Mirrors
/
synapse
mirror of https://github.com/element-hq/synapse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Rework alias and public room list rules docs (#16541)

This commit is contained in:
David Robertson 2023-10-24 13:26:41 +01:00 committed by GitHub
parent ffbe9b7666
commit 6ec98810e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 134 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/16541.doc Normal file
View File

@ -0,0 +1 @@
Correctly describe the meaning of unspecified rule lists in the [`alias_creation_rules`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#alias_creation_rules) and [`room_list_publication_rules`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#room_list_publication_rules) config options and improve their descriptions more generally.

168
docs/usage/configuration/config_documentation.md
View File

@ -3797,62 +3797,160 @@ enable_room_list_search: false
--- ---
### `alias_creation_rules` ### `alias_creation_rules`
The `alias_creation_rules` option controls who is allowed to create aliases The `alias_creation_rules` option allows server admins to prevent unwanted
on this server. alias creation on this server.
The format of this option is a list of rules that contain globs that This setting is an optional list of 0 or more rules. By default, no list is
match against user_id, room_id and the new alias (fully qualified with provided, meaning that all alias creations are permitted.
server name). The action in the first rule that matches is taken,
which can currently either be "allow" or "deny".
Missing user_id/room_id/alias fields default to "*". Otherwise, requests to create aliases are matched against each rule in order.
The first rule that matches decides if the request is allowed or denied. If no
rule matches, the request is denied. In particular, this means that configuring
an empty list of rules will deny every alias creation request.
If no rules match the request is denied. An empty list means no one Each rule is a YAML object containing four fields, each of which is an optional string:
can create aliases.
Options for the rules include: * `user_id`: a glob pattern that matches against the creator of the alias.
* `user_id`: Matches against the creator of the alias. Defaults to "*". * `alias`: a glob pattern that matches against the alias being created.
* `alias`: Matches against the alias being created. Defaults to "*". * `room_id`: a glob pattern that matches against the room ID the alias is being pointed at.
* `room_id`: Matches against the room ID the alias is being pointed at. Defaults to "*" * `action`: either `allow` or `deny`. What to do with the request if the rule matches. Defaults to `allow`.
* `action`: Whether to "allow" or "deny" the request if the rule matches. Defaults to allow.
Each of the glob patterns is optional, defaulting to `*` ("match anything").
Note that the patterns match against fully qualified IDs, e.g. against
`@alice:example.com`, `#room:example.com` and `!abcdefghijk:example.com` instead
of `alice`, `room` and `abcedgghijk`.
Example configuration: Example configuration:
```yaml ```yaml
# No rule list specified. All alias creations are allowed.
# This is the default behaviour.
alias_creation_rules: alias_creation_rules:
- user_id: "bad_user"
alias: "spammy_alias"
room_id: "*"
action: deny
``` ```
```yaml
# A list of one rule which allows everything.
# This has the same effect as the previous example.
alias_creation_rules:
- "action": "allow"
```
```yaml
# An empty list of rules. All alias creations are denied.
alias_creation_rules: []
```
```yaml
# A list of one rule which denies everything.
# This has the same effect as the previous example.
alias_creation_rules:
- "action": "deny"
```
```yaml
# Prevent a specific user from creating aliases.
# Allow other users to create any alias
alias_creation_rules:
- user_id: "@bad_user:example.com"
action: deny
- action: allow
```
```yaml
# Prevent aliases being created which point to a specific room.
alias_creation_rules:
- room_id: "!forbiddenRoom:example.com"
action: deny
- action: allow
```
--- ---
### `room_list_publication_rules` ### `room_list_publication_rules`
The `room_list_publication_rules` option controls who can publish and The `room_list_publication_rules` option allows server admins to prevent
which rooms can be published in the public room list. unwanted entries from being published in the public room list.
The format of this option is the same as that for The format of this option is the same as that for
`alias_creation_rules`. [`alias_creation_rules`](#alias_creation_rules): an optional list of 0 or more
rules. By default, no list is provided, meaning that all rooms may be
published to the room list.
If the room has one or more aliases associated with it, only one of Otherwise, requests to publish a room are matched against each rule in order.
the aliases needs to match the alias rule. If there are no aliases The first rule that matches decides if the request is allowed or denied. If no
then only rules with `alias: *` match. rule matches, the request is denied. In particular, this means that configuring
an empty list of rules will deny every alias creation request.
If no rules match the request is denied. An empty list means no one Each rule is a YAML object containing four fields, each of which is an optional string:
can publish rooms.
* `user_id`: a glob pattern that matches against the user publishing the room.
* `alias`: a glob pattern that matches against one of published room's aliases.
- If the room has no aliases, the alias match fails unless `alias` is unspecified or `*`.
- If the room has exactly one alias, the alias match succeeds if the `alias` pattern matches that alias.
- If the room has two or more aliases, the alias match succeeds if the pattern matches at least one of the aliases.
* `room_id`: a glob pattern that matches against the room ID of the room being published.
* `action`: either `allow` or `deny`. What to do with the request if the rule matches. Defaults to `allow`.
Each of the glob patterns is optional, defaulting to `*` ("match anything").
Note that the patterns match against fully qualified IDs, e.g. against
`@alice:example.com`, `#room:example.com` and `!abcdefghijk:example.com` instead
of `alice`, `room` and `abcedgghijk`.
Options for the rules include:
* `user_id`: Matches against the creator of the alias. Defaults to "*".
* `alias`: Matches against any current local or canonical aliases associated with the room. Defaults to "*".
* `room_id`: Matches against the room ID being published. Defaults to "*".
* `action`: Whether to "allow" or "deny" the request if the rule matches. Defaults to allow.
Example configuration: Example configuration:
```yaml ```yaml
# No rule list specified. Anyone may publish any room to the public list.
# This is the default behaviour.
room_list_publication_rules: room_list_publication_rules:
- user_id: "*" ```
alias: "*"
room_id: "*" ```yaml
action: allow # A list of one rule which allows everything.
# This has the same effect as the previous example.
room_list_publication_rules:
- "action": "allow"
```
```yaml
# An empty list of rules. No-one may publish to the room list.
room_list_publication_rules: []
```
```yaml
# A list of one rule which denies everything.
# This has the same effect as the previous example.
room_list_publication_rules:
- "action": "deny"
```
```yaml
# Prevent a specific user from publishing rooms.
# Allow other users to publish anything.
room_list_publication_rules:
- user_id: "@bad_user:example.com"
action: deny
- action: allow
```
```yaml
# Prevent publication of a specific room.
room_list_publication_rules:
- room_id: "!forbiddenRoom:example.com"
action: deny
- action: allow
```
```yaml
# Prevent publication of rooms with at least one alias containing the word "potato".
room_list_publication_rules:
- alias: "#*potato*:example.com"
action: deny
- action: allow
``` ```
--- ---