privacy by default for room dir (#6355)
Ensure that the the default settings for the room directory are that the it is hidden from public view by default.pull/6468/head
parent
0120875462
commit
cb0aeb147e
17
UPGRADE.rst
17
UPGRADE.rst
|
@ -75,6 +75,23 @@ for example:
|
||||||
wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
||||||
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
||||||
|
|
||||||
|
Upgrading to v1.7.0
|
||||||
|
===================
|
||||||
|
|
||||||
|
In an attempt to configure Synapse in a privacy preserving way, the default
|
||||||
|
behaviours of ``allow_public_rooms_without_auth`` and
|
||||||
|
``allow_public_rooms_over_federation`` have been inverted. This means that by
|
||||||
|
default, only authenticated users querying the Client/Server API will be able
|
||||||
|
to query the room directory, and relatedly that the server will not share
|
||||||
|
room directory information with other servers over federation.
|
||||||
|
|
||||||
|
If your installation does not explicitly set these settings one way or the other
|
||||||
|
and you want either setting to be ``true`` then it will necessary to update
|
||||||
|
your homeserver configuration file accordingly.
|
||||||
|
|
||||||
|
For more details on the surrounding context see our `explainer
|
||||||
|
<https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers>`_.
|
||||||
|
|
||||||
|
|
||||||
Upgrading to v1.5.0
|
Upgrading to v1.5.0
|
||||||
===================
|
===================
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Configure privacy preserving settings by default for the room directory.
|
|
@ -54,15 +54,16 @@ pid_file: DATADIR/homeserver.pid
|
||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
# If set to 'false', requires authentication to access the server's public rooms
|
# If set to 'true', removes the need for authentication to access the server's
|
||||||
# directory through the client API. Defaults to 'true'.
|
# public rooms directory through the client API, meaning that anyone can
|
||||||
|
# query the room directory. Defaults to 'false'.
|
||||||
#
|
#
|
||||||
#allow_public_rooms_without_auth: false
|
#allow_public_rooms_without_auth: true
|
||||||
|
|
||||||
# If set to 'false', forbids any other homeserver to fetch the server's public
|
# If set to 'true', allows any other homeserver to fetch the server's public
|
||||||
# rooms directory via federation. Defaults to 'true'.
|
# rooms directory via federation. Defaults to 'false'.
|
||||||
#
|
#
|
||||||
#allow_public_rooms_over_federation: false
|
#allow_public_rooms_over_federation: true
|
||||||
|
|
||||||
# The default room version for newly created rooms.
|
# The default room version for newly created rooms.
|
||||||
#
|
#
|
||||||
|
|
|
@ -118,15 +118,16 @@ class ServerConfig(Config):
|
||||||
self.allow_public_rooms_without_auth = False
|
self.allow_public_rooms_without_auth = False
|
||||||
self.allow_public_rooms_over_federation = False
|
self.allow_public_rooms_over_federation = False
|
||||||
else:
|
else:
|
||||||
# If set to 'False', requires authentication to access the server's public
|
# If set to 'true', removes the need for authentication to access the server's
|
||||||
# rooms directory through the client API. Defaults to 'True'.
|
# public rooms directory through the client API, meaning that anyone can
|
||||||
|
# query the room directory. Defaults to 'false'.
|
||||||
self.allow_public_rooms_without_auth = config.get(
|
self.allow_public_rooms_without_auth = config.get(
|
||||||
"allow_public_rooms_without_auth", True
|
"allow_public_rooms_without_auth", False
|
||||||
)
|
)
|
||||||
# If set to 'False', forbids any other homeserver to fetch the server's public
|
# If set to 'true', allows any other homeserver to fetch the server's public
|
||||||
# rooms directory via federation. Defaults to 'True'.
|
# rooms directory via federation. Defaults to 'false'.
|
||||||
self.allow_public_rooms_over_federation = config.get(
|
self.allow_public_rooms_over_federation = config.get(
|
||||||
"allow_public_rooms_over_federation", True
|
"allow_public_rooms_over_federation", False
|
||||||
)
|
)
|
||||||
|
|
||||||
default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION)
|
default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION)
|
||||||
|
@ -620,15 +621,16 @@ class ServerConfig(Config):
|
||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
# If set to 'false', requires authentication to access the server's public rooms
|
# If set to 'true', removes the need for authentication to access the server's
|
||||||
# directory through the client API. Defaults to 'true'.
|
# public rooms directory through the client API, meaning that anyone can
|
||||||
|
# query the room directory. Defaults to 'false'.
|
||||||
#
|
#
|
||||||
#allow_public_rooms_without_auth: false
|
#allow_public_rooms_without_auth: true
|
||||||
|
|
||||||
# If set to 'false', forbids any other homeserver to fetch the server's public
|
# If set to 'true', allows any other homeserver to fetch the server's public
|
||||||
# rooms directory via federation. Defaults to 'true'.
|
# rooms directory via federation. Defaults to 'false'.
|
||||||
#
|
#
|
||||||
#allow_public_rooms_over_federation: false
|
#allow_public_rooms_over_federation: true
|
||||||
|
|
||||||
# The default room version for newly created rooms.
|
# The default room version for newly created rooms.
|
||||||
#
|
#
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
from twisted.internet import defer
|
||||||
|
|
||||||
|
from synapse.config.ratelimiting import FederationRateLimitConfig
|
||||||
|
from synapse.federation.transport import server
|
||||||
|
from synapse.util.ratelimitutils import FederationRateLimiter
|
||||||
|
|
||||||
|
from tests import unittest
|
||||||
|
from tests.unittest import override_config
|
||||||
|
|
||||||
|
|
||||||
|
class RoomDirectoryFederationTests(unittest.HomeserverTestCase):
|
||||||
|
def prepare(self, reactor, clock, homeserver):
|
||||||
|
class Authenticator(object):
|
||||||
|
def authenticate_request(self, request, content):
|
||||||
|
return defer.succeed("otherserver.nottld")
|
||||||
|
|
||||||
|
ratelimiter = FederationRateLimiter(clock, FederationRateLimitConfig())
|
||||||
|
server.register_servlets(
|
||||||
|
homeserver, self.resource, Authenticator(), ratelimiter
|
||||||
|
)
|
||||||
|
|
||||||
|
@override_config({"allow_public_rooms_over_federation": False})
|
||||||
|
def test_blocked_public_room_list_over_federation(self):
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"GET", "/_matrix/federation/v1/publicRooms"
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEquals(403, channel.code)
|
||||||
|
|
||||||
|
@override_config({"allow_public_rooms_over_federation": True})
|
||||||
|
def test_open_public_room_list_over_federation(self):
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"GET", "/_matrix/federation/v1/publicRooms"
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEquals(200, channel.code)
|
Loading…
Reference in New Issue