From 01300dbce7912aee747b1f149f04be85fc0e4589 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Thu, 13 Mar 2025 10:58:44 +0100 Subject: [PATCH 1/3] MSC4260: Reporting users (Client-Server API) Signed-off-by: Johannes Marbach --- .../modules/report_content.md | 17 +++++ data/api/client-server/report_content.yaml | 73 +++++++++++++++++-- 2 files changed, 84 insertions(+), 6 deletions(-) diff --git a/content/client-server-api/modules/report_content.md b/content/client-server-api/modules/report_content.md index 6f34e938..ec9f101b 100644 --- a/content/client-server-api/modules/report_content.md +++ b/content/client-server-api/modules/report_content.md @@ -29,3 +29,20 @@ is in before accepting a report. based on whether or not the reporting user is joined to the room. This is because users can be exposed to harmful content without being joined to a room. For instance, through room directories or invites. + +{{% added-in v="1.14" %}} Similarly, servers MUST NOT restrict user reports +based on whether or not the reporting user is joined to any rooms that the +reported user is joined to. This is because users can be exposed to harmful +content without being joined to a room. For instance, through user +directories or invites. + +Clients can infer whether a reported event, room or user exists based on the +404 responses of the reporting endpoints. Homeservers that wish to conceal +this information MAY return 200 responses regardless of the existence of the +reported subject. + +Furthermore, it might be possible for clients to deduce whether a reported +event, room or user exists by timing the response. This is because only a +report for an existing subject will require the homeserver to do further +processing. To combat this, homeserver implementations MAY add a random +delay when generating a response. diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 654784ca..d502033f 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml @@ -88,12 +88,6 @@ paths: Reports an event as inappropriate to the server, which may then notify the appropriate people. The caller must be joined to the room to report it. - - It might be possible for clients to deduce whether an event exists by - timing the response, as only a report for an event that does exist - will require the homeserver to check whether a user is joined to - the room. To combat this, homeserver implementations should add - a random delay when generating a response. operationId: reportEvent parameters: - in: path @@ -164,6 +158,73 @@ paths: } tags: - Reporting content + "/users/{userId}/report": + post: + x-addedInMatrixVersion: "1.14" + summary: Report a user as inappropriate. + description: |- + Reports a user as inappropriate to the server, which may then notify + the appropriate people. How such information is delivered is left up to + implementations. The caller is not required to be joined to any rooms + that the reported user is joined to. + + Clients may wish to [ignore](#ignoring-users) users after reporting them. + operationId: reportUser + parameters: + - in: path + name: userId + description: The user being reported. + required: true + example: "@someguy:example.com" + schema: + type: string + requestBody: + content: + application/json: + schema: + type: object + example: { + "reason": "this makes me sad" + } + properties: + reason: + type: string + description: The reason the room is being reported. + required: true + security: + - accessTokenQuery: [] + - accessTokenBearer: [] + responses: + "200": + description: The user has been reported successfully. + content: + application/json: + schema: + type: object + examples: + response: + value: {} + "404": + description: |- + The user was not found on the homeserver. + content: + application/json: + schema: + $ref: definitions/errors/error.yaml + examples: + response: + value: { + "errcode": "M_NOT_FOUND", + "error": "The user was not found." + } + "429": + description: This request was rate-limited. + content: + application/json: + schema: + $ref: definitions/errors/rate_limited.yaml + tags: + - Reporting content servers: - url: "{protocol}://{hostname}{basePath}" variables: From e664075ba5866d42ade3b608115586624f21b64b Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Thu, 13 Mar 2025 11:06:33 +0100 Subject: [PATCH 2/3] Add changelog --- changelogs/client_server/newsfragments/2093.new | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/client_server/newsfragments/2093.new diff --git a/changelogs/client_server/newsfragments/2093.new b/changelogs/client_server/newsfragments/2093.new new file mode 100644 index 00000000..28c03ffc --- /dev/null +++ b/changelogs/client_server/newsfragments/2093.new @@ -0,0 +1 @@ +Add `POST /_matrix/client/v3/users/{userId}/report` as per [MSC4260](https://github.com/matrix-org/matrix-spec-proposals/pull/4260). \ No newline at end of file From ebc71218d28e50a28ff7c4bf9bedbad419e656aa Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Thu, 13 Mar 2025 17:57:13 +0100 Subject: [PATCH 3/3] Update data/api/client-server/report_content.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Kévin Commaille <76261501+zecakeh@users.noreply.github.com> --- data/api/client-server/report_content.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index d502033f..7afe5cec 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml @@ -178,6 +178,8 @@ paths: example: "@someguy:example.com" schema: type: string + format: mx-user-id + pattern: "^@" requestBody: content: application/json: