matrix-docker-ansible-deploy

Documentation about permissions with matrix-bridge-mautrix-telegram could be improved

Open iikkart opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

Setting up proper permissions to control the mautrix-telegram relay with an administrator user is poorly documented. Without setting administrator rights by adding things to vars.yml, it's impossible to, for example, unbridge rooms from Telegram. I didn't know where to look for the solution when I was getting errors about missing administrator rights to control the bot.

Describe the solution you'd like

I think the documentation should offer an example of what should be added to vars.yml to get the right permissions to have a functional bot and access to the administrator controls. My example would be something like the following:

matrix_mautrix_telegram_configuration_extension_yaml: |
  bridge:
    permissions:
      '@user:domain': admin
      '*': relaybot

I can even try to make a pull request if you like my suggestion.

Describe alternatives you've considered

I understand that maybe you think that the official Mautrix documentation covers this. I could not find relevant information even there. Maybe, as an alternative, I should open an issue in their repo. But on the other hand, understanding how to set up configurations from the official Mautrix documentation with this playbook might still not be easy.

iikkart avatar Mar 17 '22 00:03 iikkart

Fixing the upstream documentation (if it's lacking) would have the most impact, as that would help all users of the bridge, not just playbook users of the bridge.

We may have better documentation on our side as well though. Care to submit a PR?


It should be noted that '*': relaybot (from your configuration above) allows all Matrix users (not just the current homeserver's users) to use the Telegram bridge -- something that most homeserver administrators will not like.

spantaleev avatar Mar 17 '22 07:03 spantaleev

> It should be noted that '*': relaybot (from your configuration above) allows all Matrix users (not just the current homeserver's users) to use the Telegram bridge -- something that most homeserver administrators will not like.

Not quite - it will allow the use of rooms with relay only, so things like channels or regular double-puppeted rooms will just kick unauthorized users in the Telegram bridge (and you can't authorize with your Telegram account with relaybot permissions)

aine-etke avatar Mar 17 '22 16:03 aine-etke

Cool! I will make a PR soon, and I have to browse the Mautrix documentation maybe once more and analyze whether it was the documentation or just me.

About the '*': relaybot permissions, it seemed to me to be the level of permissions I need. Before setting that up, if I wanted to add a user from another homeserver to my Matrix chatroom, the bot instantly kicked out the user. I didn't try all the other permission options though, so I don't know if there would be a stricter policy that would work for my use case. I'm happy to hear if stricter permissions would allow the same.

So, @etkecc you don't see possible negative consequences from this level of permissions for quite regular use cases?

EDIT: For example, Signal relay's default permissions look like this:

permissions:
  '*': relay
  YOUR_DOMAIN: user

iikkart avatar Mar 17 '22 20:03 iikkart

Seems OK - random users will be able to join rooms with relay and that's it

rakshazi avatar Mar 17 '22 20:03 rakshazi
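
The permission maps discussed in this thread, modeled as an added example (not code from the playbook, the bridge or any commenter): it resolves the effective level for a Matrix user and flags entries that grant more than relay-only access outside the local homeserver. The lookup order (user ID, then domain, then `'*'`), the level names `puppeting` and `full`, and the domain `example.com` are assumptions.

```python
# Added example, not from the thread or the playbook. The lookup order and the
# level names "puppeting" and "full" are assumptions about the bridge.
RANK = {"relaybot": 1, "relay": 1, "user": 2, "puppeting": 3, "full": 4, "admin": 5}


def effective_level(permissions, mxid):
    """Most specific entry wins: full user ID, then homeserver domain, then '*'."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    domain = mxid.split(":", 1)[1]
    for key in (mxid, domain, "*"):
        if key in permissions:
            return permissions[key]
    return None  # no entry matches this user


def audit(permissions, local_domain):
    """Return findings about what users outside local_domain are granted."""
    findings = []
    for key, level in permissions.items():
        if level not in RANK:
            findings.append(f"{key!r}: unknown level {level!r}")
            continue
        local = key == local_domain or key.endswith(":" + local_domain)
        if key == "*" and RANK[level] > RANK["relaybot"]:
            findings.append(f"'*' gives {level!r} to users of every homeserver")
        elif key != "*" and not local and RANK[level] > RANK["relaybot"]:
            findings.append(f"{key!r} is outside {local_domain} and gets {level!r}")
        if level == "admin" and not key.startswith("@"):
            findings.append(f"{key!r} gives admin to a whole group, not one user")
    return findings


# Constructed sample: the map proposed in the issue, with example.com as the domain.
PROPOSED = {"@user:example.com": "admin", "*": "relaybot"}
# Constructed sample: a wider wildcard, to show what the audit reports.
WIDE = {"*": "user", "example.com": "admin"}

if __name__ == "__main__":
    for who in ("@user:example.com", "@guest:other.example"):
        print(who, "->", effective_level(PROPOSED, who))
    for name, perms in (("proposed", PROPOSED), ("wide", WIDE)):
        print(name, audit(perms, "example.com") or "no findings")
```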