-
Notifications
You must be signed in to change notification settings - Fork 434
MSC4155: Invite filtering #4155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Johennes
wants to merge
38
commits into
matrix-org:main
Choose a base branch
from
Johennes:johannes/invite-filtering
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+227
−0
Open
Changes from 23 commits
Commits
Show all changes
38 commits
Select commit
Hold shift + click to select a range
6adc165
MSC4155: Invite filtering
Johennes 43aef70
Fix typo
Johennes b8b226a
Update proposal with feedback from pull request
Johennes dcde420
Update proposals/4155-invite-filtering.md
Johennes 04169f8
Update proposals/4155-invite-filtering.md
Johennes 8c81fd5
Update proposals/4155-invite-filtering.md
Johennes d132a13
Update proposals/4155-invite-filtering.md
Johennes 2345a5b
Update proposals/4155-invite-filtering.md
Johennes a558adb
Update proposals/4155-invite-filtering.md
Johennes a47dbce
Update proposals/4155-invite-filtering.md
Johennes e9478f0
Update proposals/4155-invite-filtering.md
Johennes 29324e9
Drop capability and enforce the config on the server only
Johennes 2f17aa7
Add missing client-side review option as a potential issue
Johennes 3b248c5
Update proposals/4155-invite-filtering.md
Johennes 230ed37
Update proposals/4155-invite-filtering.md
Johennes f916f98
Update proposals/4155-invite-filtering.md
Johennes 44ecf7e
Update proposals/4155-invite-filtering.md
Johennes 88fe9cc
Fix list indentation
Johennes be64f07
Extend alternatives
Johennes e526862
Update proposals/4155-invite-filtering.md
Johennes 52c8bd5
Clarify interaction with m.ignored_user_list
Johennes 0eee397
Fix typo
Johennes 21521f0
Spell out what the globs should operate on
Johennes 643c5bc
Avoid 'eponymous'
Johennes 5c3cab8
Avoid over-specifying null / missing behaviour
Johennes 16dd841
Update proposals/4155-invite-filtering.md
Johennes e735ee8
Add expanding m.ignored_user_list as an alternative
Johennes f65b9b2
Ignore ports when applying server globs
Johennes 8c30b56
Add enabled property
Johennes eb06849
Add potential issue about unanticipated side effects of changes
Johennes f17d2ee
Clarify how to valide array properties
Johennes 195199e
Use normative MUST
Johennes 8d87122
Clarify that ignored invites can be unignored
Johennes 64128c5
Remove dead link
Johennes e36e71d
Use normative wording
Johennes 6fada45
Fix comma error / wordsmith
Johennes 8ed8f33
Fix typo
Johennes 31bbbb6
Add unstable_features flag
Johennes File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,198 @@ | ||
| # MSC4155: Invite filtering | ||
|
|
||
| Matrix supports ignoring users via the eponymous [module] and the `m.ignored_user_list` account data | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
| event. This is a nuclear option though and will suppress both invites and room events from the ignored | ||
| users. Additionally, the `m.ignored_user_list` event only allows for block-list configurations that ignore | ||
| specific users but doesn't have a mechanism to ignore entire servers. These shortcomings make the module | ||
|
Johennes marked this conversation as resolved.
|
||
| insufficient for use cases such as tightly locked down applications where ignoring needs to be the default | ||
| behaviour. | ||
|
|
||
| This proposal generalises the ignoring users [module] to allow filtering invites specifically. The scheme | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
| outlined below was conceptually borrowed from the [gematik specification]. | ||
|
|
||
|
|
||
| ## Proposal | ||
|
|
||
| To allow users to configure which other users are allowed to invite them into rooms, a new account data | ||
| event `m.invite_permission_config` is introduced. | ||
|
|
||
| ```json5 | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| // User-level settings | ||
| "allowed_users": [ "@john:goodguys.org", ... ], | ||
| "ignored_users": [ ... ], | ||
| "blocked_users": [ ... ], | ||
| // Server-level settings | ||
|
turt2live marked this conversation as resolved.
|
||
| "allowed_servers": [ ... ], | ||
| "ignored_servers": [ ... ], | ||
| "blocked_servers": [ "*" ] // A feature of all the fields at this level, globs | ||
| } | ||
|
Johennes marked this conversation as resolved.
|
||
| } | ||
| ``` | ||
|
|
||
| All properties in `content` are optional arrays. A missing or `null` property MUST be treated like an | ||
| empty array. The array elements are [glob expressions]. Any `*_users` glob is to be matched against | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
| full user IDs (localpart and domain). Any `*_servers` glob is to be matched against server names / | ||
| domain parts of user IDs. | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
|
|
||
| When evaluating an invite, implementations MUST first apply the existing `m.ignored_user_list` as per | ||
| the current spec. If the invite didn't match, implementations MUST then apply `m.invite_permission_config`. | ||
| The complete processing logic is as follows: | ||
|
|
||
| 1. Verify the invite against `m.ignored_user_list`: | ||
| 1. If it matches `ignored_users`, stop processing and ignore. | ||
| 2. Verify the invite against `m.invite_permission_config`: | ||
| 1. If it matches `allowed_users`, stop processing and allow. | ||
| 2. If it matches `ignored_users`, stop processing and ignore. | ||
| 3. If it matches `blocked_users`, stop processing and block. | ||
| 4. If it matches `allowed_servers`, stop processing and allow. | ||
| 5. If it matches `ignored_servers`, stop processing and ignore. | ||
| 6. If it matches `blocked_servers`, stop processing and block. | ||
| 3. Otherwise, allow. | ||
|
|
||
| The semantics of "ignore" and "block" follow [MSC4283] which means ignoring hides the invite with no | ||
| feedback to the inviter whereas blocking rejects (or refuses, in the case of servers) the invite. | ||
|
Johennes marked this conversation as resolved.
|
||
|
|
||
| When blocking an inviter, the server must respond to the following endpoints with an error: | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
|
|
||
| - `PUT /_matrix/federation/(v1|v2)/invite/{roomId}/{eventId}` | ||
| - `POST /_matrix/client/v3/rooms/{roomId}/invite` | ||
| - `POST /_matrix/client/v3/createRoom` (checking the `invite` list) | ||
| - `PUT /_matrix/client/v3/rooms/{roomId}/state/m.room.member/{stateKey}` (for invite membership) | ||
|
|
||
| The error SHOULD be `M_INVITE_BLOCKED` with a HTTP 403 status code. | ||
|
|
||
| When ignoring an invite, these endpoints MUST handle an invite normally as if accepted. However, the server | ||
| MUST not include the invite down client synchronization endpoints such as `GET /_matrix/client/v3/sync` or | ||
|
Johennes marked this conversation as resolved.
Outdated
|
||
| MSC4186's sliding sync endpoint. In addition, these invites MUST be ignored when calculating push notifications. | ||
|
Johennes marked this conversation as resolved.
|
||
|
|
||
| Otherwise, all other endpoints (such as `GET /_matrix/client/v3/rooms/{roomId}/state`) should work as before. | ||
|
|
||
| Servers are not expected to process these rules for appservice users when calculating events to send down | ||
| `PUT /_matrix/app/v1/transactions`. Appservices are not expected to be run directly by client users, and | ||
| should be able to handle their own spam prevention. | ||
|
|
||
| The semantics and order of evaluation enable a number of use cases, for instance: | ||
|
|
||
| ```json5 | ||
| // Invites from everyone | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { } | ||
| } | ||
|
|
||
| // No invites at all | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Invites from everyone except badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
|
Johennes marked this conversation as resolved.
|
||
| // Only invites from goodguys.org except for @notactuallyguy:goodguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_users": [ "@notactuallyguy:goodguys.org" ], | ||
| "allowed_servers": [ "goodguys.org" ] | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // No invites from badguys.org unless it's @goodguy:badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_users": [ "@goodguy:badguys.org" ], | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org and don't provide feedback to reallybadguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "ignored_servers": [ "reallybadguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
turt2live marked this conversation as resolved.
|
||
| Servers MUST enforce `m.invite_permission_config` against incoming new invites. Additionally, Servers | ||
| SHOULD apply the config against existing pending invites as well. | ||
|
|
||
|
|
||
| ## Potential issues | ||
|
Johennes marked this conversation as resolved.
|
||
|
|
||
| Enforcing the permission configuration exclusively on the server means users have no way to review | ||
| processed invites. This is desirable in most cases as a spam protection measure. It does mean, however, | ||
| that if the user has accidentally blocked a good actor and is informed about it through a different | ||
| communication channel, they'll have to update their permission configuration and request a re-invite. | ||
|
|
||
|
turt2live marked this conversation as resolved.
|
||
|
|
||
| ## Alternatives | ||
|
|
||
| The split between user settings and server settings is technically not needed because glob expressions | ||
| are powerful enough to allow matching either. Splitting them is more explicit and prevents unintended | ||
| globbing mistakes, however. The fact that a user glob and a server glob can overlap does not seem | ||
| problematic because this proposal includes a deterministic processing order for all settings. | ||
|
|
||
| A previous version of this proposal included a base setting of block / allow all with user and | ||
| server exceptions applied on top. In this scheme, flipping the base setting also inverts the semantics | ||
| of all exceptions, however, which makes changing the configuration quite complicated. | ||
|
richvdh marked this conversation as resolved.
|
||
|
|
||
| A comprehensive comparison of existing invite filtering proposals may be found in [MSC4192]. The | ||
| present proposal is functionally inferior to some of the alternatives outline there. It does, for | ||
| instance, not cover the change history of the permission config or sharing the config among different | ||
| users. The proposal is, however, a straightforward and easy to implement extension of the existing | ||
| `m.ignored_user_list` mechanism. See also [this comment] for further details. This proposal is additionally | ||
| extensible for further types of blocking in the future. For example, a future MSC could create definitions | ||
| and behaviours to block/ignore/allow invites from contacts, of a particular type (DM, space, etc), | ||
| to a particular room, or even with given keywords. | ||
|
|
||
|
|
||
| ## Security considerations | ||
|
|
||
| None. | ||
|
|
||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Until this proposal is accepted into the spec, implementations should refer to `m.invite_permission_config` | ||
| and `m.invite_permission_config_enforced` as `org.matrix.msc4155.invite_permission_config` and | ||
| `org.matrix.msc4155.invite_permission_config_enforced`, respectively. Note that the [gematik specification], | ||
| which predates this MSC, uses an event type of `de.gematik.tim.account.permissionconfig.v1` and | ||
| a different event schema. | ||
|
|
||
| The error `M_INVITE_BLOCKED` should be `ORG.MATRIX.MSC4155.M_INVITE_BLOCKED` until this proposal is accepted into the spec. | ||
|
Johennes marked this conversation as resolved.
|
||
| ## Dependencies | ||
|
|
||
| This proposal loosely depends on [MSC4283] for the semantics of "ignore" and "block". | ||
|
|
||
|
|
||
| [gematik specification]: https://github.com/gematik/api-ti-messenger/blob/9b9f21b87949e778de85dbbc19e25f53495871e2/src/schema/permissionConfig.json | ||
| [glob expressions]: https://spec.matrix.org/v1.14/appendices/#glob-style-matching | ||
| [MSC4192]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192 | ||
| [MSC4283]: https://github.com/matrix-org/matrix-spec-proposals/pull/4283 | ||
| [module]: https://spec.matrix.org/v1.10/client-server-api/#ignoring-users | ||
| [this comment]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192#discussion_r2025188127 | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I believe all the gematik implementations will be closed source, I'll reference #3860 (comment) as an example for how cases like this were handled in the past. Thanks @clokep for digging it up.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/synapse#18288 is a serverside implementation, albeit with #4155 (comment) "corrected"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/element-web#29603 exposes the serverside settings in the client, but does no filtering of itself. @Johennes does this evoke any worries from you if the invite filtering is done server-side?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I this is fine and consistent with the proposal which allows but doesn't enforce the filtering on either the client or the server. Now that I think of it, we might need a capability so that the client knows when the server does not filter in which case the client needs to filter itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The gematik implementations are based on the initial version of this proposal where we had a base setting of either "allow all" or "block all" and exceptions for users and servers applied on top of it. It also didn't include any globbing.
FWIW, this is how my own health insurance has implemented it:
Main screen with radio buttons for the base setting at the top ("Alle" = "(Allow) everyone" / "Niemand" = "(Allow) noone"). Below that are two buttons to add exceptions for users ("Benutzer") and servers.
For adding user exceptions, they pop up a bottom sheet with a few options ("Teilnehmende hinzufügen"). The first two are for obtaining the MXID by searching gematik-specific directories. The third option scans the MXID from a QR code. And the last one lets you input it manually.
For server exceptions, the only option is to enter the server name manually.
Once entered, the exceptions show in a list at the bottom of the main screen.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Johennes, that's extremely helpful. I'm concerned, however, that it only (appears to) offer controls for
blocked_usersandblocked_servers(i.e, it does not exposeallowed_users,ignored_users,allowed_serversorignored_servers), and nor does it expose globbing.It is the interplay between these settings that I think makes this proposal complicated to implement in a client, and my concern remains that we don't yet have a viable client implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the gematik implementations are based on the initial version of this MSC which used the following scheme:
I think the only apparent UX problem this has is that when you flip
default, your previous exceptions suddenly apply the other way around.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose a client can help manage that UX problem by clearing
user_exceptionsandserver_exceptionsat the same time as changingdefault? That doesn't feel too bad to me, tbh.(I'm sorry you've been sent so far around the houses on this, @Johennes. For now I'm going to focus on landing something in the spec, and then we can come back here and see if we can figure out a plausible way forward.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No worries at all. 👍