Disable room list publication by default (#18175)

This is in line with our general policy of ensuring that the default
config is reasonably locked down.

SyTest PR to fix tests: https://github.com/matrix-org/sytest/pull/1396
Erik Johnston 2025-02-24 13:06:16 +01:00 committed by GitHub
parent 8fd7148e6a
commit b2a187f49b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 49 additions and 5 deletions

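--- a/changelog.d/18175.misc
+++ b/changelog.d/18175.misc
@@ -0,0 +1 @@
+Disable room list publication by default.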


@ -139,4 +139,9 @@ caches:
sync_response_cache_duration: 0
# Complement assumes that it can publish to the room list by default.
room_list_publication_rules:
- action: allow
{% include "shared-orig.yaml.j2" %}


@ -117,6 +117,26 @@ each upgrade are complete before moving on to the next upgrade, to avoid
stacking them up. You can monitor the currently running background updates with
[the Admin API](usage/administration/admin_api/background_updates.html#status).
# Upgrading to v1.126.0
## Room list publication rules change
The default [`room_list_publication_rules`] setting was changed to disallow
anyone (except server admins) from publishing to the room list by default.
This is in line with Synapse policy of locking down features by default that can
be abused without moderation.
To keep the previous behavior of allowing publication by default, add the
following to the config:
```yaml
room_list_publication_rules:
- "action": "allow"
```
[`room_list_publication_rules`]: usage/configuration/config_documentation.md#room_list_publication_rules
# Upgrading to v1.122.0
## Dropping support for PostgreSQL 11 and 12


@ -4245,8 +4245,8 @@ unwanted entries from being published in the public room list.
The format of this option is the same as that for
[`alias_creation_rules`](#alias_creation_rules): an optional list of 0 or more
rules. By default, no list is provided, meaning that all rooms may be
published to the room list.
rules. By default, no list is provided, meaning that no one may publish to the
room list (except server admins).
Otherwise, requests to publish a room are matched against each rule in order.
The first rule that matches decides if the request is allowed or denied. If no
@ -4272,6 +4272,10 @@ Note that the patterns match against fully qualified IDs, e.g. against
of `alice`, `room` and `abcedgghijk`.
_Changed in Synapse 1.126.0: The default was changed to deny publishing to the
room list by default_
Example configuration:
```yaml


@ -54,9 +54,7 @@ class RoomDirectoryConfig(Config):
for rule in room_list_publication_rules
]
else:
self._room_list_publication_rules = [
_RoomDirectoryRule("room_list_publication_rules", {"action": "allow"})
]
self._room_list_publication_rules = []
def is_alias_creation_allowed(self, user_id: str, room_id: str, alias: str) -> bool:
"""Checks if the given user is allowed to create the given alias
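Review bot: The new `else` branch sets `self._room_list_publication_rules = []` without saying that an empty list means deny-all, so the locked-down default presumably rests on the rule matcher's no-rule-matches fallthrough, which is outside this hunk. I would add a comment above the assignment, `# No rules configured: nothing can match, so publication is denied by default.` The test changes visible in this commit all restore `{"action": "allow"}` and none shown pins the new default, so a test asserting that a non-admin publish request is refused under the default config would guard against a silent regression to allow-all. The enclosing config-reading method starts before the hunk.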


@ -587,6 +587,7 @@ class TestRoomListSearchDisabled(unittest.HomeserverTestCase):
self.room_list_handler = hs.get_room_list_handler()
self.directory_handler = hs.get_directory_handler()
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
def test_disabling_room_list(self) -> None:
self.room_list_handler.enable_room_list_search = True
self.directory_handler.enable_room_list_search = True


@ -6,6 +6,7 @@ from synapse.rest.client import directory, login, room
from synapse.types import JsonDict
from tests import unittest
from tests.utils import default_config
class RoomListHandlerTestCase(unittest.HomeserverTestCase):
@ -30,6 +31,11 @@ class RoomListHandlerTestCase(unittest.HomeserverTestCase):
assert channel.code == HTTPStatus.OK, f"couldn't publish room: {channel.result}"
return room_id
def default_config(self) -> JsonDict:
config = default_config("test")
config["room_list_publication_rules"] = [{"action": "allow"}]
return config
def test_acls_applied_to_room_directory_results(self) -> None:
"""
Creates 3 rooms. Room 2 has an ACL that only permits the homeservers
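Review bot: The `default_config` override added to `RoomListHandlerTestCase` builds its config from the imported `default_config("test")` in `tests.utils` rather than from `super().default_config()`, so anything the base `HomeserverTestCase.default_config` layers on top (for instance per-test `override_config` values, if that is where they are merged) would be skipped for this class. `config = super().default_config()` keeps the base behaviour, avoids a method that shares its name with the module-level function it calls, and makes the new `tests.utils` import unnecessary. The same pattern is added to `PublicRoomsRoomTypeFilterTestCase` in the last file section.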


@ -1282,6 +1282,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
self.admin_user = self.register_user("admin", "pass", admin=True)
self.admin_user_tok = self.login("admin", "pass")
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
def test_list_rooms(self) -> None:
"""Test that we can list rooms"""
# Create 3 test rooms
@ -1795,6 +1796,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
self.assertEqual(room_id, channel.json_body["rooms"][0].get("room_id"))
self.assertEqual("ж", channel.json_body["rooms"][0].get("name"))
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
def test_filter_public_rooms(self) -> None:
self.helper.create_room_as(
self.admin_user, tok=self.admin_user_tok, is_public=True
@ -1872,6 +1874,7 @@ class RoomTestCase(unittest.HomeserverTestCase):
self.assertEqual(1, response.json_body["total_rooms"])
self.assertEqual(1, len(response.json_body["rooms"]))
@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})
def test_single_room(self) -> None:
"""Test that a single room can be requested correctly"""
# Create two test rooms
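Review bot: The upgrade notes and config documentation in this commit say server admins are exempt from the new default, yet `test_filter_public_rooms` creates its room as `self.admin_user` with `is_public=True` and still gains `@unittest.override_config({"room_list_publication_rules": [{"action": "allow"}]})`. If the override is needed for that call, the admin exemption may not cover publishing at room creation, which would make the documented behaviour wider than the enforced one; the rest of the test body is outside the hunk, so a non-admin room further down could equally be the reason. It is worth confirming which, and adding a test that runs under the default config and asserts what an admin can and cannot publish.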


@ -67,6 +67,7 @@ from tests.http.server._base import make_request_with_cancellation_test
from tests.storage.test_stream import PaginationTestCase
from tests.test_utils.event_injection import create_event
from tests.unittest import override_config
from tests.utils import default_config
PATH_PREFIX = b"/_matrix/client/api/v1"
@ -2565,6 +2566,11 @@ class PublicRoomsRoomTypeFilterTestCase(unittest.HomeserverTestCase):
tok=self.token,
)
def default_config(self) -> JsonDict:
config = default_config("test")
config["room_list_publication_rules"] = [{"action": "allow"}]
return config
def make_public_rooms_request(
self,
room_types: Optional[List[Union[str, None]]],