add lockdown_public_room_directory config option

Signed-off-by: strawberry <strawberry@puppygock.gay>
strawberry 2024-03-30 22:58:20 -04:00 committed by June
parent 00ddc1c88e
commit 72b60c4770
3 changed files with 26 additions and 1 deletions


@ -217,6 +217,12 @@ allow_public_room_directory_over_federation = false
# authentication (access token) through the Client APIs. Set this to false to protect against /publicRooms spiders.
allow_public_room_directory_without_auth = false
# Set this to true to lock down your server's public room directory and only allow admins to publish rooms to the room directory.
# Unpublishing is still allowed by all users with this enabled.
#
# Defaults to false
lockdown_public_room_directory = false
# Set this to true to allow federating device display names / allow external users to see your device display name.
# If federation is disabled entirely (`allow_federation`), this is inherently false. For privacy, this is best disabled.
allow_device_name_federation = false


@ -102,8 +102,21 @@ pub async fn set_room_visibility_route(
match &body.visibility {
room::Visibility::Public => {
if services().globals.config.lockdown_public_room_directory && !services().users.is_admin(sender_user)? {
info!(
"Non-admin user {sender_user} tried to publish {0} to the room directory while \
\"lockdown_public_room_directory\" is enabled",
body.room_id
);
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Publishing rooms to the room directory is not allowed",
));
}
services().rooms.directory.set_public(&body.room_id)?;
info!("{} made {} public", sender_user, body.room_id);
info!("{sender_user} made {0} public", body.room_id);
},
room::Visibility::Private => services().rooms.directory.set_not_public(&body.room_id)?,
_ => {
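Review bot: The lockdown guard is placed in the `set_room_visibility_route` handler instead of next to `services().rooms.directory.set_public`, so it protects only this one endpoint. Any other caller of `set_public` outside this hunk would still let a non-admin publish while `lockdown_public_room_directory` is enabled, even though the sample config promises that only admins can publish. Room creation with a public `visibility` is the usual candidate, but it is not visible here, so those call sites should be checked or the `lockdown_public_room_directory && !is_admin(sender_user)?` test moved into one shared helper. The refusal is logged with `info!`; because it records a denied policy action, `warn!` would be easier to filter and alert on, assuming that macro is in scope in this file. The `match` and the handler body continue outside the hunk.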


@ -117,6 +117,8 @@ pub struct Config {
#[serde(default)]
pub allow_public_room_directory_without_auth: bool,
#[serde(default)]
pub lockdown_public_room_directory: bool,
#[serde(default)]
pub allow_device_name_federation: bool,
#[serde(default = "true_fn")]
pub allow_room_creation: bool,
@ -420,6 +422,10 @@ impl fmt::Display for Config {
"Allow public room directory without authentication",
&self.allow_public_room_directory_without_auth.to_string(),
),
(
"Lockdown public room directory (only allow admins to publish)",
&self.lockdown_public_room_directory.to_string(),
),
(
"JWT secret",
match self.jwt_secret {