Skip to content

MSC3993: Room takeover #3993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
+170 −0
Open

MSC3993: Room takeover #3993

Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
23439c7
Add MSC3993: Room takeover
jaller94 Apr 5, 2023
3e1721e
depromote -> demote
jaller94 Apr 5, 2023
9674859
Typo: everone -> everyone
jaller94 Apr 8, 2023
25dbd5c
takeover_owners -> takeover_users
jaller94 Apr 8, 2023
ee199b2
Merge remote-tracking branch 'origin/main' into room-takeover
jaller94 May 17, 2023
a188ffb
depromote -> demote 2
jaller94 May 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
170 changes: 170 additions & 0 deletions proposals/3993-room-takeovers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
# MSC3991: Room takeover
Copy link
Contributor

@babolivier babolivier Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kind of already implied in the "Unstable room version" section, but it could be helpful to make it obvious that each proposed solution requires a new room version (as they are changing the authorization rules of the room).


In the current Spec, room members with the same power level cannot decrease or remove each other's power level.
However, a room admin may wish to legitimately demote another room admin.

For this proposal a "room admin" is a user with the highest power level in a room. For the use case this MSC addresses, a room must have two or more room admins.

There are multiple scenarios of why one room admin wishes to demote another room admin:

* The home server admin of a room admin can no longer be trusted.
* "I no longer want room admins with an account on evil.com, because their home server admin started messing with rooms."
* The home server of a room admin has been compromised.
* "I no longer want room admins with an account on compromised.com, because their home server has been hacked."
* The home server of a room admin went offline and cannot be recovered.
* "I no longer want room admins with an account on foo.com, because the domain is available for sale and a new domain owner could use the custom power level for evil."
* The account of a room admin has been compromised.
* "I want to demote Alice, because her account got hacked. She now has a new account."
* The account of a room admin is no longer in use or deactivated.
* "I want to demote Bob, because he left the company."
* A room admin can no longer be trusted.
* "I want to demote Charles, because they left their role as an organiser."

Use cases:
* The IT department of an organisation wants to demote a room admin when or after the person leaves the company.
* A meetup group with multiple organisers wants to deprom
* An organisation migrates from one domain to another. To avoid having to ask every room admin to demote themselves while promoting their new accounts, they want one account that has the permission to do so.
* To ensure my ownership of a room, I added multiple of my accounts as room admins to a room. One of the accounts is no longer accessible to me and I want to demote that account.

## Proposal 1 (simplest: `allow_depromotions`)
Copy link
Member

@richvdh richvdh Apr 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is equivalent to #3510, which got rejected?

Copy link
Contributor Author

@jaller94 jaller94 May 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is different from #3510 in the following ways:

  • This PR only allows joined members with the highest power level to demote each other. Members with a lower power level (e.g. "moderators") are not allowed to demote each other.
  • This PR does not change the default behaviour, but makes it a room setting.
    • This is relevant if the joined members with the highest power level don't have the permission to change the m.room.power_levels event. Otherwise, they can enable the setting themselves.


This MSC proposes an optional boolean `allow_depromotions` to be added to the `m.room.power_levels` state event. Its default value is `false` to be compatible with the current behaviour.
Copy link
Contributor Author

@jaller94 jaller94 Apr 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All three proposals currently add the permission to the m.room.power_levels state event type.
As a consequence, anyone who can edit this state event, can take over the room.
This essentially breaks the current truth that no room admin can demote another room admin.

I'm open to other suggestions, like adding a separate state event type, which could be configured to have a separate power level.

Copy link

@Sleuth56 Sleuth56 Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if there was an additional room power level higher than admin. The owner power level. This would make the admin power level not the highest and it would be "best practice" or maybe even forced to only allow one account to have this level . The admin power level could be kept the same or it could be set to have all powers except for deletion of the room.

This way there is an account that can remove admins as a last resort but there can be more than one admin and sense they would have all the powers there would be no reason to make anyone else owner.

Copy link
Contributor Author

@jaller94 jaller94 May 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea of one owner is contrary to my MSC.

I want to ensure a room can be continued by other admin accounts, if one admin account becomes untrusted/unavailable.


If `true`, a room member with the highest power level can lower (or remove) the power level of other room members with the same power level.

```json
{
"allow_depromotions": true,
"ban": 50,
"events": {
"m.room.name": 100,
"m.room.power_levels": 100
},
"events_default": 0,
"invite": 50,
"kick": 50,
"notifications": {
"room": 20
},
"redact": 50,
"state_default": 50,
"users": {
"@alice:localhost": 100,
"@bob:localhost": 100,
"@charles:localhost": 50,
"@delilah:localhost": 50
},
"users_default": 0
}
```

* Alice and Bob can lower each other's power level. _(this is the change!)_
* Charles and Delilah can not lower each other's power level, because they don't have the highest power level.

## Proposal 2 (simple: `owner`)

This MSC proposes an optional string array `owners` to be added to the `m.room.power_level` state event. Its default value is an empty array to be compatible with the current behaviour.

Any Matrix user listed in the array can lower (or remove) the power level of any member. They cannot raise their own power level based on this, to prevent an ambiguity of their actual power level.
Copy link
Contributor

@babolivier babolivier Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can an owner also demote another owner?

Copy link
Contributor Author

@jaller94 jaller94 May 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, an owner can demote other owners, as implied by "any member".


```json
{
"ban": 50,
"events": {
"m.room.name": 100,
"m.room.power_levels": 100
},
"events_default": 0,
"invite": 50,
"kick": 50,
"notifications": {
"room": 20
},
"owners": [
"@delilah:localhost"
],
"redact": 50,
"state_default": 50,
"users": {
"@alice:localhost": 100,
"@bob:localhost": 100,
"@charles:localhost": 50,
"@delilah:localhost": 50
},
"users_default": 0
}
```

* Alice and Bob can not lower each other's power level.
Copy link
Contributor

@babolivier babolivier Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can Alice and Bob remove Delilah from the owners? Who can actually edit that list?

Copy link
Contributor Author

@jaller94 jaller94 May 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can Alice and Bob remove Delilah from the owners?

Yes, Alice can remove Bob from the list of owners, because with her PL 100 she can replace the m.room.power_levels state event.

Who can actually edit that list?

Every joined member with the PL to set the m.room.power_levels state event.

I did consider adding owners to its own state event, however, it would only make a difference in practice, if owners could be changed with a lower power level (e.g. a moderator being allowed to recover a (half-broken) room where all admins have left).

* Charles can not lower Delilah's power level.
* Delilah can lower everyone's power level. She could demote Alice to allow Bob to take over the room. _(this is the change!)_
* She could also demote everyone but herself. This would decrease the highest power level of the room to 50 which is her own.

## Proposal 3 (complex: `takeover_users`)

This MSC proposes an optional array `takeover_users` to be added to the `m.room.power_level` state event. Its default value is an empty array to be compatible with the current behaviour.

Any Matrix user listed in the array can lower (or remove) the power level of any member. They cannot raise their own power level based on this, to prevent an ambiguity of their actual power level.

```json
{
"ban": 50,
"events": {
"m.room.name": 100,
"m.room.power_levels": 100
},
"events_default": 0,
"invite": 50,
"kick": 50,
"notifications": {
"room": 20
},
"redact": 50,
"state_default": 50,
"takeover_users": {
"@charles:localhost": [
"@alice:localhost"
],
"@delilah:localhost"
},
"users": {
"@alice:localhost": 100,
"@bob:localhost": 100,
"@charles:localhost": 100,
"@delilah:localhost": 50
},
"users_default": 0
}
```

* Alice and Bob can not lower each other's power level.
* Charles can lower the power level of Alice, but not the other room admins. _(this is different!)_
* Delilah can lower everyone's power level. She could demote Alice and Charles to allow Bob to take over the room. _(this is different!)_

## Potential issues

Simplest: It's simple but might not cover more complex use cases. It could be that one wishes to only allow a subset of room admins to take over a room.

Simple: It covers more use cases and also allows a room owner who can demote admins while not being allowed to otherwise change the power levels state event.
Copy link
Contributor

@babolivier babolivier Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if every owner leave the room?

In the case of your example above (with owners having lower PL than admins), what if the admins want to rebel and ban all owners? Though in this case I guess they might as well remove the owner (which does not seem to be forbidden under this spec).

Copy link
Contributor Author

@jaller94 jaller94 May 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if every owner leave the room?

It becomes a regular Matrix room as we know it today (implying the onwers can't join or manage to be invited again).

In the case of your example above (with owners having lower PL than admins), what if the admins want to rebel and ban all owners?

Admins can rebel. They (in most cases) have the power to ban members (owners don't have a special protection) and remove owners by changing the m.room.power_levels state event.


Complex: It covers even more cases but might introduce more complexity than needed. On the Other hand it allows fine tuning over who is allowed to demote which other user.

## Similar but different MSCs

* [MSC3915: Owner power level](https://github.com/matrix-org/matrix-spec-proposals/pull/3915) introduces a new named power level 150, however, it does not solve the use case of depromoting rogue users.
* [MSC3991: Power level up! Taking the room to new heights
](https://github.com/matrix-org/matrix-spec-proposals/pull/3991) allows room admins to raise their power level, however, it specifies that all members with the highest power level must be set to the new level.

## Alternatives

* I don't know of any alternatives outside of this MSC.
* While all three proposals can be implemented simultaneously, I see them as alternatives. Only one proposal should be introduced to the Matrix Spec.

## Security considerations

The current spec does not allow for a room admin to demote another admin. This MSC would allow them to become a sole room admin by upgrading the room, changing the state event for them to take over the room and then depromoting other admins.

## Unstable room version

While this feature is in development, the proposed behavior can be trialed with the
`org.matrix.msc3993` unstable room version, etc as we develop and iterate along the way.