-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redacting a kick/ban shouldn't redact the reason #1996
Comments
I'm not convinced this is the right approach. Things that are protected from the redaction algorithm should be limited to those which are key to the structure of the room. I worry that if we start opening it up in this way, we'll end up with a huge and unwieldy list. Also: what a rogue moderator bans somebody with an offensive ban reason? Wouldn't you like to be able to redact the reason? An alternative approach might be for clients to make sure that, when a join event is redacted (so the displayname is redacted), any places where that displayname is displayed should be updated. In other words: can this problem be solved at the client level rather than the protocol level? |
Rogue moderators are not a protocol problem to solve: our threat model already acknowledges that moderators can do things to rooms which can be considered undesirable or dangerous. I'm really not convinced that this can be solved at the client level, as they'd be sending a |
My question is: why are you redacting the ban in the first place? I contend it is a workaround for a client bug. |
(This is fair. I use the example more as a thought experiment in the things that redacts should or not redact in the theoretical sense than as an actual problem I want to solve.) |
After re-reading what Travis gave as the original case, I also become unconvinced that redacting the ban/kick itself should be a means to an end. It's not even about rogue moderators or something but the very action of redacting the ban looks a bit counter-intuitive. In particular, I don't think all moderators would readily understand that redacting a ban doesn't lift it (judging by my own experience - it took me quite many months to get to that idea) - so likely to just curse the stupid client (or even the Matrix protocol) that it doesn't "just work". Maybe let's just clarify the proper behaviour for client authors? This is not quite straightforward either, in fact - what if not the displayname but the user id is offensive? Should it be something like "MrModerator banned , reason: offensive user id"? |
Because as a moderator it's easier to ban first (stop the spam) then deal with the user's profile later. Yes, clients should be adding all the appropriate flags for overflow handling, however that doesn't feel like a good enough justification to not be helpful at the protocol level. It sounds like I'm the only one arguing for this though, even external to this issue, so closing as won't fix. |
Banning someone for a giant display name can go wrong because clients will be inclined to say "TravisR banned <6000 characters> for: spam", which the moderator probably wants to redact because spam. The reason is currently lost in that redaction, so the record forever shows that the moderator banned someone for no reason.
The text was updated successfully, but these errors were encountered: