-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Disallow randos to spam room directory by default #15722
Comments
Upon another look I would say the Configuration Manual is actually dishonest about It says "If no rules match the request is denied. An empty list means no one can xxx" but it's just not true. The reader might think "Oh I've not added any rules so the list is empty and I'm safe.. right?" but room_directory.py thinks otherwise: empty list and no list are different things, the latter opens the abuse vector. Unfortunately this is not intuitive. |
This at least makes it easier for admins to deal with situations like #15722.
Agreed on all counts. #16541 should help here. @xaur please take a look and let me know what you make of the proposed wording. |
I'm not sure what the team's conclusions were here, but the thoughts that come to my mind are:
For that reason I think we'd not be inclined to change the defaults. (That's not to say we can't do better. It might be very helpful to have different default configs for "trusted users" versus "public registration" etc.) |
Does not look like a good strategy to prevent room directory spam:
yeah now I can formulate what's wrong with the defaults in my opinion. Changing aliases or the room list looks like an admin or moderator power to me. I don't think normal users should have it by default.
Agreed it really depends on the deployment. For bigger public servers it may be a problem, in small/private groups it is not a problem.
Good point. Changing the default (in Python code) may require more work than I thought (making admins aware that if they upgrade behavior will change unless they also update their config, possibly provide a helper script to generate the config lines, etc.). If no admins complained about this so far it may be not worth the hassle.
Sounds like the best solution. Provide different config templates with Synapse and mention them in the setup docs e.g. "For a public instance with restricted user accounts use |
Someone has published a bunch of political spam to our room directory and we discovered that this is allowed by default. I suggest to disable it by default.
Looks like the "allow anyone to publish to room directory" behavior comes from here: https://github.com/matrix-org/synapse/blob/ca8906be2cb821a0fb49ad1adf8440e79e64a398/synapse/config/room_directory.py
Config documentation for
alias_creation_rules
androom_list_publication_rules
says:This is good, but the above rule is ignored if
alias_creation_rules
androom_list_publication_rules
are missing from Synapse config.Moderating the room directory admits it is an abuse vector:
So how about disable it by default before any abuse happens? Thanks.
The text was updated successfully, but these errors were encountered: