MSC4155: Invite filtering #4155
Conversation
Signed-off-by: Johannes Marbach <[email protected]>
Johennes
force-pushed
the
johannes/invite-filtering
branch
from
ddd43ec to
6adc165
Compare
clokep
added
proposal
There was a problem hiding this comment.
Implementation requirements:
- Client supporting the feature, and using it
There was a problem hiding this comment.
Since I believe all the gematik implementations will be closed source, I'll reference #3860 (comment) as an example for how cases like this were handled in the past. Thanks @clokep for digging it up.
There was a problem hiding this comment.
element-hq/synapse#18288 is a serverside implementation, albeit with #4155 (comment) "corrected"
There was a problem hiding this comment.
element-hq/element-web#29603 exposes the serverside settings in the client, but does no filtering of itself. @Johennes does this evoke any worries from you if the invite filtering is done server-side?
There was a problem hiding this comment.
No, I this is fine and consistent with the proposal which allows but doesn't enforce the filtering on either the client or the server. Now that I think of it, we might need a capability so that the client knows when the server does not filter in which case the client needs to filter itself.
There was a problem hiding this comment.
Since I believe all the gematik implementations will be closed source,
Since it sounds like the biggest concern is whether a reasonable UI can be implemented, maybe a screenshot would suffice?
The gematik implementations are based on the initial version of this proposal where we had a base setting of either "allow all" or "block all" and exceptions for users and servers applied on top of it. It also didn't include any globbing.
FWIW, this is how my own health insurance has implemented it:
Main screen with radio buttons for the base setting at the top ("Alle" = "(Allow) everyone" / "Niemand" = "(Allow) noone"). Below that are two buttons to add exceptions for users ("Benutzer") and servers.
For adding user exceptions, they pop up a bottom sheet with a few options ("Teilnehmende hinzufügen"). The first two are for obtaining the MXID by searching gematik-specific directories. The third option scans the MXID from a QR code. And the last one lets you input it manually.
For server exceptions, the only option is to enter the server name manually.
Once entered, the exceptions show in a list at the bottom of the main screen.
There was a problem hiding this comment.
Thanks @Johennes, that's extremely helpful. I'm concerned, however, that it only (appears to) offer controls for blocked_users and blocked_servers (i.e, it does not expose allowed_users, ignored_users, allowed_servers or ignored_servers), and nor does it expose globbing.
It is the interplay between these settings that I think makes this proposal complicated to implement in a client, and my concern remains that we don't yet have a viable client implementation.
There was a problem hiding this comment.
[...] it only (appears to) offer controls for
blocked_usersandblocked_servers(i.e, it does not exposeallowed_users,ignored_users,allowed_serversorignored_servers), and nor does it expose globbing.
Yes, the gematik implementations are based on the initial version of this MSC which used the following scheme:
{
"type": "m.invite_permission_config",
"content": {
"default": "allow | block",
"user_exceptions": {
"@someone:example.org": {},
...
},
"server_exceptions": {
"example.org": {},
...
}
}
}I think the only apparent UX problem this has is that when you flip default, your previous exceptions suddenly apply the other way around.
There was a problem hiding this comment.
I suppose a client can help manage that UX problem by clearing user_exceptions and server_exceptions at the same time as changing default? That doesn't feel too bad to me, tbh.
(I'm sorry you've been sent so far around the houses on this, @Johennes. For now I'm going to focus on landing something in the spec, and then we can come back here and see if we can figure out a plausible way forward.)
There was a problem hiding this comment.
No worries at all. 👍
turt2live
added
implementation-needs-checking
github-project-automation
bot
moved this to Needs idea feedback / initial review
in Spec Core Team Workflow
turt2live
moved this from Needs idea feedback / initial review
to Ready for FCP ticks
in Spec Core Team Workflow
turt2live
moved this from Ready for FCP ticks
to Proposed for FCP readiness
in Spec Core Team Workflow
turt2live
left a comment
turt2live
left a comment
There was a problem hiding this comment.
other than the confusion of block versus ignore, this looks good to me - thank you!
If we do switch to using split out fields, supporting globs would be ideal.
turt2live
left a comment
turt2live
left a comment
There was a problem hiding this comment.
thanks for updating this! I'll do some implementation review then hopefully send this for FCP (with the assumption that the listed suggestions aren't too controversial 😇 )
Signed-off-by: Johannes Marbach <[email protected]>
turt2live
added
the
00-weekly-pings
turt2live
removed
the
00-weekly-pings
Signed-off-by: Johannes Marbach <[email protected]>
turt2live
added
the
00-weekly-pings
uhoreg
left a comment
uhoreg
left a comment
There was a problem hiding this comment.
A couple of nits and a minor concern, but otherwise looks reasonable.
Co-authored-by: Hubert Chathi <[email protected]>
Co-authored-by: Hubert Chathi <[email protected]>
proposals/4155-invite-filtering.md
Outdated
| 1. Verify the invite against each `*_users` setting: | ||
| 1. If it matches `allowed_users`, stop processing and allow. | ||
| 2. If it matches `ignored_users`, stop processing and ignore. | ||
| 3. If it matches `blocked_users`, stop processing and block. | ||
| 2. Verify the invite against each `*_servers` setting: | ||
| 1. If it matches `allowed_servers`, stop processing and allow. | ||
| 2. If it matches `ignored_servers`, stop processing and ignore. | ||
| 3. If it matches `blocked_servers`, stop processing and block. | ||
| 3. Otherwise, allow. |
There was a problem hiding this comment.
I notice this thread hasn't been addressed. For my part, I'm not sold on the importance of the ordering here matching that in server ACLs, but we need to agree it one way or the other.
(Further, this has been in production on matrix.org for months, much to my irritation, so it's a bit late to start changing it now :/)
proposals/4155-invite-filtering.md
Outdated
| 1. Verify the invite against each `*_users` setting: | ||
| 1. If it matches `allowed_users`, stop processing and allow. | ||
| 2. If it matches `ignored_users`, stop processing and ignore. | ||
| 3. If it matches `blocked_users`, stop processing and block. | ||
| 2. Verify the invite against each `*_servers` setting: | ||
| 1. If it matches `allowed_servers`, stop processing and allow. | ||
| 2. If it matches `ignored_servers`, stop processing and ignore. | ||
| 3. If it matches `blocked_servers`, stop processing and block. | ||
| 3. Otherwise, allow. |
There was a problem hiding this comment.
Consider the following issue1.
1. `@alice:example.com` is added to `allowed_users`. 2. `example.com` becomes hostile. 3. `example.com` is added to `blocked_servers`. 4. `@alice:example.com` sends malicious invitations.When
example.comis added toblocked_servers, the entry for each user from that server inallowed_usersbecomes stale.
That looks like an expected consequence of the decision to let user-level rules override server-level rules (#4155 (comment)). It is also called out under "Potential issues". No changes are needed here IMHO.
| and domain). Any `*_servers` glob is to be matched against server names / domain parts of user IDs after | ||
| stripping any port suffix. This matches the way the globs from [server ACLs] are applied. |
There was a problem hiding this comment.
this does not match the current implementation in Synapse, which matches the entire domain.
| `enabled` is a boolean property and defaults to `true` if omitted. It provides clients with a convenience on/off | ||
| toggle that lets them deactivate the configuration without purging it. |
There was a problem hiding this comment.
AFAICT, enabled does not exist in the sample implementation in synapse
There was a problem hiding this comment.
I remain somewhat concerned that nobody has implemented a useful UI for all these settings. Element Web has a very coarse "Allow invites: Y/N" which toggles whether * appears in the blocked_users list, but that's a far cry from a full UI.
As an example of the sort of things I'm worried about: what happens if one client decides to implement "block invites" by setting blocked_servers: ["*"], while EW continues to do it via blocked_users? The two will be out of sync and give a very poor experience.
Honestly, if we're not expecting clients to implement a full UI, then I think we should scale back the specced proposal so that it only implements the bits that we do expect clients to implement.
|
Following up on @turt2live's outstanding concerns:
I think this is referring to #4155 (review), though I wouldn't characterise that thread as being primarily about forward compatibility: indeed I'm not sure we have any practical proposals to provide forward compatibility.
I think this is referring to #4155 (comment); the proposal has been updated, but the sample implementation is still lacking support. |
Co-authored-by: Richard van der Hoff <[email protected]>
Co-authored-by: Richard van der Hoff <[email protected]>
Co-authored-by: Richard van der Hoff <[email protected]>
Co-authored-by: Richard van der Hoff <[email protected]>
| ``` | ||
|
|
||
| `enabled` is a boolean property and defaults to `true` if omitted. It provides clients with a convenience on/off | ||
| toggle that lets them deactivate the configuration without purging it. |
There was a problem hiding this comment.
I think this maybe needs more clarification as to what exactly "deactivate the configuration" means.
After discussion, and reading the associated thread, it seems like the intention is that enabled: false should block all invites. (i.e. it is equivalent to blocked_users: *, but at higher priority than allowed_users)
There was a problem hiding this comment.
Also (h/t @clokep here), could we have a more descriptive name? block_all, maybe?
There was a problem hiding this comment.
Oh! I had interpreted it exactly the opposite way. This is why the proposal text says
If
enabledisfalse, stop processing and allow.`
Upon re-reading the thread, I think your interpretation is correct though. 🤦♂️
Putting this into perspective with your concern about the UI in clients, I wonder if we should drop enabled as well given that you can do the same thing with blocked_users: *? The only downside is that you have to empty your allowed_users setting at the same time. We may be able to avoid this if we switched to the processing order used in server ACLs (as suggested in #4155 (comment)). I think you could just temporarily prepend * to your blocked_users then without touching the rest of your configuration.
There was a problem hiding this comment.
@Half-Shot, @turt2live: as those arguing for enabled: false to be a high-level "block all invites": can you weigh in on this please?
There was a problem hiding this comment.
Coming back to this months later, I think the block_all was intended for clients who didn't support the full filtering spec to still have a block/unblock toggle in settings.
Element Web at the moment implements this by adding * to blocked_users (https://github.com/element-hq/element-web/blob/develop/src/settings/controllers/InviteRulesConfigController.ts#L77). I'm unconvinced that block_all is necessary.
Signed-off-by: Johannes Marbach <[email protected]>
| Splitting them is more explicit and prevents unintended globbing mistakes, however. The fact that | ||
| a user glob and a server glob can overlap does not seem problematic because this proposal includes | ||
| a deterministic processing order for all settings. |
There was a problem hiding this comment.
It's absolutely a problem, because presenting a meaningful UX for multiple overlapping settings is very difficult.
AFAICT, nobody has yet done so, which does little to persuade me it's possible.
|
This MSC appears to be stuck in a cycle of debate, so to allow those conversations to happen without the pressure of FCP looming overhead, I'm pulling this back to the in-review stages. @mscbot fcp cancel |
mscbot
added
proposal-in-review
and removed
proposed-final-comment-period
|
I don't feel like this MSC is ready for FCP. We are still trying to figure out what we really want from it, and we don't have viable client-side implementations of the proposal as it stands. I don't think that minor alterations are going to change this. @Johennes previously suggested removing the Meanwhile, we have the problem that this has been (prematurely) rolled out on My solution, therefore, is that I'm going to write yet another MSC to add to the long list on MSC4192, that just exposes the |
17 participants
Rendered
In line with matrix-org/matrix-spec#1700, the following disclosure applies:
I am a Systems Architect at gematik, Software Engineer at Unomed, Matrix community member and former Element employee. This proposal was written and published with my gematik hat on.
SCT stuff:
MSC checklist
FCP tickyboxes