MSC2938: Report content to moderators #2938
Conversation
Half-Shot
changed the title
turt2live
added
kind:maintenance
| If `target` is `"room-moderators"`, the message is intended to be propagated as a server notice to | ||
| moderators and administrators of this room. |
There was a problem hiding this comment.
"moderators and administrators of this room" should probably be defined precisely, e.g. with a specific power level (some key in the power level event, not a hardcoded value)
There was a problem hiding this comment.
Good point.
I've added the definition "moderator == someone who can both kick and ban" and removed the word "administrator" entirely. Do you feel it's now clear enough?
There was a problem hiding this comment.
Should they also be able to redact the reported messages?
|
I have added a first draft of how to make this work with federation. |
| ---------------------------------- | ||
| | target | string | One of "room-moderators", "homeserver-admins". | | ||
|
|
||
| If `target` is `"homeserver-admins"` or unspecified, the behavior is unchanged. |
There was a problem hiding this comment.
Potentially tricky because the spec doesn't actually a concept of a homeserver admin. Technically reports can be read by admins because they end up in the report table, but I wonder if we need to further define the role of a homeserver ad min. This is probably something for the spec team to think about.
There was a problem hiding this comment.
Well the client-server spec already mentions "server administrator" 10 times. It just doesn't say how that must be implemented.
There was a problem hiding this comment.
I could easily rename this server-administrator, it it changes anything.
There was a problem hiding this comment.
I think we've informally referred to it as "a implementation may have a server admin that may do blah if they like", but I've not seen it referred to explicitly in the keys and strings of the spec, which is my concern here.
There was a problem hiding this comment.
Well, we could rename it to homeserver, without mentioning a specific role.
|
|
||
| | Parameter | Type | Description | | ||
| ---------------------------------- | ||
| | target | string | One of "room-moderators", "homeserver-admins". | |
There was a problem hiding this comment.
Part of me wonders if this would be suited to an integer field, where users with a PL above this number will get the report. It might make things more flexible
There was a problem hiding this comment.
It probably would but it would also open this API to sending notices to everyone in the room. Is this something we want?
There was a problem hiding this comment.
I'm not convinced it should be tied to PLs.
On the other hand hyphen-separated identifiers are not something the matrix spec uses anywhere else, afaik: we use underscores to separate words.
There was a problem hiding this comment.
Or we could make this "admin.room" vs. "admin.server".
| homeserver as the user. This is a limitation that needs to be fixed before merging this proposal. | ||
| However, it may be possible to run an experiment before this limitation is fixed. | ||
|
|
||
| This proposal may end up being used for spamming the moderators of rooms. We believe |
There was a problem hiding this comment.
I do have concerns about this, as previously the homeserver would just stick events into a table and essentially making it a poor spam vector (due to lack of vis for most people) especially when rate limited. This PR changes the reports from being invisible-by-default to visible-by-default which IS making the problem worse as it stands.
The other problem is that one report presumably causes a message to be sent to N moderators, which can be used as an amplification attack generally mass spamy thing.
There was a problem hiding this comment.
I do have concerns about this, as previously the homeserver would just stick events into a table and essentially making it a poor spam vector (due to lack of vis for most people) especially when rate limited. This PR changes the reports from being invisible-by-default to visible-by-default which IS making the problem worse as it stands.
That is true.
A few ideas from the top of my head:
- we could rate-limit this;
- we could make spam-checkers able to inspect these reports.
| "reason": "{reason}" // From JSON body parameter | ||
| } | ||
| ``` | ||
| 3. for all homeservers other than local with at least one moderator in room `roomId`: |
There was a problem hiding this comment.
This would send the report into the room as it stands, which would out the reporter to the whole room? :(
There was a problem hiding this comment.
There is the "When a server receives a PDU with the following content" section below, but any server admins (= users with their own server in the room) could trivially bypass that and read all reports even if they're not a room admin.
There was a problem hiding this comment.
This would send the report into the room as it stands, which would out the reporter to the whole room? :(
I don't understand. What should I change to make it visible only to moderators?
There was a problem hiding this comment.
There is the "When a server receives a PDU with the following content" section below, but any server admins (= users with their own server in the room) could trivially bypass that and read all reports even if they're not a room admin.
Yes, is that something we should defend against?
There was a problem hiding this comment.
We could use encryption to solve this. Just e2e encrypt it to the mods. Although this still leaks that you are messaging the mods and would require some sort of UX to hide this from clients who are not mods. Also need to deal with the UX of what sessions for which mods you trust.
Otherwise this is hard because it requires bypassing the regular room sync protocol IIUC. Basically we would need to replicate this report only to servers where at least one user is an admin.
One option would be to create a new room with the mods, but then you need to define a lot of metadata to link that chat back to the originating room and the client UX would probably want to display it as events in the original room rather than a new room. This approach does have some advantages though such as allowing e2ee even in non-encrypted rooms and a natural place for follow up discussion about the report.
There was a problem hiding this comment.
A new room, world-writable but only readable by mods?
Sounds like e-mail :)
I'm open to exploring this (hopefully in a followup) but this raises quite a few questions:
- which user opened the room?
- assuming that we wish to reuse rooms across reports, how do we find out (across federation) about the already opened room?
- should we kick moderators from the room when they lose moderator status?
- etc.
There was a problem hiding this comment.
I don't think it should be only readable to mods because then they can't ask follow up questions. Right now it seems like opening a new room per report would be the best option. (Maybe reusing if the same user reports again to the same mods? Or the user can reuse the room but update the mod list?)
|
Leaving my thoughts here like i did in the synapse-dev room: I think the best course of action would be to make this an (This room would establish a DM with another homeserver "server" user (e.g. |
I have no problem with using the |
| | Parameter | Type | Description | | ||
| ---------------------------------- | ||
| | target | string | One of "room-moderators", "homeserver-admins". | |
There was a problem hiding this comment.
please can you fix the formatting on this table? (see https://github.com/Yoric/matrix-doc/blob/master/proposals/2938-report-content-to-moderators.md#client-api)
| | Parameter | Type | Description | | ||
| ---------------------------------- | ||
| | body | string | **Required** A human-readable description of the problem, generated by the server (e.g. "User %s has reported that '%s'"). | | ||
| | msgtype | enum | **Required** In this case, `m.server_notice.content_report`. | | ||
| | roomId | string | **Required** The id of the room being reported. | | ||
| | eventId | string | **Required** The id of the event being reported. | | ||
| | userId | string | **Required** The id of the user reporting the event. | | ||
| | score | integer | The score to rate this content as where -100 is most offensive and 0 is inoffensive, as given by the reporting user. | | ||
| | reason | string | The reason given by the reporting user. | | ||
|
|
There was a problem hiding this comment.
please can you fix the formatting on this one too?
| 1. ignore the message if `eventId` is not an event in `roomId` or if the user is not a member of `roomId`; otherwise | ||
| 2. for all moderators in room `roomId` *on the local homeserver*: | ||
| 1. send a server notice | ||
| ```json |
There was a problem hiding this comment.
can you use jsonc for these code blocks to stop github making them all bright red?
There was a problem hiding this comment.
| ```json | |
| ```jsonc |
|
|
||
| | Parameter | Type | Description | | ||
| ---------------------------------- | ||
| | target | string | One of "room-moderators", "homeserver-admins". | |
There was a problem hiding this comment.
I'm not convinced it should be tied to PLs.
On the other hand hyphen-separated identifiers are not something the matrix spec uses anywhere else, afaik: we use underscores to separate words.
| "roomId": "{roomId}", // From path parameter | ||
| "eventId": "{eventId}", // From path parameter | ||
| "userId": "{userId}", // From authentication token |
There was a problem hiding this comment.
please do NOT use camel-case in json. Per https://matrix.org/docs/spec/client_server/r0.6.1#api-standards
The names of the API endpoints for the HTTP transport follow a convention of using underscores to separate words (for example /delete_devices). The key names in JSON objects passed over the API also follow this convention.
| @@ -0,0 +1,222 @@ | |||
| # MSC2938: Report Content to Moderators | |||
There was a problem hiding this comment.
can you add an Unstable prefix section to this doc? (see https://github.com/matrix-org/matrix-doc/blob/master/proposals/0000-proposal-template.md#unstable-prefix)
| 1. ignore the message if `eventId` is not an event in `roomId` or if the user is not a member of `roomId`; otherwise | ||
| 2. for all moderators in room `roomId` *on the local homeserver*: | ||
| 1. send a server notice | ||
| ```json |
There was a problem hiding this comment.
| ```json | |
| ```jsonc |
| "reason": "{reason}" // From JSON body parameter | ||
| } | ||
| ``` | ||
| 3. for all homeservers other than local with at least one moderator in room `roomId`: |
There was a problem hiding this comment.
We could use encryption to solve this. Just e2e encrypt it to the mods. Although this still leaks that you are messaging the mods and would require some sort of UX to hide this from clients who are not mods. Also need to deal with the UX of what sessions for which mods you trust.
Otherwise this is hard because it requires bypassing the regular room sync protocol IIUC. Basically we would need to replicate this report only to servers where at least one user is an admin.
One option would be to create a new room with the mods, but then you need to define a lot of metadata to link that chat back to the originating room and the client UX would probably want to display it as events in the original room rather than a new room. This approach does have some advantages though such as allowing e2ee even in non-encrypted rooms and a natural place for follow up discussion about the report.
turt2live
added
the
needs-implementation
|
|
||
| | Parameter | Type | Description | | ||
| | --------- |------- | ----------- | | ||
| | target | string | One of "server-notice", "homeserver_admins". | |
There was a problem hiding this comment.
As below
| | target | string | One of "server-notice", "homeserver_admins". | | |
| | target | string | One of "room_moderators", "homeserver_admins". | |
As a followup to element-hq/element-meta#1848, this proposal introduces a mechanism to report content to room moderators instead of reporting it to homeserver administrators.
Rendered: https://github.com/Yoric/matrix-doc/blob/master/proposals/2938-report-content-to-moderators.md