Clarify access to listing members by guest users #913

Open
YousefED opened this issue Oct 22, 2021 · 3 comments
Labels
clarification An area where the expected behaviour is understood, but the spec could do with being more explicit

Comments

@YousefED

Both
(A): https://spec.matrix.org/unstable/client-server-api/#get_matrixclientv3roomsroomidmembers
(B): https://spec.matrix.org/unstable/client-server-api/#get_matrixclientv3roomsroomidjoined_members

suggest you receive a 403 when "You aren’t a member of the room." This suggests to me that for these endpoints to work, you need to be a member of the room.

Upon testing against Synapse, I noticed (A) is allowed for guest users, but (B) isn't. This isn't clear in the current documentation.

Background: I was researching a way for guest users to list room members. Based on the documentation I figured it wasn't possible, but then decided to give it a try nonetheless. For me, it's nice that A works, but it would help if it's documented accordingly.

@YousefED YousefED added the clarification An area where the expected behaviour is understood, but the spec could do with being more explicit label Oct 22, 2021
@uhoreg
Member

uhoreg commented Oct 26, 2021

Only certain endpoints are available to guest users. These are listed at https://spec.matrix.org/unstable/client-server-api/#client-behaviour-14. As you can see, /rooms/{roomId}/members is listed as being available to guests, but /rooms/{roomId}/joined_members is not.

I'm not sure why there is a discrepancy between the two, but my guess is that it's because joined_members is intended for use by application services.

@turt2live
Member

/joined_members was indeed added after the fact for appservices, but given it's meant to be behind a high-performance cache of sorts it's probably safe for guests too. Would be a trivial MSC :)

@YousefED
Author

Thanks, I now understand which endpoints are allowed by guest users.

> Only certain endpoints are available to guest users. These are listed at https://spec.matrix.org/unstable/client-server-api/#client-behaviour-14. As you can see, /rooms/{roomId}/members is listed as being available to guests, but /rooms/{roomId}/joined_members is not.

My feedback would still be to clarify this also at the documentation of the API endpoint. E.g.:

[Image: Screenshot 2021-10-27 at 08 26 50]

A: This is now technically incorrect, because as a guest account, even one that hasn't joined the room, I get all the members in the room and a 200. According to the docs, I'd expect a 403.

B: It also makes me wonder whether this statement is correct: "If you have left the room then this will be the members of the room when you left." Because that would imply that a guest user who has never joined a room gets a more accurate / up-to-date response than a user who's left the room previously (that sounds like weird behaviour / weird spec, or a mistake in the documentation).

@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 2, 2022