From 6f44ee6fa5fd66c506a406c17fa3fec3d710854d Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Thu, 25 May 2023 20:44:10 +0200 Subject: [PATCH 01/29] First draft of message-redaction --- extensions/message-redaction.md | 177 ++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 extensions/message-redaction.md diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md new file mode 100644 index 000000000..2cc91d27b --- /dev/null +++ b/extensions/message-redaction.md @@ -0,0 +1,177 @@ +--- +title: Message redaction +layout: spec +work-in-progress: true +copyrights: + - + name: "James Wheare" + email: "james@irccloud.com" + period: "2020" + - + name: "Val Lorentz" + email: "progval+ircv3@progval.net" + period: "2023" +--- + +## Notes for implementing work-in-progress version + +This is a work-in-progress specification. + +Software implementing this work-in-progress specification MUST NOT use the +unprefixed `message-redaction` capability name. +Instead, implementations SHOULD use the `draft/message-redaction` capability +name to be interoperable with other software implementing a compatible +work-in-progress version. + +The final version of the specification will use an unprefixed capability name. + +## Introduction + +This specification enables messages to be deleted. +Use cases include retracting accidentally sent messages and moderation, +removing a [`+draft/react` client tag][], amongst others. +These are cosmetic use cases and do not provide any operational security +guarantees. + +## Architecture + +### Dependencies + +Clients wishing to use these capabilities MUST negotiate the [`message-tags`][] +capability with the server. +Additionally, this capability relies on messages being sent with the +[`msgid`][] tag, and message ids MUST NOT contain spaces. +Clients SHOULD negotiate the [`echo-message`][] and [`labeled-response`][] +capabilities in order to receive message IDs for their own messages, to allow +them to be redacted. + + +### Capability + +This specification adds the `draft/message-redaction` capability. + +Implementations that negotiate these capabilities indicate that they are +capable of handling the respective commands and message tags described below. + + +### Command + +To redact a message, a client MUST negotiate the `draft/message-redaction` +capability and send a `REDACT` command to a target nickname or channel. +The command is defined as follows: + + REDACT [:reason] + +Where `` is the id of the message to be redacted. + +If the client is authorised to delete the message, the server: + +* SHOULD forward this `REDACT`, with an appropriate prefix, to the target + recipients which negotiated the `draft/message-redaction` capability, in the + same way as PRIVMSG messages. +* MUST not forward this `REDACT` to target recipients which did not negotiated + this capability (see "Fallback" below) + +### Chat history + +After a message is redacted, [`chathistory`][] responses SHOULD either: + +* exclude it entirely +* replace it with the `REDACT` message with the same value as `@msgid` tag +* add the `REDACT` message to the response (not counting toward message limits) + +### Errors + +This specification defines `FAIL` messages using the [standard replies][] +framework for notifying clients of errors with message editing and deletion. +The following codes are defined, with sample plain text descriptions. + +* `FAIL REDACT REDACT_FORBIDDEN :You are not authorised to delete this message` +* `FAIL REDACT REDACT_WINDOW_EXPIRED :You can no longer edit this message` + +## Client implementation considerations + +It is strongly RECOMMENDED that clients provide visible redaction history to users. +This helps ensure accountability, and mitigates abuse through malicious or +surreptitious redaction. This could be done via a tool tip, or a separate log. +Redacted messages MAY be hidden entirely from the primary message log, +but a deletion log SHOULD be made available. + +For the purposes of user interface, clients MAY assume that their own messages +are editable. +However, this will not always be the case, and there could be other messages +that they have permission to act on. +Pending a mechanism for discovering redaction permissions, clients SHOULD +allow users to attempt to delete any message via some mechanism. + +Clients SHOULD NOT provide a default reason if users do not provide one. + +## Server implementation considerations + +*This section is non-normative.* + +A key motivation for specifying this capability as a server tag, rather than +a client-only message tag, is to enable more granular redaction permissions. +Clients might be able to determine which messages are their own, but other +use cases would not be feasible without server validation. + +Such use cases might include: + +* Allowing channel moderators or server admins to delete unwelcome messages from others +* Specifying a cut-off time after which message edits are no longer allowed + +### Fallback + +Server implementations might choose to inform clients that haven't negotiated +the capability that an edit or deletion has taken place. +The fallback method used (if any) is left up to server implementations, but +could take the form of a standard NOTICE or PRIVMSG with information about the +action. +It might be preferable to use relative time descriptions if referring to +messages in the past, for example: + + :irc.example.com NOTICE #channel :nickname redacted a message from othernick from 5 seconds ago: spam + +Implementations might also choose not to send a fallback, if this behaviour +is considered too noisy for users. + +## Security considerations + +The ability to delete messages does not offer any information or operational +security guarantees. +Once a message has been sent, assume that it will remain visible to any +recipients or servers, whether or not it is subsequently redacted. +Above all else, clients that do not support this specification will not see +any changes to the original message. + +## Examples + +Deleting a PRIVMSG: + + C: PRIVMSG #channel :an example + S: @msgid=123 :nick!u@h PRIVMSG #channel :an example + C: DELETE #channel 123 :bad example + S: @msgid=124 :nick!u@h DELETE #channel 123 :bad example + +Deleting a TAGMSG: + + C: @draft/react=🤞TAGMSG #channel + S: @msgid=123;draft/react=🤞TAGMSG #channel + C: DELETE #channel 123 + S: @msgid=124 :nick@u@h DELETE #channel 123 + +Deleting someone else's PRIVMSG: + + C: PRIVMSG #channel :join my network for cold hard chats + S: @msgid=123 :nick!u@h PRIVMSG #channel :join my network for cold hard chats + C: DELETE #channel 123 spam + S: @msgid=124 :nick!u@h DELETE #channel 123 spam + + +[`echo-message`]: ../extensions/echo-message.html +[`+draft/react` client tag]: ../client-tags/react.html +[`labeled-response`]: ../extensions/labeled-response.html +[standard replies]: ../extensions/standard-replies.html +[`message-tags`]: ../extensions/message-tags.html +[`msgid`]: ../extensions/message-tags.html +[`chathistory`]: ../extensions/message-tags.html From d6d45f613560bf9b3ca44a3d3736536e38e09248 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Thu, 25 May 2023 22:31:43 +0200 Subject: [PATCH 02/29] Add UNKNOWN_MSGID fail code --- extensions/message-redaction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 2cc91d27b..5bc7a0ca0 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -88,6 +88,7 @@ The following codes are defined, with sample plain text descriptions. * `FAIL REDACT REDACT_FORBIDDEN :You are not authorised to delete this message` * `FAIL REDACT REDACT_WINDOW_EXPIRED :You can no longer edit this message` +* `FAIL REDACT UNKNOWN_MSGID :This message does not exist or is too old` ## Client implementation considerations From b092e88da69dd626dde432fd2629306643788f75 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 26 May 2023 19:12:54 +0200 Subject: [PATCH 03/29] must ignore the cap's value --- extensions/message-redaction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 5bc7a0ca0..73d7d2b23 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -49,6 +49,7 @@ them to be redacted. ### Capability This specification adds the `draft/message-redaction` capability. +Clients MUST ignore this capability's value, if any. Implementations that negotiate these capabilities indicate that they are capable of handling the respective commands and message tags described below. From 0e0f71c8870231da1d8c61763ec1d7d9c178c3de Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 26 May 2023 20:48:48 +0200 Subject: [PATCH 04/29] Mention sending REDACT in chathistory batches on join. --- extensions/message-redaction.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 73d7d2b23..fb40a8879 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -122,6 +122,10 @@ Such use cases might include: * Allowing channel moderators or server admins to delete unwelcome messages from others * Specifying a cut-off time after which message edits are no longer allowed +If a message is redacted while a client is disconnected (or parted from a channel) while +a message it saw is redacted, servers may send the `REDACT` command in a `chathistory` +batch when it re-joins the channel. + ### Fallback Server implementations might choose to inform clients that haven't negotiated From 323454d262ce9598edcdb407bed5d71895fb4fbb Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Sat, 27 May 2023 08:07:18 +0200 Subject: [PATCH 05/29] s/DELETE/REDACT/ in examples Co-authored-by: delthas <1863865+delthas@users.noreply.github.com> --- extensions/message-redaction.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index fb40a8879..61d14c81a 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -156,22 +156,22 @@ Deleting a PRIVMSG: C: PRIVMSG #channel :an example S: @msgid=123 :nick!u@h PRIVMSG #channel :an example - C: DELETE #channel 123 :bad example - S: @msgid=124 :nick!u@h DELETE #channel 123 :bad example + C: REDACT #channel 123 :bad example + S: @msgid=124 :nick!u@h REDACT #channel 123 :bad example Deleting a TAGMSG: C: @draft/react=🤞TAGMSG #channel S: @msgid=123;draft/react=🤞TAGMSG #channel - C: DELETE #channel 123 - S: @msgid=124 :nick@u@h DELETE #channel 123 + C: REDACT #channel 123 + S: @msgid=124 :nick@u@h REDACT #channel 123 Deleting someone else's PRIVMSG: C: PRIVMSG #channel :join my network for cold hard chats S: @msgid=123 :nick!u@h PRIVMSG #channel :join my network for cold hard chats - C: DELETE #channel 123 spam - S: @msgid=124 :nick!u@h DELETE #channel 123 spam + C: REDACT #channel 123 spam + S: @msgid=124 :nick!u@h REDACT #channel 123 spam [`echo-message`]: ../extensions/echo-message.html From 4efeb0225c0a8945d38e65b9b21e146646be1eb0 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Mon, 29 May 2023 18:40:59 +0200 Subject: [PATCH 06/29] Add a note about leaking message existence --- extensions/message-redaction.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 61d14c81a..a14dbb46f 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -126,6 +126,10 @@ If a message is redacted while a client is disconnected (or parted from a channe a message it saw is redacted, servers may send the `REDACT` command in a `chathistory` batch when it re-joins the channel. +If servers use predictable or guessable `msgid`s, they should considered whether errors +returned on `REDACT` may leak a message's existence to users who did not receive it +(in a channel they are/were not in or in private messages). + ### Fallback Server implementations might choose to inform clients that haven't negotiated From 4962974b9780c2a8490f6bd65b69bf316cf3e1dd Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Mon, 29 May 2023 22:20:40 +0200 Subject: [PATCH 07/29] fix typo in intro --- extensions/message-redaction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index a14dbb46f..cb9d19471 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -28,8 +28,8 @@ The final version of the specification will use an unprefixed capability name. ## Introduction This specification enables messages to be deleted. -Use cases include retracting accidentally sent messages and moderation, -removing a [`+draft/react` client tag][], amongst others. +Use cases include retracting accidentally sent messages moderation, +and removing a [`+draft/react` client tag][], amongst others. These are cosmetic use cases and do not provide any operational security guarantees. From 4432a2d6fdd5a86de6a8073904ea6798a2348240 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Mon, 29 May 2023 22:26:40 +0200 Subject: [PATCH 08/29] I can't type --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index cb9d19471..33e60e650 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -28,7 +28,7 @@ The final version of the specification will use an unprefixed capability name. ## Introduction This specification enables messages to be deleted. -Use cases include retracting accidentally sent messages moderation, +Use cases include retracting accidentally sent, messages moderation, and removing a [`+draft/react` client tag][], amongst others. These are cosmetic use cases and do not provide any operational security guarantees. From 15f353d5daed399291c01ccecdcd6e7abfd97856 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Mon, 29 May 2023 22:29:23 +0200 Subject: [PATCH 09/29] really --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 33e60e650..dbff59e11 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -28,7 +28,7 @@ The final version of the specification will use an unprefixed capability name. ## Introduction This specification enables messages to be deleted. -Use cases include retracting accidentally sent, messages moderation, +Use cases include retracting accidentally sent messages, moderation, and removing a [`+draft/react` client tag][], amongst others. These are cosmetic use cases and do not provide any operational security guarantees. From 6328b52e88caf41942c0855187457e4b49de770a Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Tue, 30 May 2023 19:57:26 +0200 Subject: [PATCH 10/29] s/editable/redactable/ --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index dbff59e11..effe340a2 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -100,7 +100,7 @@ Redacted messages MAY be hidden entirely from the primary message log, but a deletion log SHOULD be made available. For the purposes of user interface, clients MAY assume that their own messages -are editable. +are redactable. However, this will not always be the case, and there could be other messages that they have permission to act on. Pending a mechanism for discovering redaction permissions, clients SHOULD From 6fe3a60ea1b1a407de67ee757ba13aea81c3df6d Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Tue, 30 May 2023 19:57:59 +0200 Subject: [PATCH 11/29] Mention clients should check the target matches the msgid --- extensions/message-redaction.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index effe340a2..e5b45c4c9 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -108,6 +108,11 @@ allow users to attempt to delete any message via some mechanism. Clients SHOULD NOT provide a default reason if users do not provide one. +When a `REDACT` command's `msgid` parameter references a known message not in +the `target`'s history, clients MUST ignore it. +This allows servers to safely relay `REDACT` commands targeting messages which they +did not keep in their history. + ## Server implementation considerations *This section is non-normative.* From a70a629497e8a6b7567cd4c4cfabd4a4c3119297 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Wed, 31 May 2023 08:17:49 +0200 Subject: [PATCH 12/29] Fix chanop redact example --- extensions/message-redaction.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index e5b45c4c9..081d5eb65 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -177,10 +177,10 @@ Deleting a TAGMSG: Deleting someone else's PRIVMSG: - C: PRIVMSG #channel :join my network for cold hard chats - S: @msgid=123 :nick!u@h PRIVMSG #channel :join my network for cold hard chats - C: REDACT #channel 123 spam - S: @msgid=124 :nick!u@h REDACT #channel 123 spam + C1: PRIVMSG #channel :join my network for cold hard chats + S: @msgid=123 :nick!u@h PRIVMSG #channel :join my network for cold hard chats + C2: REDACT #channel 123 spam + S: @msgid=124 :chanop!u@h REDACT #channel 123 spam [`echo-message`]: ../extensions/echo-message.html From 4ba56db4aa3b53af3b077b97c068271a9ebf2870 Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Wed, 31 May 2023 08:30:03 +0200 Subject: [PATCH 13/29] Remove another reference to edits --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 081d5eb65..49374dff2 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -138,7 +138,7 @@ returned on `REDACT` may leak a message's existence to users who did not receive ### Fallback Server implementations might choose to inform clients that haven't negotiated -the capability that an edit or deletion has taken place. +the capability that a deletion has taken place. The fallback method used (if any) is left up to server implementations, but could take the form of a standard NOTICE or PRIVMSG with information about the action. From 6b2074bc14cf0093e4364293fcf8c194ac5cec72 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Wed, 31 May 2023 08:47:08 +0200 Subject: [PATCH 14/29] labeled-response isn't required --- extensions/message-redaction.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 49374dff2..4233bdb31 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -41,9 +41,8 @@ Clients wishing to use these capabilities MUST negotiate the [`message-tags`][] capability with the server. Additionally, this capability relies on messages being sent with the [`msgid`][] tag, and message ids MUST NOT contain spaces. -Clients SHOULD negotiate the [`echo-message`][] and [`labeled-response`][] -capabilities in order to receive message IDs for their own messages, to allow -them to be redacted. +Clients SHOULD negotiate the [`echo-message`][] capabilities in order to receive +message IDs for their own messages, to allow them to be redacted. ### Capability @@ -185,7 +184,6 @@ Deleting someone else's PRIVMSG: [`echo-message`]: ../extensions/echo-message.html [`+draft/react` client tag]: ../client-tags/react.html -[`labeled-response`]: ../extensions/labeled-response.html [standard replies]: ../extensions/standard-replies.html [`message-tags`]: ../extensions/message-tags.html [`msgid`]: ../extensions/message-tags.html From 4e0d31693726dd8af2e8b78dde58f951d988f8db Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Thu, 1 Jun 2023 20:10:33 +0200 Subject: [PATCH 15/29] Remove "replace it with the REDACT message" option As emersion pointed out, it's just too weird --- extensions/message-redaction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 4233bdb31..44816abfd 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -77,7 +77,8 @@ If the client is authorised to delete the message, the server: After a message is redacted, [`chathistory`][] responses SHOULD either: * exclude it entirely -* replace it with the `REDACT` message with the same value as `@msgid` tag +* replace its second parameter and/or tags with a placeholder and + add the `REDACT` message to the response (not counting toward message limits) * add the `REDACT` message to the response (not counting toward message limits) ### Errors From d270474086e1f819f45aa4e3d2eb3e65fa5cd253 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Sat, 3 Jun 2023 21:58:24 +0200 Subject: [PATCH 16/29] Add 'FAIL REDACT INVALID_TARGET' --- extensions/message-redaction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 44816abfd..b96523472 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -87,6 +87,7 @@ This specification defines `FAIL` messages using the [standard replies][] framework for notifying clients of errors with message editing and deletion. The following codes are defined, with sample plain text descriptions. +* `FAIL REDACT INVALID_TARGET the_given_target :You cannot delete messages from the_given_target` * `FAIL REDACT REDACT_FORBIDDEN :You are not authorised to delete this message` * `FAIL REDACT REDACT_WINDOW_EXPIRED :You can no longer edit this message` * `FAIL REDACT UNKNOWN_MSGID :This message does not exist or is too old` From d5edb9bf620325c2c96e181adc8eff80cce9a7a2 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Sat, 3 Jun 2023 23:15:19 +0200 Subject: [PATCH 17/29] Remove extraneous from 'FAIL REDACT UNKNOWN_MSGID' --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index b96523472..9721c8208 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -90,7 +90,7 @@ The following codes are defined, with sample plain text descriptions. * `FAIL REDACT INVALID_TARGET the_given_target :You cannot delete messages from the_given_target` * `FAIL REDACT REDACT_FORBIDDEN :You are not authorised to delete this message` * `FAIL REDACT REDACT_WINDOW_EXPIRED :You can no longer edit this message` -* `FAIL REDACT UNKNOWN_MSGID :This message does not exist or is too old` +* `FAIL REDACT UNKNOWN_MSGID :This message does not exist or is too old` ## Client implementation considerations From 06d4c3cc2c9ba0ce179d882d4f203c88519db0f5 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 17 Nov 2023 15:04:10 +0100 Subject: [PATCH 18/29] Explicit the types of messages which can be redacted --- extensions/message-redaction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 9721c8208..3905c3d9b 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -62,7 +62,8 @@ The command is defined as follows: REDACT [:reason] -Where `` is the id of the message to be redacted. +Where `` is the id of the message to be redacted, which MUST be a +`PRIVMSG`, `NOTICE`, or `TAGMSG`. If the client is authorised to delete the message, the server: From 0629dd42668bd7ea27e3da82a2b9bd228ce6af4a Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Fri, 1 Dec 2023 13:03:41 +0100 Subject: [PATCH 19/29] Fix/clarify grammar Co-authored-by: James Wheare --- extensions/message-redaction.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 3905c3d9b..f583250ff 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -37,12 +37,12 @@ guarantees. ### Dependencies -Clients wishing to use these capabilities MUST negotiate the [`message-tags`][] +Clients wishing to use this capability MUST negotiate the [`message-tags`][] capability with the server. Additionally, this capability relies on messages being sent with the [`msgid`][] tag, and message ids MUST NOT contain spaces. -Clients SHOULD negotiate the [`echo-message`][] capabilities in order to receive -message IDs for their own messages, to allow them to be redacted. +Clients SHOULD negotiate the [`echo-message`][] capability in order to receive +message IDs for their own messages, so they can be redacted. ### Capability @@ -50,8 +50,8 @@ message IDs for their own messages, to allow them to be redacted. This specification adds the `draft/message-redaction` capability. Clients MUST ignore this capability's value, if any. -Implementations that negotiate these capabilities indicate that they are -capable of handling the respective commands and message tags described below. +Implementations that negotiate this capability indicate that they are +capable of handling the command described below. ### Command @@ -68,9 +68,9 @@ Where `` is the id of the message to be redacted, which MUST be a If the client is authorised to delete the message, the server: * SHOULD forward this `REDACT`, with an appropriate prefix, to the target - recipients which negotiated the `draft/message-redaction` capability, in the + recipients that have negotiated the `draft/message-redaction` capability, in the same way as PRIVMSG messages. -* MUST not forward this `REDACT` to target recipients which did not negotiated +* MUST not forward this `REDACT` to target recipients that have not negotiated this capability (see "Fallback" below) ### Chat history @@ -88,7 +88,7 @@ This specification defines `FAIL` messages using the [standard replies][] framework for notifying clients of errors with message editing and deletion. The following codes are defined, with sample plain text descriptions. -* `FAIL REDACT INVALID_TARGET the_given_target :You cannot delete messages from the_given_target` +* `FAIL REDACT INVALID_TARGET :You cannot delete messages from ` * `FAIL REDACT REDACT_FORBIDDEN :You are not authorised to delete this message` * `FAIL REDACT REDACT_WINDOW_EXPIRED :You can no longer edit this message` * `FAIL REDACT UNKNOWN_MSGID :This message does not exist or is too old` @@ -117,7 +117,7 @@ did not keep in their history. ## Server implementation considerations -*This section is non-normative.* +This section is non-normative. A key motivation for specifying this capability as a server tag, rather than a client-only message tag, is to enable more granular redaction permissions. From 9a97dc1e21f66e740a70386e16b53c26d2a76d44 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 12:57:48 +0100 Subject: [PATCH 20/29] Remove redundant restriction on msgid grammar --- extensions/message-redaction.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index f583250ff..381c59579 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -39,8 +39,6 @@ guarantees. Clients wishing to use this capability MUST negotiate the [`message-tags`][] capability with the server. -Additionally, this capability relies on messages being sent with the -[`msgid`][] tag, and message ids MUST NOT contain spaces. Clients SHOULD negotiate the [`echo-message`][] capability in order to receive message IDs for their own messages, so they can be redacted. From 0258e5209f203644bfb5710557ac3b856bdc7cde Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 13:05:56 +0100 Subject: [PATCH 21/29] Clarify PRIVMSG/NOTICE content replacement --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 381c59579..a5f856e48 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -76,7 +76,7 @@ If the client is authorised to delete the message, the server: After a message is redacted, [`chathistory`][] responses SHOULD either: * exclude it entirely -* replace its second parameter and/or tags with a placeholder and +* replace its second parameter (if it is a `PRIVMSG` or `NOTICE`) and/or tags with a placeholder and add the `REDACT` message to the response (not counting toward message limits) * add the `REDACT` message to the response (not counting toward message limits) From eea9ec4b583f1b58b59518931dce293946402907 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 13:08:01 +0100 Subject: [PATCH 22/29] Remove msgid from REDACT messages in examples It's distracting --- extensions/message-redaction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index a5f856e48..ad5efa2af 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -166,21 +166,21 @@ Deleting a PRIVMSG: C: PRIVMSG #channel :an example S: @msgid=123 :nick!u@h PRIVMSG #channel :an example C: REDACT #channel 123 :bad example - S: @msgid=124 :nick!u@h REDACT #channel 123 :bad example + S: :nick!u@h REDACT #channel 123 :bad example Deleting a TAGMSG: C: @draft/react=🤞TAGMSG #channel S: @msgid=123;draft/react=🤞TAGMSG #channel C: REDACT #channel 123 - S: @msgid=124 :nick@u@h REDACT #channel 123 + S: :nick@u@h REDACT #channel 123 Deleting someone else's PRIVMSG: C1: PRIVMSG #channel :join my network for cold hard chats S: @msgid=123 :nick!u@h PRIVMSG #channel :join my network for cold hard chats C2: REDACT #channel 123 spam - S: @msgid=124 :chanop!u@h REDACT #channel 123 spam + S: :chanop!u@h REDACT #channel 123 spam [`echo-message`]: ../extensions/echo-message.html From 1680c6b126a52562cf25084eaefc8d43a2ef5bb2 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 13:14:14 +0100 Subject: [PATCH 23/29] Fix typo --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index ad5efa2af..4925ddb50 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -131,7 +131,7 @@ If a message is redacted while a client is disconnected (or parted from a channe a message it saw is redacted, servers may send the `REDACT` command in a `chathistory` batch when it re-joins the channel. -If servers use predictable or guessable `msgid`s, they should considered whether errors +If servers use predictable or guessable `msgid`s, they should consider whether errors returned on `REDACT` may leak a message's existence to users who did not receive it (in a channel they are/were not in or in private messages). From 8ab12e90d4be5297f16f5dca0e65334fbdbb4757 Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Fri, 1 Dec 2023 13:16:04 +0100 Subject: [PATCH 24/29] Clarify when to send REDACT on join Co-authored-by: James Wheare --- extensions/message-redaction.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 4925ddb50..8255beaec 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -127,9 +127,7 @@ Such use cases might include: * Allowing channel moderators or server admins to delete unwelcome messages from others * Specifying a cut-off time after which message edits are no longer allowed -If a message is redacted while a client is disconnected (or parted from a channel) while -a message it saw is redacted, servers may send the `REDACT` command in a `chathistory` -batch when it re-joins the channel. +If a message is redacted while a client is not present in a channel, servers may send the `REDACT` command in a `chathistory` batch when it re-joins the channel. If servers use predictable or guessable `msgid`s, they should consider whether errors returned on `REDACT` may leak a message's existence to users who did not receive it From dfc1d8b8236cdd45f3af57963adee767ba716778 Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Fri, 1 Dec 2023 13:24:10 +0100 Subject: [PATCH 25/29] Describe 'reason' parameter Co-authored-by: James Wheare --- extensions/message-redaction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 8255beaec..bf3ca020e 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -58,11 +58,12 @@ To redact a message, a client MUST negotiate the `draft/message-redaction` capability and send a `REDACT` command to a target nickname or channel. The command is defined as follows: - REDACT [:reason] + REDACT [] Where `` is the id of the message to be redacted, which MUST be a `PRIVMSG`, `NOTICE`, or `TAGMSG`. +An optional `` MAY be provided. As the last parameter, it MAY contain spaces. If the client is authorised to delete the message, the server: * SHOULD forward this `REDACT`, with an appropriate prefix, to the target From 89e6a3c705b83a9889808507bdef734a7a623925 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 13:25:26 +0100 Subject: [PATCH 26/29] s/second parameter/content/ --- extensions/message-redaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index bf3ca020e..13a670cd2 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -77,7 +77,7 @@ If the client is authorised to delete the message, the server: After a message is redacted, [`chathistory`][] responses SHOULD either: * exclude it entirely -* replace its second parameter (if it is a `PRIVMSG` or `NOTICE`) and/or tags with a placeholder and +* replace its content and/or tags with a placeholder and add the `REDACT` message to the response (not counting toward message limits) * add the `REDACT` message to the response (not counting toward message limits) From 8fb0a99378cc9e52f5dbc037d93f3a143f76a65a Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Fri, 1 Dec 2023 13:28:38 +0100 Subject: [PATCH 27/29] Clarify the position of REDACT messages in chathistory batches --- extensions/message-redaction.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 13a670cd2..70754d253 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -79,7 +79,9 @@ After a message is redacted, [`chathistory`][] responses SHOULD either: * exclude it entirely * replace its content and/or tags with a placeholder and add the `REDACT` message to the response (not counting toward message limits) + after the redacted message * add the `REDACT` message to the response (not counting toward message limits) + after the redacted message ### Errors From 16ccba569431d24cba1a1af71a1af42010c0f1a9 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Thu, 22 Feb 2024 23:50:30 +0100 Subject: [PATCH 28/29] Re-add 'Message validation' section --- extensions/message-redaction.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 70754d253..3d8496308 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -136,6 +136,20 @@ If servers use predictable or guessable `msgid`s, they should consider whether e returned on `REDACT` may leak a message's existence to users who did not receive it (in a channel they are/were not in or in private messages). +### Message validation + +To implement validation, servers require a mechanism for determining the permissions of +a particular edit or delete action. +The user requesting the action would need to be compared against properties of +the message, given only the message ID and target. + +Servers with message history storage could look up the message properties from the ID, +but this might not be possible or desirable in all cases. +Another mechanism could involve encoding any required properties within the message ID +itself, e.g. the account ID, timestamp, etc. Servers might choose to encrypt this +information if it isn't usually public facing. Any information encoded in a message ID +is still opaque and not intended to be parsed by clients. + ### Fallback Server implementations might choose to inform clients that haven't negotiated From 2ef31eb5abb992757a3276e74cfe813099e7724e Mon Sep 17 00:00:00 2001 From: Val Lorentz Date: Fri, 23 Feb 2024 00:08:01 +0100 Subject: [PATCH 29/29] fix swapped links Co-authored-by: James Wheare --- extensions/message-redaction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/message-redaction.md b/extensions/message-redaction.md index 3d8496308..79016e477 100644 --- a/extensions/message-redaction.md +++ b/extensions/message-redaction.md @@ -202,5 +202,5 @@ Deleting someone else's PRIVMSG: [`+draft/react` client tag]: ../client-tags/react.html [standard replies]: ../extensions/standard-replies.html [`message-tags`]: ../extensions/message-tags.html -[`msgid`]: ../extensions/message-tags.html -[`chathistory`]: ../extensions/message-tags.html +[`msgid`]: ../extensions/message-ids.html +[`chathistory`]: ../extensions/chathistory.html