58:40 +0200 Subject: [PATCH 6/6] Fixed broken indentations --- specification/rooms/v1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specification/rooms/v1.rst b/specification/rooms/v1.rst index 02e4f3e4d..a720b41a5 100644 --- a/specification/rooms/v1.rst +++ b/specification/rooms/v1.rst @@ -292,7 +292,7 @@ The rules are as follows: Some consequences of these rules: - * Unless you are a member of the room, the only permitted operations (apart + * Unless you are a member of the room, the only permitted operations (apart from the initial create/join) are: joining a public room; accepting or rejecting an invitation to a room.