Follow doc changes

element-hq · Nov 26, 2024 · b31dfcd · b31dfcd
1 parent e157a0a
commit b31dfcd
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
@@ -1812,7 +1812,22 @@ Config options related to Synapse's media store.
 ---
 ### `enable_authenticated_media`
 
-*(boolean)* When set to true, all subsequent media uploads will be marked as authenticated, and will not be available over legacy unauthenticated media endpoints (`/_matrix/media/(r0|v3|v1)/download` and `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints `_matrix/client/v1/media/download` and `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false after enabling, media marked as authenticated will be available over legacy endpoints. Will default to true in a future Synapse release. Defaults to `false`.
+*(boolean)* When set to true, all subsequent media uploads will be marked as authenticated, and will not be available over legacy unauthenticated media endpoints (`/_matrix/media/(r0|v3|v1)/download` and `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints `_matrix/client/v1/media/download` and `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false after enabling, media marked as authenticated will be available over legacy endpoints. Defaults to true (previously false). In a future release of Synapse, this option will be removed and become always-on.
+
+In all cases, authenticated requests to download media will succeed, but for unauthenticated requests, this case-by-case breakdown describes whether media downloads are permitted:
+
+* `enable_authenticated_media = False`:
+  * unauthenticated client or homeserver requesting local media: allowed
+  * unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache, or as long as the remote homeserver does not require authentication to retrieve the media
+* `enable_authenticated_media = True`:
+  * unauthenticated client or homeserver requesting local media: allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.
+  * unauthenticated client or homeserver requesting remote media: the same as for local media; allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.
+
+It is especially notable that media downloaded before this option existed (in older Synapse versions), or whilst this option was set to `False`, will perpetually be available over the legacy, unauthenticated endpoint, even after this option is set to `True`. This is for backwards compatibility with older clients and homeservers that do not yet support requesting authenticated media; those older clients or homeservers will not be cut off from media they can already see.
+
+_Changed in Synapse 1.120:_ This option now defaults to `True` when not set, whereas before this version it defaulted to `False`.
+
+Defaults to `false`.
 
 Example configuration:
 ```yaml

diff --git a/schema/synapse-config.schema.json b/schema/synapse-config.schema.json
@@ -1233,7 +1233,7 @@
     },
     "enable_authenticated_media": {
       "type": "boolean",
-      "description": "When set to true, all subsequent media uploads will be marked as authenticated, and will not be available over legacy unauthenticated media endpoints (`/_matrix/media/(r0|v3|v1)/download` and `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints `_matrix/client/v1/media/download` and `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false after enabling, media marked as authenticated will be available over legacy endpoints. Will default to true in a future Synapse release.",
+      "description": "When set to true, all subsequent media uploads will be marked as authenticated, and will not be available over legacy unauthenticated media endpoints (`/_matrix/media/(r0|v3|v1)/download` and `/_matrix/media/(r0|v3|v1)/thumbnail`) – requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints `_matrix/client/v1/media/download` and `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false after enabling, media marked as authenticated will be available over legacy endpoints. Defaults to true (previously false). In a future release of Synapse, this option will be removed and become always-on.\n\nIn all cases, authenticated requests to download media will succeed, but for unauthenticated requests, this case-by-case breakdown describes whether media downloads are permitted:\n\n* `enable_authenticated_media = False`:\n  * unauthenticated client or homeserver requesting local media: allowed\n  * unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache, or as long as the remote homeserver does not require authentication to retrieve the media\n* `enable_authenticated_media = True`:\n  * unauthenticated client or homeserver requesting local media: allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.\n  * unauthenticated client or homeserver requesting remote media: the same as for local media; allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.\n\nIt is especially notable that media downloaded before this option existed (in older Synapse versions), or whilst this option was set to `False`, will perpetually be available over the legacy, unauthenticated endpoint, even after this option is set to `True`. This is for backwards compatibility with older clients and homeservers that do not yet support requesting authenticated media; those older clients or homeservers will not be cut off from media they can already see.\n\n_Changed in Synapse 1.120:_ This option now defaults to `True` when not set, whereas before this version it defaulted to `False`.",
       "default": false,
       "examples": [true]
     },

diff --git a/schema/synapse-config.schema.yaml b/schema/synapse-config.schema.yaml
@@ -2084,8 +2084,34 @@ properties:
       `_matrix/client/v1/media/thumbnail`. Media uploaded prior to setting this
       option to true will still be available over the legacy endpoints. Note if
       the setting is switched to false after enabling, media marked as
-      authenticated will be available over legacy endpoints. Will default to
-      true in a future Synapse release.
+      authenticated will be available over legacy endpoints. Defaults to true
+      (previously false). In a future release of Synapse, this option will be
+      removed and become always-on.
+
+
+      In all cases, authenticated requests to download media will succeed, but
+      for unauthenticated requests, this case-by-case breakdown describes
+      whether media downloads are permitted:
+
+
+      * `enable_authenticated_media = False`:
+        * unauthenticated client or homeserver requesting local media: allowed
+        * unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache, or as long as the remote homeserver does not require authentication to retrieve the media
+      * `enable_authenticated_media = True`:
+        * unauthenticated client or homeserver requesting local media: allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.
+        * unauthenticated client or homeserver requesting remote media: the same as for local media; allowed if the media was stored on the server whilst `enable_authenticated_media` was `False` (or in a previous Synapse version where this option did not exist); otherwise denied.
+
+      It is especially notable that media downloaded before this option existed
+      (in older Synapse versions), or whilst this option was set to `False`,
+      will perpetually be available over the legacy, unauthenticated endpoint,
+      even after this option is set to `True`. This is for backwards
+      compatibility with older clients and homeservers that do not yet support
+      requesting authenticated media; those older clients or homeservers will
+      not be cut off from media they can already see.
+
+
+      _Changed in Synapse 1.120:_ This option now defaults to `True` when not
+      set, whereas before this version it defaulted to `False`.
     default: false
     examples:
       - true