
[Idea] User permissions on a server

Open romain-neil opened this issue 5 years ago • 4 comments

I wonder how I can manage new users' permissions: for example, what can a newly registered user do (create a room? ...)

A solution could be a user management panel, or something similar to this, which allows creating or deleting user roles and setting default roles for people who log in (with the LDAP module, for example).

For organizations, this could seriously compete with Teams.

As mentioned in an issue of riot-web, Matrix and Synapse do not currently expose APIs to manage user permissions.

romain-neil, Jun 22 '20 09:06

I believe that this is essentially a duplicate of vector-im/element-web#6660. Or at least that would need to be fixed first before tying it into any LDAP/SSO solution.

clokep, Jun 22 '20 11:06

Hi, I believe this is not a duplicate of vector-im/element-web#6660, but its own unique and highly important issue. Without this feature, anti-abuse with Matrix is impossible. The Synapse server my organization runs has been shut down until further notice due to the massive abusive traffic the Synapse server receives. Since the chat administrators do not have any global server permissions, they cannot ban or administrate the server when it is under attack. Therefore, it can no longer be part of our stack until we find a workaround.

My understanding is this:

  • If you run matrix, you may run into abusive users who:
    • Private Message users inappropriate/illegal content
    • Create Rooms with inappropriate/illegal content
  • People would like there to be a way to BAN a user by IP address (otherwise they can just keep coming back with disposable email addresses). However this feature currently does not exist because:
    • Synapse has no ACLs for users outside of the scope of rooms (no global admins), therefore the concept of "chat administrator" cannot really exist outside of a per-room basis. This is not useful when a malicious user is abusing the entire server.
    • Clients like Element Web cannot implement "chat administrator" roles until Synapse has some way of expressing permissions/ACLs on its end

Sorry to be a pain, but I work with a few different orgs, and we are no longer able to use Matrix for our chat. We need a way to administrate the chat; it's just a basic feature for our use case (allowing public sign-up).

I also want to reference two Element Web bugs that could leverage this feature to implement a web-based-administrative solution:

  • https://github.com/vector-im/element-web/issues/14130 (why this issue was created)
  • https://github.com/vector-im/element-meta/issues/1237 (another related anti-abuse problem)

TL;DR: abusive users can abuse our Matrix server, and our chat admins have no way of fighting it. The only recourse we have is to shut down Matrix. If Synapse had the ability to have server-wide ACLs, we could advocate/volunteer to projects like Element Web to build an administrative interface.

I hope my user story shows how this feature set is long overdue, and makes a strong case for having the ability to administrate your own server :)

e-lisa, Sep 11 '20 00:09

I concur that this isn't a duplicate of vector-im/element-web#6660, and sounds like useful functionality. Specifically: the ability to restrict new users creating rooms, inviting users, etc. If coupled with a timer (i.e. accounts have to be 30 days old) or registration approval (#6911) this could be a useful tool to combat spam users.

erikjohnston, Sep 11 '20 10:09

matrix-org/synapse-user-restrictions partly answers this question.

create a room ?

This module allows restricting users, that match given regular expressions, from performing actions such as creating rooms or sending invites.

almereyda, Nov 15 '23 03:11
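
Added example, not code from synapse-user-restrictions, Synapse, or any commenter in this thread: a minimal default-deny evaluator for the approach discussed above, combining regex-matched rules for `create_room` and `invite` with the 30-day account-age idea. The rule format, the `is_allowed` function and the `example.org` user IDs are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass

ACTIONS = {"create_room", "invite"}
MIN_AGE_SECONDS = 30 * 86400  # the "accounts have to be 30 days old" idea


@dataclass(frozen=True)
class Rule:
    pattern: str      # regex over the full Matrix user ID
    allow: frozenset  # actions permitted when the pattern matches


# Constructed sample policy (hypothetical format, not the module's schema).
RULES = [
    Rule(r"@admin-[a-z0-9]+:example\.org", frozenset({"create_room", "invite"})),
    Rule(r"@[a-z0-9._-]+:example\.org", frozenset({"invite"})),
]


def is_allowed(user_id, action, created_ts, now_ts, rules=RULES):
    """Return True if user_id may perform action. Anything unmatched is denied."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    # Age gate first: a freshly registered account gets nothing,
    # whatever its user ID looks like.
    if now_ts - created_ts < MIN_AGE_SECONDS:
        return False
    for rule in rules:
        # fullmatch, not search: an unanchored search would let
        # "@admin-x:example.org.evil.test" satisfy the admin rule.
        if re.fullmatch(rule.pattern, user_id):
            return action in rule.allow  # first matching rule decides
    return False  # default deny


if __name__ == "__main__":
    now = 1_700_000_000
    for uid, age_days in [("@admin-ops:example.org", 31),
                          ("@alice:example.org", 31),
                          ("@alice:example.org", 1)]:
        created = now - age_days * 86400
        print(uid, age_days,
              {a: is_allowed(uid, a, created, now) for a in sorted(ACTIONS)})
```

Rule order matters because the first match decides: the narrower admin pattern has to come before the general local-user pattern.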