Skip to main content

Custom room access rules for Tchap

Project description

Room Access rules

This module implements handling around the im.vector.room.access_rules state event. A specification for this event is described below.

im.vector.room.access_rules

Restricts the access to a room based on the selected preset. Body:

{
    "rule": "<rule>"
}

<rule> is either restricted, unrestricted or direct.

The implementation of the different presets lives in the synapse.third_party_rules.access_rules module.

restricted preset

Default preset for non-direct rooms (i.e. rooms not created with "is_direct": true).

Forbids any invite and membership update for users that belong to a server that is in the blacklist provided by the module's configuration (domains_forbidden_when_restricted). If the invite is a 3PID invite, queries a custom /_matrix/identity/api/v1/info endpoint of the configured identity server to check if the invited email address belongs to a blacklisted server, in which case the invite is denied.

unrestricted preset

Doesn't apply any restriction on who can join the room.

Forbids any m.room.power_levels event that either:

  • change the users_default power level to a non-0 value, or
  • change the power level for a user from a blacklisted server (see details about the restricted preset) to a non-default value

direct preset

Default preset for direct rooms (i.e. rooms created with "is_direct": true).

Only allow two members in the room by running the following algorithm for each new event of type m.room.member or m.room.third_party_invite sent into the room:

  1. retrieve the list of memberships and 3PID invite tokens from the room's state, which in practice means retrieving the state key of every m.room.member or m.room.third_party_invite event present in the room's state (ignoring 3PID invite events with an empty content)

  2. if the event is of type m.room.third_party_invite, and there are already events of the same type in the room's state, reject the new event if its state key doesn't match the state key of one of the existing events.

  3. else, if there are already two members in the room:

    2.1. if the event is a 3PID invite, reject it

    2.2. if the event is a membership update, reject it if the target isn't one of the room's current members

  4. else, if there is one membership event and one 3PID invite in the room's state:

    3.1. if the event is a membership event, reject it if it's not an invite exchanged from the 3PID invite that's in the room's state

    3.2. otherwise, reject the event

  5. else, accept the event

Also forbids sending an event of the type m.room.name, m.room.avatar_url or m.room.topic into the room.

Interaction with m.room.join_rules

When the preset of the room is something other than restricted, changing the room's join rule to public is forbidden. This is to ensure users on blacklisted servers (see details about the restricted preset) can't join a room unless they have been invited.

Installation

TODO

Config

Add the following to your Synapse config:

modules:
  - module: room_access_rules.RoomAccessRules
    config:
        # List of domains (server names) that can't be invited to rooms if the
        # "restricted" rule is set. Defaults to an empty list.
        domains_forbidden_when_restricted: []
    
        # Identity server to use when checking the homeserver an email address belongs to
        # using the /info endpoint. Required.
        id_server: "vector.im"

Development and Testing

This repository uses tox to run tests.

Tests

This repository uses unittest to run the tests located in the tests directory. They can be ran with tox -e tests.

Making a release

git tag -s vX.Y
python3 setup.py sdist
twine upload dist/synapse-room-access-rules-X.Y.tar.gz
git push origin vX.Y

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

synapse-room-access-rules-1.0.0.tar.gz (19.2 kB view details)

Uploaded Source

File details

Details for the file synapse-room-access-rules-1.0.0.tar.gz.

File metadata

  • Download URL: synapse-room-access-rules-1.0.0.tar.gz
  • Upload date:
  • Size: 19.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.6.0 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7

File hashes

Hashes for synapse-room-access-rules-1.0.0.tar.gz
Algorithm Hash digest
SHA256 4a45eccb233e7479e1c18a8f4037b926c54b390aa82e16e7ed7a6601830c2dfa
MD5 be0c0995ebbffb5a8bc80efa51c8c767
BLAKE2b-256 843d7367e24b0a0f49c445d62463866d90f75d29ca0bd2068f3549aeb89fc2fd

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page