From e6a69418458d0d23ba82c2ed24a4f37604d7cae8 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 11 Nov 2020 16:50:21 +0000 Subject: [PATCH] rename allowed_join again --- proposals/1772-groups-as-rooms.md | 42 ++++++++++++++++--------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/proposals/1772-groups-as-rooms.md b/proposals/1772-groups-as-rooms.md index c5dd3a60e..2e2b77fd4 100644 --- a/proposals/1772-groups-as-rooms.md +++ b/proposals/1772-groups-as-rooms.md @@ -435,7 +435,7 @@ We could represent the allowed spaces with additional content in the "state_key": "", "content": { "join_rule": "public", - "allowed_join": [ + "allow": [ { "space": "!mods:example.org", "via": ["example.org"], @@ -449,14 +449,10 @@ We could represent the allowed spaces with additional content in the } ``` -XXX: would it be better to put it in a separate event? Doing so would probably -require us to come up with a new `join_rule` state to tell servers to go and -look for the allowed spaces. - -The `allowed_join` key applies a restriction to the `public` join rule, so that +The `allow` key applies a restriction to the `public` join rule, so that only users satisfying one or more of the requirements should be allowed to join. Additionally, users who have received an explicit `invite` event are -allowed to join[2](#f2). If the `allowed_join` key is an +allowed to join[2](#f2). If the `allow` key is an empty list (or not a list at all), no users are allowed to join without an invite. @@ -472,13 +468,13 @@ permitted if the user has a valid invite or is in one of the listed spaces XXX: redacting the join_rules above will reset the room to public, which feels dangerous? A new room version is not absolutely required here, but may be advisable to -ensure that servers that do not support `allowed_join` do not join the room +ensure that servers that do not support `allow` do not join the room (and would also allow us to tweak the redaction rules to avoid the foot-gun). #### Kicking users out when they leave the allowed space XXX: this will probably be a future extension, rather than part of the initial -implementation of `allowed_join`. +implementation of `allow`. In the above example, suppose `@bob:server.example` leaves `!users:example.org`: they should be removed from the room. One option is to leave the departure up @@ -488,18 +484,18 @@ the room would still see Bob in the room (and their servers would attempt to send message traffic to it). Instead, we make the removal the responsibility of the room's admin bot (see -above): the bot is expected to peek into any spaces in `allowed_join` and kick +above): the bot is expected to peek into any spaces in `allow` and kick any users who are members of the room and leave the union of the allowed spaces. (XXX: should users in a space be kicked when that space is removed from the -`allowed_join` list? We think not, by analogy with what happens when you switch +`allow` list? We think not, by analogy with what happens when you switch the join rules from `public` to `invite`.) One problem here is that it will lead to users who joined via an invite being kicked. For example: * `@bob:server.example` creates an invite-only room. - * Later, the `join_rules` are switched to `public`, with an `allowed_join` of + * Later, the `join_rules` are switched to `public`, with an `allow` of `!users:example.org`, of which Bob happens to be a member. * Later still, Bob leaves `!users:example.org`. * Bob is kicked from his own room. @@ -508,12 +504,12 @@ Fixing this is thorny. Some sort of annotation on the membership events might help. but it's unclear what the desired semantics are: * Assuming that users in a given space are *not* kicked when that space is - removed from `allowed_join`, are those users then given a pass to remain + removed from `allow`, are those users then given a pass to remain in the room indefinitely? What happens if the space is added back to - `allowed_join` and *then* the user leaves it? + `allow` and *then* the user leaves it? * Suppose a user joins a room via a space (SpaceA). Later, SpaceB is added to - the `allowed_join` list and SpaceA is removed. What should happen when the + the `allow` list and SpaceA is removed. What should happen when the user leaves SpaceB? Are they exempt from the kick? #### Alternatives @@ -530,10 +526,16 @@ help. but it's unclear what the desired semantics are: participating in the room), which feels a bit grim. We could have multiple admin bots to mitigate this, but it gets a bit messy. -* Change the way that `allowed_join` and invites interact, so that an invite - does not exempt you from the `allowed_join` requirements. This would be +* Change the way that `allow` and invites interact, so that an invite + does not exempt you from the `allow` requirements. This would be simpler to implement, but probably doesn't match the expected UX. +* Put the `allow` rules in a separate event? This is attractive because + `join_rules` are involved in event auth and hence state resolution, and the + fewer events that state res has to grapple with the better. However, doing + this would probably require us to come up with a new `join_rule` state to + tell servers to go and look for the allowed spaces. + ## Future extensions The following sections are not blocking parts of this proposal, but are @@ -606,10 +608,10 @@ These dependencies are shared with profiles-as-rooms server could lie about the space membership and add an `@evil_user:example.org`. -* The `allowed_join` feature places increased trust in the servers in the +* The `allow` feature for `join_rules` places increased trust in the servers in the room. We consider this acceptable: if you don't want evil servers randomly joining spurious users into your rooms, then a) don't let evil servers in - your room in the first place, b) don't use `allowed_join` lists, given the + your room in the first place, b) don't use `allow` lists, given the expansion increases the attack surface anyway by letting members in other rooms dictate who's allowed into your room. @@ -640,7 +642,7 @@ Proposed final identifier | Purpose | Development identifier `m.space.parent` | event type | `org.matrix.msc1772.space.parent` `m.room.power_level_mappings` | event type | `org.matrix.msc1772.room.power_level_mappings` `auto_users` | key in `m.room.power_levels` event | `org.matrix.msc1772.auto_users` -`allowed_join` | key in `m.room.join_rules` event | `org.matrix.msc1772.allowed_join` +`allow` | key in `m.room.join_rules` event | `org.matrix.msc1772.allow` ## History