Doc: Make clear that sharing registration_shared_secret is dangerous

[rugk]

In the config file it reads about registration_shared_secret:

If set, allows registration by anyone who also has the shared secret, even if registration is otherwise disabled.

Especially the last part implies that this is just a secret one can share to users, who want to create an account. It then enables the registration, but only for the user, who has this secret. Also sounds very convenient.

What you do not mention there is one big fact: With that secret, you can register admin accounts!
That means that this secret is much more dangerous than one expects from reading the config description! (I also thought it is harmless.)

And, BTW, I am not the only one, who had this idea: element-hq/element-web#2090

So better adjust the text there, to specifically point that out! (and make sure that no admin shares it)

[richvdh]

a pr to reword it would be welcome.

[rugk]

When you point me to the location, that needs to be adjusted... 😃

[june07]

@rugk I'm not finding in the code where users can register as admins via the REST interface? Per your post:
"With that secret, you can register admin accounts" can you tell me how/where they would be able to do such?

And secondarily, is this the desired behavior?

[rugk]

See also the issue I linked. There someone also said one can do this. I don't know whether I tested it, but I'm actually sure it is possible this way.

And, I guess, yes, it is intended. There is this Python script for creating accounts.

[aaronraimist]

When you point me to the location, that needs to be adjusted... 😃

synapse/synapse/config/registration.py

Line 74 in d69decd

# If set, allows registration by anyone who also has the shared

and the README probably

[aaronraimist]

Also this issue is a related to #1659 but since it has more info maybe that issue should be closed in favor of this one.

[richvdh]

fixed in #4844