From 0f9eadd1a1f363dd5af3e80ce9efe6a661679f8a Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Wed, 2 Feb 2022 08:41:49 -0700
Subject: [PATCH] Fix knock->leave transition in auth rules (#3694)

* Fix knock->leave transition in auth rules

This was an oversight from knocking being added.

For safety, this has been verified as at least intended by Synapse to work:
https://github.com/matrix-org/synapse/blob/f5e2cde3f50c7315d4d7a69e814deb9593943318/synapse/event_auth.py#L390-L391

* changelog
---
 changelogs/room_versions/newsfragments/3694.clarification | 1 +
 content/rooms/fragments/v8-auth-rules.md                  | 3 ++-
 content/rooms/v7.md                                       | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/room_versions/newsfragments/3694.clarification

diff --git a/changelogs/room_versions/newsfragments/3694.clarification b/changelogs/room_versions/newsfragments/3694.clarification
new file mode 100644
index 00000000..cc593b0a
--- /dev/null
+++ b/changelogs/room_versions/newsfragments/3694.clarification
@@ -0,0 +1 @@
+Fix auth rules to allow membership of `knock` -> `leave` in v7, v8, and v9.
\ No newline at end of file
diff --git a/content/rooms/fragments/v8-auth-rules.md b/content/rooms/fragments/v8-auth-rules.md
index 6089663f..67fb1aae 100644
--- a/content/rooms/fragments/v8-auth-rules.md
+++ b/content/rooms/fragments/v8-auth-rules.md
@@ -91,7 +91,8 @@ The rules are as follows:
         5.  Otherwise, reject.
     5.  If `membership` is `leave`:
         1.  If the `sender` matches `state_key`, allow if and only if
-            that user's current membership state is `invite` or `join`.
+            that user's current membership state is `invite`, `join`,
+            or `knock`.
         2.  If the `sender`'s current membership state is not `join`,
             reject.
         3.  If the *target user*'s current membership state is `ban`,
diff --git a/content/rooms/v7.md b/content/rooms/v7.md
index ebe1e643..424ad739 100644
--- a/content/rooms/v7.md
+++ b/content/rooms/v7.md
@@ -114,7 +114,8 @@ The rules are as follows:
         5.  Otherwise, reject.
     4.  If `membership` is `leave`:
         1.  If the `sender` matches `state_key`, allow if and only if
-            that user's current membership state is `invite` or `join`.
+            that user's current membership state is `invite`, `join`,
+            or `knock`.
         2.  If the `sender`'s current membership state is not `join`,
             reject.
         3.  If the *target user*'s current membership state is `ban`,