Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Room version 8 and 9 support #279

Merged
merged 10 commits into from
Nov 2, 2021
Merged

Room version 8 and 9 support #279

merged 10 commits into from
Nov 2, 2021

Conversation

neilalexander
Copy link
Contributor

In theory, this PR adds support for room version 8 and 9.

@neilalexander neilalexander marked this pull request as ready for review November 2, 2021 12:05
@neilalexander neilalexander requested a review from kegsay November 2, 2021 12:05
kegsay
kegsay reviewed Nov 2, 2021
View reviewed changes
kegsay
kegsay reviewed Nov 2, 2021
View reviewed changes
eventauth.go
// 'join_authorised_via_users_server' key, containing the user ID of a user
// in the room that should have a suitable power level to issue invites.
// If no such key is specified then we should reject the join.
if _, _, err := SplitID('@', m.newMember.AuthorisedVia); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's stopping servers from lying about who authorised this? Can I not just be malicious and guess that "hey Alice is probably in $secret_room, let's slap an authorised key as alice and I can get in"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, the authorising server has to have signed the event as well. I assume the malicious person could enter a different user ID from the same signing server, but unless that user has the power levels to invite, I don't suppose it'd help them at all.

@neilalexander neilalexander merged commit 2c080c1 into master Nov 2, 2021
@neilalexander neilalexander deleted the neilalexander/restrictedjoin branch November 2, 2021 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kegsay kegsay kegsay approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@neilalexander @kegsay