From 97bf30b7a3eb092619bef4fc1f98c5abf9306500 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Fri, 21 Mar 2025 10:04:50 +0100 Subject: [PATCH] Move option to consistently respond with 200 to user reporting endpoint --- content/client-server-api/modules/report_content.md | 5 ----- data/api/client-server/report_content.yaml | 8 +++++++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/content/client-server-api/modules/report_content.md b/content/client-server-api/modules/report_content.md index ec9f101b..8092c5bc 100644 --- a/content/client-server-api/modules/report_content.md +++ b/content/client-server-api/modules/report_content.md @@ -36,11 +36,6 @@ reported user is joined to. This is because users can be exposed to harmful content without being joined to a room. For instance, through user directories or invites. -Clients can infer whether a reported event, room or user exists based on the -404 responses of the reporting endpoints. Homeservers that wish to conceal -this information MAY return 200 responses regardless of the existence of the -reported subject. - Furthermore, it might be possible for clients to deduce whether a reported event, room or user exists by timing the response. This is because only a report for an existing subject will require the homeserver to do further diff --git a/data/api/client-server/report_content.yaml b/data/api/client-server/report_content.yaml index 7afe5cec..b21b1de5 100644 --- a/data/api/client-server/report_content.yaml +++ b/data/api/client-server/report_content.yaml @@ -169,6 +169,10 @@ paths: that the reported user is joined to. Clients may wish to [ignore](#ignoring-users) users after reporting them. + + Clients could infer whether a reported user exists based on the 404 response. + Homeservers that wish to conceal this information MAY return 200 responses + regardless of the existence of the reported user. operationId: reportUser parameters: - in: path 
@@ -198,7 +202,9 @@ paths: - accessTokenBearer: [] responses: "200": - description: The user has been reported successfully. + description: | + The user has been reported successfully or the server chose + to not disclose whether the users exists. content: application/json: schema:
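Review bot: In the hunk that removes the 404 paragraph from content/client-server-api/modules/report_content.md, the paragraph left behind as context still opens with "Furthermore, it might be possible for clients to deduce whether a reported event, room or user exists by timing the response", but there is no longer a preceding point for "Furthermore" to continue. Reword that opening so the timing paragraph stands on its own. The module text now also says nothing about 404-based inference for event and room reports, while the timing paragraph still names all three subjects. If the MAY-return-200 option is intentionally limited to user reports, say so here so readers do not assume it still applies to the other endpoints.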
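Review bot: In the reportUser description added at @@ -169 in data/api/client-server/report_content.yaml, the new paragraph addresses only the status-code signal. A homeserver that returns 200 for every request still discloses whether the user exists if the response time differs, which is the concern the module text raises about timing. Suggest pointing to that timing guidance from this description, so an implementer who reads only the endpoint documentation sees both halves of the concealment advice. Minor: the removed module text said "can infer" and the new text says "could infer"; pick one wording.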
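Review bot: In the "200" response description changed at @@ -198, "whether the users exists" has a typo and should read "whether the user exists"; "chose to not disclose" would also read better as "chose not to disclose". Since a 200 now covers two outcomes, it would help to state in the description that clients cannot treat a 200 as confirmation that the report was recorded against an existing user.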