MSC4155: Invite filtering #4155
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,208 @@ | ||
| # MSC4155: Invite filtering | ||
|
|
||
| Matrix supports ignoring users via the ["Ignoring Users" module] and the `m.ignored_user_list` account data | ||
| event. This is a nuclear option though and will suppress both invites and room events from the ignored | ||
| users. Additionally, the `m.ignored_user_list` event only allows for block-list configurations that ignore | ||
| specific users but doesn't have a mechanism to ignore entire servers. These shortcomings make the module | ||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| insufficient for use cases such as tightly locked down applications where ignoring needs to be the default | ||
| behaviour. | ||
|
|
||
| This proposal generalises the ignoring users [module] to allow filtering invites specifically. The scheme | ||
| outlined below was conceptually borrowed from the [gematik specification]. | ||
|
|
||
|
|
||
| ## Proposal | ||
|
|
||
| To allow users to configure which other users are allowed to invite them into rooms, a new account data | ||
| event `m.invite_permission_config` is introduced. | ||
|
|
||
| ```json5 | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| // User-level settings | ||
| "allowed_users": [ "@john:goodguys.org", ... ], | ||
| "ignored_users": [ ... ], | ||
| "blocked_users": [ ... ], | ||
| // Server-level settings | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "allowed_servers": [ ... ], | ||
| "ignored_servers": [ ... ], | ||
| "blocked_servers": [ "*" ] // A feature of all the fields at this level, globs | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| All properties in `content` are optional arrays. The array elements are [glob expressions]. Any `*_users` | ||
| glob is to be matched against full user IDs (localpart and domain). Any `*_servers` glob is to be matched | ||
| against server names / domain parts of user IDs after stripping any port suffix. This matches the way the | ||
| globs from [server ACLs] are applied. | ||
|
|
||
| When evaluating an invite, implementations MUST first apply the existing `m.ignored_user_list` as per | ||
| the current spec. If the invite didn't match, implementations MUST then apply `m.invite_permission_config`. | ||
| The complete processing logic is as follows: | ||
|
|
||
| 1. Verify the invite against `m.ignored_user_list`: | ||
| 1. If it matches `ignored_users`, stop processing and ignore. | ||
| 2. Verify the invite against `m.invite_permission_config`: | ||
| 1. If it matches `allowed_users`, stop processing and allow. | ||
| 2. If it matches `ignored_users`, stop processing and ignore. | ||
| 3. If it matches `blocked_users`, stop processing and block. | ||
| 4. If it matches `allowed_servers`, stop processing and allow. | ||
| 5. If it matches `ignored_servers`, stop processing and ignore. | ||
| 6. If it matches `blocked_servers`, stop processing and block. | ||
| 3. Otherwise, allow. | ||
|
|
||
| The semantics of "ignore" and "block" follow [MSC4283] which means ignoring hides the invite with no | ||
| feedback to the inviter whereas blocking rejects (or refuses, in the case of servers) the invite. | ||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| When blocking an inviter, the server must respond to the following endpoints with an error: | ||
|
|
||
| - `PUT /_matrix/federation/(v1|v2)/invite/{roomId}/{eventId}` | ||
| - `POST /_matrix/client/v3/rooms/{roomId}/invite` | ||
| - `POST /_matrix/client/v3/createRoom` (checking the `invite` list) | ||
| - `PUT /_matrix/client/v3/rooms/{roomId}/state/m.room.member/{stateKey}` (for invite membership) | ||
|
|
||
| The error SHOULD be `M_INVITE_BLOCKED` with a HTTP 403 status code. | ||
|
|
||
| When ignoring an invite, these endpoints MUST handle an invite normally as if accepted. However, the server | ||
| MUST not include the invite down client synchronization endpoints such as `GET /_matrix/client/v3/sync` or | ||
| MSC4186's sliding sync endpoint. In addition, these invites MUST be ignored when calculating push notifications. | ||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| For clarity, this means that the invited user will get a regular `invite` membership event in the target room | ||
| but will never be notified about that event. Similar, to `m.ignored_user_list`, clients SHOULD perform an | ||
| initial `/sync` after relaxing their ignore configuration in order to receive potentially pending invites. | ||
|
|
||
| Otherwise, all other endpoints (such as `GET /_matrix/client/v3/rooms/{roomId}/state`) should work as before. | ||
|
|
||
| Servers are not expected to process these rules for appservice users when calculating events to send down | ||
| `PUT /_matrix/app/v1/transactions`. Appservices are not expected to be run directly by client users, and | ||
| should be able to handle their own spam prevention. | ||
|
|
||
| The semantics and order of evaluation enable a number of use cases, for instance: | ||
|
|
||
| ```json5 | ||
| // Invites from everyone | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { } | ||
| } | ||
|
|
||
| // No invites at all | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // Invites from everyone except badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
Johennes marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| // Only invites from goodguys.org except for @notactuallyguy:goodguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "blocked_users": [ "@notactuallyguy:goodguys.org" ], | ||
| "allowed_servers": [ "goodguys.org" ] | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
|
|
||
| // No invites from badguys.org unless it's @goodguy:badguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_users": [ "@goodguy:badguys.org" ], | ||
| "blocked_servers": [ "badguys.org" ] | ||
| } | ||
| } | ||
|
|
||
| // Only invites from goodguys.org and don't provide feedback to reallybadguys.org | ||
| { | ||
| "type": "m.invite_permission_config", | ||
| "content": { | ||
| "allowed_servers": [ "goodguys.org" ], | ||
| "ignored_servers": [ "reallybadguys.org" ], | ||
| "blocked_servers": [ "*" ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Servers MUST enforce `m.invite_permission_config` against incoming new invites. Additionally, Servers | ||
| SHOULD apply the config against existing pending invites as well. | ||
|
|
||
|
|
||
| ## Potential issues | ||
|
There was a problem hiding this comment. Last point from the T&S meeting: from a UX perspective, where clients expose more complicated interfaces for managing these settings, they SHOULD also inform users of changes. For example, if the user already allowed |
||
|
|
||
| Enforcing the permission configuration exclusively on the server means users have no way to review | ||
| processed invites. This is desirable in most cases as a spam protection measure. It does mean, however, | ||
| that if the user has accidentally blocked a good actor and is informed about it through a different | ||
| communication channel, they'll have to update their permission configuration and request a re-invite. | ||
|
|
||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## Alternatives | ||
|
|
||
| Instead of introducing a separate account data event, the existing `m.ignored_user_list` could have | ||
| been expanded. This would, however, not only effect invites but also events in existing rooms which | ||
| makes it a much more nuclear option. Additionally, the existing schema of `m.ignored_user_list` | ||
| complicates morphing it into something that optionally supports allow-list semantics. | ||
|
|
||
| Regarding `m.invite_permission_config`, the split between user settings and server settings is | ||
| technically not needed because glob expressions are powerful enough to allow matching either. | ||
| Splitting them is more explicit and prevents unintended globbing mistakes, however. The fact that | ||
| a user glob and a server glob can overlap does not seem problematic because this proposal includes | ||
| a deterministic processing order for all settings. | ||
|
|
||
| A previous version of this proposal included a base setting of block / allow all with user and | ||
| server exceptions applied on top. In this scheme, flipping the base setting also inverts the semantics | ||
| of all exceptions, however, which makes changing the configuration quite complicated. | ||
|
Comment on lines
+169
to
+171
There was a problem hiding this comment. Further in the T&S discussion of this MSC, it was expressed that having a "simple" on/off toggle would be good to ensure the user can hit a single button without destroying/losing their other settings. This would be the most specific flag available, and cause all of the other properties to become ignored. For example: {
"enabled": false,
"allowed_users": ["@alice:example.org"],
"blocked_users": ["@*:example.org"]
}This does not allow Alice to send invites to the user, because Clients which change |
||
|
|
||
| A comprehensive comparison of existing invite filtering proposals may be found in [MSC4192]. The | ||
| present proposal is functionally inferior to some of the alternatives outline there. It does, for | ||
| instance, not cover the change history of the permission config or sharing the config among different | ||
| users. The proposal is, however, a straightforward and easy to implement extension of the existing | ||
| `m.ignored_user_list` mechanism. See also [this comment] for further details. This proposal is additionally | ||
| extensible for further types of blocking in the future. For example, a future MSC could create definitions | ||
| and behaviours to block/ignore/allow invites from contacts, of a particular type (DM, space, etc), | ||
| to a particular room, or even with given keywords. | ||
|
|
||
|
|
||
| ## Security considerations | ||
|
|
||
| None. | ||
|
|
||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Until this proposal is accepted into the spec, implementations should refer to `m.invite_permission_config` | ||
| and `m.invite_permission_config_enforced` as `org.matrix.msc4155.invite_permission_config` and | ||
| `org.matrix.msc4155.invite_permission_config_enforced`, respectively. Note that the [gematik specification], | ||
| which predates this MSC, uses an event type of `de.gematik.tim.account.permissionconfig.v1` and | ||
| a different event schema. | ||
|
|
||
| The error `M_INVITE_BLOCKED` should be `ORG.MATRIX.MSC4155.M_INVITE_BLOCKED` until this proposal is accepted into the spec. | ||
| ## Dependencies | ||
|
|
||
| This proposal loosely depends on [MSC4283] for the semantics of "ignore" and "block". | ||
|
|
||
|
|
||
| [gematik specification]: https://github.com/gematik/api-ti-messenger/blob/9b9f21b87949e778de85dbbc19e25f53495871e2/src/schema/permissionConfig.json | ||
| [glob expressions]: https://spec.matrix.org/v1.14/appendices/#glob-style-matching | ||
| [MSC4192]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192 | ||
| [MSC4283]: https://github.com/matrix-org/matrix-spec-proposals/pull/4283 | ||
| ["Ignoring Users" module]: https://spec.matrix.org/v1.10/client-server-api/#ignoring-users | ||
| [this comment]: https://github.com/matrix-org/matrix-spec-proposals/pull/4192#discussion_r2025188127 | ||
| [server ACLs]: https://spec.matrix.org/v1.15/client-server-api/#mroomserver_acl | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I believe all the gematik implementations will be closed source, I'll reference #3860 (comment) as an example for how cases like this were handled in the past. Thanks @clokep for digging it up.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/synapse#18288 is a serverside implementation, albeit with #4155 (comment) "corrected"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
element-hq/element-web#29603 exposes the serverside settings in the client, but does no filtering of itself. @Johennes does this evoke any worries from you if the invite filtering is done server-side?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I this is fine and consistent with the proposal which allows but doesn't enforce the filtering on either the client or the server. Now that I think of it, we might need a capability so that the client knows when the server does not filter in which case the client needs to filter itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With my SCT hat:
The following implementations demonstrate the desire for filtering, and experiment with different ordering, but all demonstrate that the code is more than possible:
The following implementations show that there's desire, but don't do much with the actual config:
Collectively, I feel this satisfies the implementation component, though we should monitor for user feedback if the rule processing order feels wrong. If so, we can correct it with a future MSC relatively easily (it'll suck for people on implementations which use the 'old' rules, but as those implementations update users will see the changes).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wish I shared your confidence. Won't it (also) suck for people who have set up rules with the "old" system, which suddenly don't work because the ordering has changed? And then they'll change the rules and get something that works with their client but not their server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cannot think of a good way to prevent that other than blocking this MSC to let implementations try out the currently proposed ordering in practice. That'll involve exactly the same migration pain for users if the proposal changes, just that people will (hopefully consciously) have opted into an explicitly unstable implementation at their own risk.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I don't disagree with you there. At some point we're going to have to just decide that we have enough confidence in the ordering that it's worth shipping. I just think it's worth having our eyes open to the fact that changing it later is going to be a bit of a buttpain, rather than "relatively easy" as Travis claimed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
T&S discussed this MSC at its last meeting, and ultimately decided that "specific beats general" ordering would be best. It's unclear if future rules would be more or less specific than the rules proposed here, but possibly we need to explore what those rules would be in order to decide.
Overall, T&S is happy that clients (and servers) are exposing the option to users, but would like to push the MSC through the process so it's not a tech debt disaster. How to both unblock the ordering (and forwards-compatibility) discussion and MSC as a whole is not overly clear - suggestions welcome.