From 02409c06b869f521e017aa164f880ae4dcc8952f Mon Sep 17 00:00:00 2001
From: new-years-eve
Date: Tue, 28 Apr 2026 09:19:27 +0000
Subject: [PATCH] feat: Add config check to make sure default ACL doesn't self-ban the server
---
 src/core/config/check.rs | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/src/core/config/check.rs b/src/core/config/check.rs
index d2293e368..bc9878598 100644
--- a/src/core/config/check.rs
+++ b/src/core/config/check.rs
@@ -2,6 +2,7 @@ use std::env::consts::OS;
 use either::Either;
 use figment::Figment;
+use ruma::events::room::server_acl::RoomServerAclEventContent;
 use super::DEPRECATED_KEYS;
 use crate::{Config, Err, Result, Server, debug, debug_info, debug_warn, error, warn};
@@ -254,11 +255,38 @@ pub fn check(config: &Config) -> Result {
 ));
 }
- if config.default_room_acl_allow.is_some() && config.default_room_acl_deny.is_some() {
- return Err!(Config(
- "default_room_acl_deny",
- "Cannot provide a value for both default_room_acl_allow and default_room_acl_deny"
- ));
+ match (&config.default_room_acl_allow, &config.default_room_acl_deny) {
+ | (Some(_), Some(_)) => {
+ return Err!(Config(
+ "default_room_acl_deny",
+ "Cannot provide a value for both default_room_acl_allow and \
+ default_room_acl_deny."
+ ));
+ },
+ | (Some(allow), None) => {
+ if !RoomServerAclEventContent::new(true, allow.clone(), vec![])
+ .is_allowed(&config.server_name)
+ {
+ return Err!(Config(
+ "default_room_acl_allow",
+ "The default room Access Control List does not allow this server in the \
+ rooms it creates. Note that when using an allow list, servers are denied \
+ unless they match an allow value."
+ ));
+ }
+ },
+ | (None, Some(deny)) => {
+ if !RoomServerAclEventContent::new(true, vec!["*".to_owned()], deny.clone())
+ .is_allowed(&config.server_name)
+ {
+ return Err!(Config(
+ "default_room_acl_deny",
+ "The default room Access Control List denies this server access to the \
+ rooms it creates."
+ ));
+ }
+ },
+ | _ => (),
 }
 Ok(())
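Review bot: Both self-ban checks validate a reconstructed ACL (`allow_ip_literals` hard-coded to `true`, and in the deny-only arm an allow list synthesized as `vec!["*".to_owned()]`) rather than the event content the server actually sends when it creates a room. The room-creation code is outside this diff, so this is inferred, but if it builds the default ACL with different values (for instance `allow_ip_literals` false while `server_name` is an IP literal) this check would pass and the server could still lock itself out of its own rooms. I would construct the content in one shared helper used by both places, or at minimum add `// Must stay in sync with the default ACL content built at room creation (allow_ip_literals, implicit "*" allow).` above the `match`. The trailing `| _ => (),` arm can only be `(None, None)`; writing it as `| (None, None) => (),` makes that explicit. check() begins before this hunk, so only this tail of its body is reviewed here.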