
spec: dendrite doesn't correctly implement m.room.power_levels defaults

Open bones-was-here opened this issue 2 years ago • 3 comments

Background information

  • Dendrite version or git SHA: 0.11.1
  • SQLite3 or Postgres?: postgres
  • Running in Docker?: no
  • go version: 1.19.5
  • Client used (if applicable): element web

Description

  • What is the problem: defaults in https://spec.matrix.org/v1.6/client-server-api/#mroompower_levels are not respected when keys have been omitted
  • Who is affected: room moderators and bots
  • How is this bug manifesting: dendrite responds with 403 to power levels changes that should be allowed
  • When did this first appear: unknown

Steps to reproduce

  • In a standard public room, give moderators access to "Change permissions" aka "events": { "m.room.power_levels": 50 }

  • Set "Change settings" above 50, eg "state_default": 90

  • By editing the room's m.room.power_levels event, remove the keys "users_default": 0 and "events_default": 0 (a bot with a JSON library issue did this in our rooms)

  • With an account that only has power 50 in the room, try to set (eg) "users_default": 0 or "events_default": 1. I get: Failed to send event! (M_FORBIDDEN: MatrixError: [403] eventauth: sender with level 50 is not allowed to change level from 0 to 90 because the new level is above the level of the sender (https://xonotic.org/_matrix/client/r0/rooms/!DOFMXCyGQRNdmRIH%3Axonotic.org/state/m.room.power_levels/))
    and the 90 probably comes from our "state_default": 90
    whereas according to https://spec.matrix.org/v1.6/client-server-api/#mroompower_levels the default for these is 0 and not the value of state_default.

A similar error occurs if removing a user with a power level of eg 7 from the list, which should return them to the default of 0 but instead is denied because the account making the change has power 50, not 90.

If I use a higher powered account to re-add these keys, it fixes the issues.

bones-was-here avatar Feb 21 '23 17:02 bones-was-here
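
The default resolution this report relies on, as an added Go example that is not part of the original issue and is not Dendrite or gomatrixserverlib code: omitted keys resolve to the spec defaults (users_default 0, events_default 0, state_default 50) before the "old or new level above the sender" check runs. The names `checkDefaults`, `level` and `specDefaults` and the sample JSON are constructed for illustration; the example assumes integer power levels and covers only these three keys.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Spec defaults applied when a key is omitted from m.room.power_levels.
var specDefaults = []struct {
	key string
	def float64
}{{"users_default", 0}, {"events_default", 0}, {"state_default", 50}}

// level returns c[key] when present as a number, else the given default.
func level(c map[string]any, key string, def float64) float64 {
	if v, ok := c[key].(float64); ok {
		return v
	}
	return def
}

// checkDefaults (hypothetical helper) rejects a changed default key whose
// old or new resolved value is above the sender's level in the old content.
func checkDefaults(oldJSON, newJSON, sender string) error {
	var o, n map[string]any
	if err := json.Unmarshal([]byte(oldJSON), &o); err != nil {
		return err
	}
	if err := json.Unmarshal([]byte(newJSON), &n); err != nil {
		return err
	}
	users, _ := o["users"].(map[string]any)
	// Sender level: explicit users entry, else users_default, else 0.
	lvl := level(users, sender, level(o, "users_default", 0))
	for _, d := range specDefaults {
		ov, nv := level(o, d.key, d.def), level(n, d.key, d.def)
		if ov != nv && (ov > lvl || nv > lvl) {
			return fmt.Errorf("%s: %v -> %v is above sender level %v", d.key, ov, nv, lvl)
		}
	}
	return nil
}

// Constructed sample: both defaults omitted, state_default raised to 90.
const stripped = `{"events":{"m.room.power_levels":50},"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50}}`

func main() {
	restored := `{"events":{"m.room.power_levels":50},"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":1}`
	fmt.Println(checkDefaults(stripped, restored, "@bob:localhost")) // level 50 sender
}
```

With omitted keys resolved this way, the level 50 sender may restore `users_default` or `events_default` even though `state_default` is 90, while touching `state_default` itself is still refused.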

Would it be possible to provide the exact old and new powerlevels? Ideally as the complete events, so I can create a test and check if it's checkUserLevels or NewPowerLevelContentFromAuthEvents (or similar) in GMSL.

S7evinK avatar Mar 10 '23 09:03 S7evinK

All those events were updated several times since patching the bot, I could get something similar for a different room where it's still visible in prev_content if that's useful? It has quite different settings though, eg state_default is not 90.

bones-was-here avatar Mar 15 '23 14:03 bones-was-here

So.. I gave it another try, but still can't reproduce the message from above. Tried to create a test for this here

=== RUN   TestPowerLevels
    eventauth_test.go:1536: Initial powerlevel event: {"auth_events":[],"content":{"ban":50,"events":null,"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":50,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0},"depth":0,"hashes":{"sha256":"mDzaoNJBgSCS5Yr4oEwEBG2iWUlAMZEfuiajfiw97Mw"},"origin":"localhost","origin_server_ts":1687355842966,"prev_events":[],"prev_state":[],"room_id":"!room:localhost","sender":"@alice:localhost","signatures":{"localhost":{"ed25519:1":"HFIVAPxZjMITVWwVIrOnb5nHfcMwbu7u1U6R2PhkTw1rnCVAwL/26EX5nIeizwSd2StWaGpl0Qd1+v4/aW1GDA"}},"state_key":"","type":"m.room.power_levels","unsigned":{}}
    eventauth_test.go:1562: Allow mods to change permissions: {"auth_events":[],"content":{"ban":50,"events":{"m.room.power_levels":50},"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":50,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0},"depth":0,"hashes":{"sha256":"scpxUgWq4zaeb1togoRpflIstERdzpKMNzvayzytVxQ"},"origin":"localhost","origin_server_ts":1687355842967,"prev_events":[],"prev_state":[],"room_id":"!room:localhost","sender":"@alice:localhost","signatures":{"localhost":{"ed25519:1":"vHv6qRzLVvxqx4PHVvkAvrsMLOIY0CNHRhPBIvV+5ZOEjBUIoBLobiHKLgFo3tofZb6MLeO2tzf+oqrPxkGCDA"}},"state_key":"","type":"m.room.power_levels","unsigned":{"prev_content":{"ban":50,"events":null,"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":50,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0}}}
    eventauth_test.go:1580: After setting state_default to 90: {"auth_events":[],"content":{"ban":50,"events":{"m.room.power_levels":50},"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0},"depth":0,"hashes":{"sha256":"b9PdbIZHRwzaK/jMyPaz9xhgv4XbyhBnnymUOBNy+cE"},"origin":"localhost","origin_server_ts":1687355842967,"prev_events":[],"prev_state":[],"room_id":"!room:localhost","sender":"@alice:localhost","signatures":{"localhost":{"ed25519:1":"kbUPzQoJiu8NSfm4Y11ETiBGVJW3QNHWmIvHck1BHzAbFVConYvhUBdCsI2tFqgt7SrH2eSl1i1bBnzXYQzQAQ"}},"state_key":"","type":"m.room.power_levels","unsigned":{"prev_content":{"ban":50,"events":{"m.room.power_levels":50},"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":50,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0}}}
    eventauth_test.go:1599: After removing users_default and events_default: {"auth_events":[],"content":{"ban":50,"events":{"m.room.power_levels":50},"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50}},"depth":0,"hashes":{"sha256":"zsISBV41ZnJPwqXoqUSdc9qwoyE9O0YUzSMr7+2lhZ0"},"origin":"localhost","origin_server_ts":1687355842967,"prev_events":[],"prev_state":[],"room_id":"!room:localhost","sender":"@alice:localhost","signatures":{"localhost":{"ed25519:1":"lhSCT1VHztO65s2BCpT65eKMhkxkvJYK+T2CfjV6XMCWRvCzExlTtqzVbDHXNM51v1vLr2yk58IoluaDr4HfCw"}},"state_key":"","type":"m.room.power_levels","unsigned":{"prev_content":{"ban":50,"events":{"m.room.power_levels":50},"events_default":0,"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":0}}}
    eventauth_test.go:1633: Trying to add users_default again: {"auth_events":[],"content":{"ban":50,"events":{"m.room.power_levels":50},"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50},"users_default":1},"depth":0,"hashes":{"sha256":"faoEjxqAo9+ULo2MJj9VcxXB/SxP+/lC6q6fDZzOjFc"},"origin":"localhost","origin_server_ts":1687355842968,"prev_events":[],"prev_state":[],"room_id":"!room:localhost","sender":"@bob:localhost","signatures":{"localhost":{"ed25519:1":"8dgEqwzs1NKCG4yrkz64DrQxoYM7qaukJiqWh6Q5V9l3ywjPbzecrRe29iyHD4f49+DjhcqE0VxqjEtIgXTHCg"}},"state_key":"","type":"m.room.power_levels","unsigned":{"prev_content":{"ban":50,"events":{"m.room.power_levels":50},"invite":50,"kick":50,"notifications":{"room":50},"redact":50,"state_default":90,"users":{"@alice:localhost":100,"@bob:localhost":50}}}}
--- PASS: TestPowerLevels (0.00s)

Aside from the test, I tried to follow your steps in Element Web, but also no issues there.

S7evinK avatar Jun 21 '23 13:06 S7evinK