Ensure that the the default settings for the room directory are that the it is hidden from public view by default.tags/v1.7.0rc1
@@ -75,6 +75,23 @@ for example: | |||
wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb | |||
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb | |||
Upgrading to v1.7.0 | |||
=================== | |||
In an attempt to configure Synapse in a privacy preserving way, the default | |||
behaviours of ``allow_public_rooms_without_auth`` and | |||
``allow_public_rooms_over_federation`` have been inverted. This means that by | |||
default, only authenticated users querying the Client/Server API will be able | |||
to query the room directory, and relatedly that the server will not share | |||
room directory information with other servers over federation. | |||
If your installation does not explicitly set these settings one way or the other | |||
and you want either setting to be ``true`` then it will necessary to update | |||
your homeserver configuration file accordingly. | |||
For more details on the surrounding context see our `explainer | |||
<https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers>`_. | |||
Upgrading to v1.5.0 | |||
=================== | |||
@@ -0,0 +1 @@ | |||
Configure privacy preserving settings by default for the room directory. |
@@ -54,15 +54,16 @@ pid_file: DATADIR/homeserver.pid | |||
# | |||
#require_auth_for_profile_requests: true | |||
# If set to 'false', requires authentication to access the server's public rooms | |||
# directory through the client API. Defaults to 'true'. | |||
# If set to 'true', removes the need for authentication to access the server's | |||
# public rooms directory through the client API, meaning that anyone can | |||
# query the room directory. Defaults to 'false'. | |||
# | |||
#allow_public_rooms_without_auth: false | |||
#allow_public_rooms_without_auth: true | |||
# If set to 'false', forbids any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'true'. | |||
# If set to 'true', allows any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'false'. | |||
# | |||
#allow_public_rooms_over_federation: false | |||
#allow_public_rooms_over_federation: true | |||
# The default room version for newly created rooms. | |||
# | |||
@@ -118,15 +118,16 @@ class ServerConfig(Config): | |||
self.allow_public_rooms_without_auth = False | |||
self.allow_public_rooms_over_federation = False | |||
else: | |||
# If set to 'False', requires authentication to access the server's public | |||
# rooms directory through the client API. Defaults to 'True'. | |||
# If set to 'true', removes the need for authentication to access the server's | |||
# public rooms directory through the client API, meaning that anyone can | |||
# query the room directory. Defaults to 'false'. | |||
self.allow_public_rooms_without_auth = config.get( | |||
"allow_public_rooms_without_auth", True | |||
"allow_public_rooms_without_auth", False | |||
) | |||
# If set to 'False', forbids any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'True'. | |||
# If set to 'true', allows any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'false'. | |||
self.allow_public_rooms_over_federation = config.get( | |||
"allow_public_rooms_over_federation", True | |||
"allow_public_rooms_over_federation", False | |||
) | |||
default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION) | |||
@@ -620,15 +621,16 @@ class ServerConfig(Config): | |||
# | |||
#require_auth_for_profile_requests: true | |||
# If set to 'false', requires authentication to access the server's public rooms | |||
# directory through the client API. Defaults to 'true'. | |||
# If set to 'true', removes the need for authentication to access the server's | |||
# public rooms directory through the client API, meaning that anyone can | |||
# query the room directory. Defaults to 'false'. | |||
# | |||
#allow_public_rooms_without_auth: false | |||
#allow_public_rooms_without_auth: true | |||
# If set to 'false', forbids any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'true'. | |||
# If set to 'true', allows any other homeserver to fetch the server's public | |||
# rooms directory via federation. Defaults to 'false'. | |||
# | |||
#allow_public_rooms_over_federation: false | |||
#allow_public_rooms_over_federation: true | |||
# The default room version for newly created rooms. | |||
# | |||
@@ -0,0 +1,52 @@ | |||
# -*- coding: utf-8 -*- | |||
# Copyright 2019 The Matrix.org Foundation C.I.C. | |||
# | |||
# Licensed under the Apache License, Version 2.0 (the "License"); | |||
# you may not use this file except in compliance with the License. | |||
# You may obtain a copy of the License at | |||
# | |||
# http://www.apache.org/licenses/LICENSE-2.0 | |||
# | |||
# Unless required by applicable law or agreed to in writing, software | |||
# distributed under the License is distributed on an "AS IS" BASIS, | |||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
# See the License for the specific language governing permissions and | |||
# limitations under the License. | |||
from twisted.internet import defer | |||
from synapse.config.ratelimiting import FederationRateLimitConfig | |||
from synapse.federation.transport import server | |||
from synapse.util.ratelimitutils import FederationRateLimiter | |||
from tests import unittest | |||
from tests.unittest import override_config | |||
class RoomDirectoryFederationTests(unittest.HomeserverTestCase): | |||
def prepare(self, reactor, clock, homeserver): | |||
class Authenticator(object): | |||
def authenticate_request(self, request, content): | |||
return defer.succeed("otherserver.nottld") | |||
ratelimiter = FederationRateLimiter(clock, FederationRateLimitConfig()) | |||
server.register_servlets( | |||
homeserver, self.resource, Authenticator(), ratelimiter | |||
) | |||
@override_config({"allow_public_rooms_over_federation": False}) | |||
def test_blocked_public_room_list_over_federation(self): | |||
request, channel = self.make_request( | |||
"GET", "/_matrix/federation/v1/publicRooms" | |||
) | |||
self.render(request) | |||
self.assertEquals(403, channel.code) | |||
@override_config({"allow_public_rooms_over_federation": True}) | |||
def test_open_public_room_list_over_federation(self): | |||
request, channel = self.make_request( | |||
"GET", "/_matrix/federation/v1/publicRooms" | |||
) | |||
self.render(request) | |||
self.assertEquals(200, channel.code) |