Disable room list publication by default (#18175)
This is in line with our general policy of ensuring that the default config is reasonably locked down. SyTest PR to fix tests: https://github.com/matrix-org/sytest/pull/1396
1
changelog.d/18175.misc
Normal file
1
changelog.d/18175.misc
Normal file
@@ -0,0 +1 @@
|
|||||||
|
Disable room list publication by default.
|
||||||
@@ -139,4 +139,9 @@ caches:
|
|||||||
sync_response_cache_duration: 0
|
sync_response_cache_duration: 0
|
||||||
|
|
||||||
|
|
||||||
|
# Complement assumes that it can publish to the room list by default.
|
||||||
|
room_list_publication_rules:
|
||||||
|
- action: allow
|
||||||
|
|
||||||
|
|
||||||
{% include "shared-orig.yaml.j2" %}
|
{% include "shared-orig.yaml.j2" %}
|
||||||
|
|||||||
@@ -117,6 +117,26 @@ each upgrade are complete before moving on to the next upgrade, to avoid
|
|||||||
stacking them up. You can monitor the currently running background updates with
|
stacking them up. You can monitor the currently running background updates with
|
||||||
[the Admin API](usage/administration/admin_api/background_updates.html#status).
|
[the Admin API](usage/administration/admin_api/background_updates.html#status).
|
||||||
|
|
||||||
|
# Upgrading to v1.126.0
|
||||||
|
|
||||||
|
## Room list publication rules change
|
||||||
|
|
||||||
|
The default [`room_list_publication_rules`] setting was changed to disallow
|
||||||
|
anyone (except server admins) from publishing to the room list by default.
|
||||||
|
|
||||||
|
This is in line with Synapse policy of locking down features by default that can
|
||||||
|
be abused without moderation.
|
||||||
|
|
||||||
|
To keep the previous behavior of allowing publication by default, add the
|
||||||
|
following to the config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
room_list_publication_rules:
|
||||||
|
- "action": "allow"
|
||||||
|
```
|
||||||
|
|
||||||
|
[`room_list_publication_rules`]: usage/configuration/config_documentation.md#room_list_publication_rules
|
||||||
|
|
||||||
# Upgrading to v1.122.0
|
# Upgrading to v1.122.0
|
||||||
|
|
||||||
## Dropping support for PostgreSQL 11 and 12
|
## Dropping support for PostgreSQL 11 and 12
|
||||||
|
|||||||
@@ -4245,8 +4245,8 @@ unwanted entries from being published in the public room list.
|
|||||||
|
|
||||||
The format of this option is the same as that for
|
The format of this option is the same as that for
|
||||||
[`alias_creation_rules`](#alias_creation_rules): an optional list of 0 or more
|
[`alias_creation_rules`](#alias_creation_rules): an optional list of 0 or more
|
||||||
rules. By default, no list is provided, meaning that all rooms may be
|
rules. By default, no list is provided, meaning that no one may publish to the
|
||||||
published to the room list.
|
room list (except server admins).
|
||||||
|
|
||||||
Otherwise, requests to publish a room are matched against each rule in order.
|
Otherwise, requests to publish a room are matched against each rule in order.
|
||||||
The first rule that matches decides if the request is allowed or denied. If no
|
The first rule that matches decides if the request is allowed or denied. If no
|
||||||
@@ -4272,6 +4272,10 @@ Note that the patterns match against fully qualified IDs, e.g. against
|
|||||||
of `alice`, `room` and `abcedgghijk`.
|
of `alice`, `room` and `abcedgghijk`.
|
||||||
|
|
||||||
|
|
||||||
|
_Changed in Synapse 1.126.0: The default was changed to deny publishing to the
|
||||||
|
room list by default_
|
||||||
|
|
||||||
|
|
||||||
Example configuration:
|
Example configuration:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
|||||||
@@ -54,9 +54,7 @@ class RoomDirectoryConfig(Config):
|
|||||||
for rule in room_list_publication_rules
|
for rule in room_list_publication_rules
|
||||||
]
|
]
|
||||||
else:
|
else:
|
||||||
self._room_list_publication_rules = [
|
self._room_list_publication_rules = []
|
||||||
_RoomDirectoryRule("room_list_publication_rules", {"action": "allow"})
|
|
||||||
]
|
|
||||||
|
|
||||||
def is_alias_creation_allowed(self, user_id: str, room_id: str, alias: str) -> bool:
|
def is_alias_creation_allowed(self, user_id: str, room_id: str, alias: str) -> bool:
|
||||||
"""Checks if the given user is allowed to create the given alias
|
"""Checks if the given user is allowed to create the given alias
|
||||||
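Review bot: The new `else` branch leaves `self._room_list_publication_rules` as an empty list with no comment saying this is a deliberate default-deny, so a later reader could mistake it for an unfinished default. I would add a comment above the assignment, e.g. `# No rules configured: nothing matches, so publication is denied (server admins excepted, per the docs).` The condition guarding this branch is outside the hunk; if it tests truthiness rather than `is not None`, an explicit `room_list_publication_rules: []` and an absent key both land here, which is presumably intended but worth stating. The deny-when-nothing-matches behaviour lives in the rule-checking method, which this hunk does not show, so the comment wording should be confirmed against it.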
|
|||||||
@@ -587,6 +587,7 @@ class TestRoomListSearchDisabled(unittest.HomeserverTestCase):
|
|||||||
self.room_list_handler = hs.get_room_list_handler()
|
self.room_list_handler = hs.get_room_list_handler()
|
||||||
self.directory_handler = hs.get_directory_handler()
|
self.directory_handler = hs.get_directory_handler()
|
||||||
|
|
||||||
|
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
|
||||||
def test_disabling_room_list(self) -> None:
|
def test_disabling_room_list(self) -> None:
|
||||||
self.room_list_handler.enable_room_list_search = True
|
self.room_list_handler.enable_room_list_search = True
|
||||||
self.directory_handler.enable_room_list_search = True
|
self.directory_handler.enable_room_list_search = True
|
||||||
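Review bot: Every test touched by this commit opts back into `{"action": "allow"}`, and none of the visible hunks asserts the new default: that with no `room_list_publication_rules` configured, a non-admin publish request is rejected while a server admin's still succeeds. Since the purpose of the change is a locked-down default, a test next to `test_disabling_room_list` that runs without the override and checks both the denial and the admin exemption described in the docs would keep that default from regressing silently. Such a test may already exist outside the shown hunks, and `test_disabling_room_list` itself continues beyond this hunk.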
|
|||||||
@@ -6,6 +6,7 @@ from synapse.rest.client import directory, login, room
|
|||||||
from synapse.types import JsonDict
|
from synapse.types import JsonDict
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
from tests.utils import default_config
|
||||||
|
|
||||||
|
|
||||||
class RoomListHandlerTestCase(unittest.HomeserverTestCase):
|
class RoomListHandlerTestCase(unittest.HomeserverTestCase):
|
||||||
@@ -30,6 +31,11 @@ class RoomListHandlerTestCase(unittest.HomeserverTestCase):
|
|||||||
assert channel.code == HTTPStatus.OK, f"couldn't publish room: {channel.result}"
|
assert channel.code == HTTPStatus.OK, f"couldn't publish room: {channel.result}"
|
||||||
return room_id
|
return room_id
|
||||||
|
|
||||||
|
def default_config(self) -> JsonDict:
|
||||||
|
config = default_config("test")
|
||||||
|
config["room_list_publication_rules"] = [{"action": "allow"}]
|
||||||
|
return config
|
||||||
|
|
||||||
def test_acls_applied_to_room_directory_results(self) -> None:
|
def test_acls_applied_to_room_directory_results(self) -> None:
|
||||||
"""
|
"""
|
||||||
Creates 3 rooms. Room 2 has an ACL that only permits the homeservers
|
Creates 3 rooms. Room 2 has an ACL that only permits the homeservers
|
||||||
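Review bot: The added `default_config` method builds its config from the module-level `default_config("test")` rather than `super().default_config()`, so anything the base `HomeserverTestCase.default_config` layers on top (for example values supplied through `@override_config`) would be skipped for this class; the base implementation is not visible on this page, so treat that as something to confirm. Writing `config = super().default_config()` would also make the new `from tests.utils import default_config` import unnecessary and avoid a method and a module-level function sharing one name. The same pattern is added to `PublicRoomsRoomTypeFilterTestCase` in the later hunk at `@@ -2565,6 +2566,11 @@`.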
|
|||||||
@@ -1282,6 +1282,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
|
|||||||
self.admin_user = self.register_user("admin", "pass", admin=True)
|
self.admin_user = self.register_user("admin", "pass", admin=True)
|
||||||
self.admin_user_tok = self.login("admin", "pass")
|
self.admin_user_tok = self.login("admin", "pass")
|
||||||
|
|
||||||
|
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
|
||||||
def test_list_rooms(self) -> None:
|
def test_list_rooms(self) -> None:
|
||||||
"""Test that we can list rooms"""
|
"""Test that we can list rooms"""
|
||||||
# Create 3 test rooms
|
# Create 3 test rooms
|
||||||
@@ -1795,6 +1796,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
|
|||||||
self.assertEqual(room_id, channel.json_body["rooms"][0].get("room_id"))
|
self.assertEqual(room_id, channel.json_body["rooms"][0].get("room_id"))
|
||||||
self.assertEqual("ж", channel.json_body["rooms"][0].get("name"))
|
self.assertEqual("ж", channel.json_body["rooms"][0].get("name"))
|
||||||
|
|
||||||
|
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
|
||||||
def test_filter_public_rooms(self) -> None:
|
def test_filter_public_rooms(self) -> None:
|
||||||
self.helper.create_room_as(
|
self.helper.create_room_as(
|
||||||
self.admin_user, tok=self.admin_user_tok, is_public=True
|
self.admin_user, tok=self.admin_user_tok, is_public=True
|
||||||
@@ -1872,6 +1874,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
|
|||||||
self.assertEqual(1, response.json_body["total_rooms"])
|
self.assertEqual(1, response.json_body["total_rooms"])
|
||||||
self.assertEqual(1, len(response.json_body["rooms"]))
|
self.assertEqual(1, len(response.json_body["rooms"]))
|
||||||
|
|
||||||
|
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
|
||||||
def test_single_room(self) -> None:
|
def test_single_room(self) -> None:
|
||||||
"""Test that a single room can be requested correctly"""
|
"""Test that a single room can be requested correctly"""
|
||||||
# Create two test rooms
|
# Create two test rooms
|
||||||
|
|||||||
@@ -67,6 +67,7 @@ from tests.http.server._base import make_request_with_cancellation_test
|
|||||||
from tests.storage.test_stream import PaginationTestCase
|
from tests.storage.test_stream import PaginationTestCase
|
||||||
from tests.test_utils.event_injection import create_event
|
from tests.test_utils.event_injection import create_event
|
||||||
from tests.unittest import override_config
|
from tests.unittest import override_config
|
||||||
|
from tests.utils import default_config
|
||||||
|
|
||||||
PATH_PREFIX = b"/_matrix/client/api/v1"
|
PATH_PREFIX = b"/_matrix/client/api/v1"
|
||||||
|
|
||||||
@@ -2565,6 +2566,11 @@ class PublicRoomsRoomTypeFilterTestCase(unittest.HomeserverTestCase):
|
|||||||
tok=self.token,
|
tok=self.token,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def default_config(self) -> JsonDict:
|
||||||
|
config = default_config("test")
|
||||||
|
config["room_list_publication_rules"] = [{"action": "allow"}]
|
||||||
|
return config
|
||||||
|
|
||||||
def make_public_rooms_request(
|
def make_public_rooms_request(
|
||||||
self,
|
self,
|
||||||
room_types: Optional[List[Union[str, None]]],
|
room_types: Optional[List[Union[str, None]]],
|
||||||
|
|||||||