Skip to content

MSC3911 AP8: Expose restrictions over federation #101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 10, 2025
Merged

MSC3911 AP8: Expose restrictions over federation #101

merged 2 commits into from
Sep 10, 2025

Conversation

@itsoyou
Copy link
Contributor

@itsoyou itsoyou commented Sep 8, 2025
edited by nico-famedly
Loading

Linked Media MSC3911 AP8: Expose restrictions over federation #3358

fixes #3358

If restrictions are present, they should be exposed in the first part of the https://spec.matrix.org/v1.14/server-server-api/#get_matrixfederationv1mediadownloadmediaid response.

Acceptance criteria

  • Expose the restrictions json key in https://spec.matrix.org/v1.14/server-server-api/#get_matrixfederationv1mediadownloadmediaid

  • This should only be returned, if the msc is enabled.

  • The key is prefixed: org.matrix.msc3911.restrictions (event_id and profile_user_id are not prefixed)

  • If the server has no way to be able to see the media, an error should be returned instead of the media. (this is quite tricky, see https://github.com/famedly/product-management/issues/3357 )

  • The /_matrix/federation/v1/media/download and /_matrix/federation/v1/media/thumbnail endpoints specified by MSC3916: Authentication for media matrix-org/matrix-spec-proposals#3916 are extended: the returned json object may have a property restrictions.

  • If there is no restrictions property, the media is a legacy "unrestricted" media. Otherwise, restrictions should be a JSON object with one of the following properties: event_id, profile_user_id.

  • It is invalid for both event_id and profile_user_id to be set.

  • If neither event_id nor profile_user_id are present, the requesting user should assume that an unknown restriction is present, and not allow access to any user.

Open Questions

Which permission checks over federation are actually feasible, if the server wants to join the room for example?

@itsoyou itsoyou requested a review from a team as a code owner September 8, 2025 14:45
@itsoyou itsoyou marked this pull request as draft September 8, 2025 14:50
@itsoyou itsoyou marked this pull request as ready for review September 8, 2025 15:12
nico-famedly
nico-famedly reviewed Sep 9, 2025
View reviewed changes
nico-famedly
nico-famedly reviewed Sep 9, 2025
View reviewed changes
@nico-famedly nico-famedly merged commit e4b8ea6 into msc3911 Sep 10, 2025
19 of 22 checks passed
@nico-famedly nico-famedly deleted the syk/ap8-expose-restrictions-over-federation branch September 10, 2025 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jason-famedly jason-famedly jason-famedly left review comments

@nico-famedly nico-famedly nico-famedly approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@itsoyou @nico-famedly @jason-famedly