Clarify how exclusive/inclusive appservice user namespaces work in terms of exposing details of a room

matrix-org / matrix-spec

The Matrix protocol specification

Apache License 2.0

197 stars 97 forks source link

Clarify how exclusive/inclusive appservice user namespaces work in terms of exposing details of a room #351

Open turt2live opened 6 years ago

turt2live commented 6 years ago

For example, the appservice can only query /joined_members if the appservice is querying with a user_id that is a resident of the room and part of an exclusive namespace

Half-Shot commented 6 years ago

Really? I assumed exclusive was just for squatting IDs rather than used for any request authing. Odd.

turt2live commented 6 years ago

Hmm... good point. Maybe permitting inclusive namespaces also makes sense? The application service won't be able to register the user, but it is obviously being permitted to act as that user so it should be able to see the graph for those rooms...

Half-Shot commented 6 years ago

That was my understanding, yeah.

turt2live commented 6 years ago

ftr, the original concern that prompted this issue was that someone put an appservice-managed alias on a room and was surprised by synapse rejecting their request to get joined members. If the room is held under the appservice's rooms namespace, that's a bit different, but the alias alone isn't enough to get into the room.