Merge 70f6749c92 into b6a127b5cb

Signed-off-by: famfo <famfo@famfo.xyz>

changelogs/room_versions/newsfragments/2220.clarification

@@ -0,0 +1 @@
+In room versions 8 through 12, clarify that "sufficient permission to invite users" on restricted joins also includes being a joined member of the room.

changelogs/server_server/newsfragments/2191.clarification

@@ -0,0 +1 @@
+Clarify what the minimum_valid_until_ts field means when it is set in key queries.

content/rooms/fragments/v8-auth-rules.md

@@ -74,7 +74,7 @@ The rules are as follows:
             1.  If membership state is `join` or `invite`, allow.
             2.  If the `join_authorised_via_users_server` key in `content`
                 is not a user with sufficient permission to invite other
-                users, reject.
+                users or is not a joined member of the room, reject.
             3.  Otherwise, allow.
         6.  If the `join_rule` is `public`, allow.
         7.  Otherwise, reject.

content/rooms/v10.md

@@ -150,7 +150,7 @@ The rules are as follows:
             1.  If membership state is `join` or `invite`, allow.
             2.  If the `join_authorised_via_users_server` key in `content`
                 is not a user with sufficient permission to invite other
-                users, reject.
+                users or is not a joined member of the room, reject.
             3.  Otherwise, allow.
         6.  If the `join_rule` is `public`, allow.
         7.  Otherwise, reject.

content/rooms/v11.md

@@ -157,7 +157,7 @@ The rules are as follows:
             1.  If membership state is `join` or `invite`, allow.
             2.  If the `join_authorised_via_users_server` key in `content`
                 is not a user with sufficient permission to invite other
-                users, reject.
+                users or is not a joined member of the room, reject.
             3.  Otherwise, allow.
         6.  If the `join_rule` is `public`, allow.
         7.  Otherwise, reject.

content/rooms/v12.md

@@ -141,7 +141,7 @@ The rules are as follows:
             1.  If membership state is `join` or `invite`, allow.
             2.  If the `join_authorised_via_users_server` key in `content`
                 is not a user with sufficient permission to invite other
-                users, reject.
+                users or is not a joined member of the room, reject.
             3.  Otherwise, allow.
         6.  If the `join_rule` is `public`, allow.
         7.  Otherwise, reject.

data/api/server-server/keys_query.yaml

@@ -34,8 +34,8 @@ paths:
         - in: query
           name: minimum_valid_until_ts
           description: |-
-            A millisecond POSIX timestamp in milliseconds indicating when the returned
+            A millisecond POSIX timestamp. The returned keys MUST be valid
-            certificates will need to be valid until to be useful to the requesting server.
+            until at least this timestamp.
 
             If not supplied, the current time as determined by the notary server is used.
           required: false
@@ -98,9 +98,8 @@ paths:
                           type: integer
                           format: int64
                           description: |-
-                            A millisecond POSIX timestamp in milliseconds indicating when
+                            A millisecond POSIX timestamp. The returned keys
-                            the returned certificates will need to be valid until to be
+                            MUST be valid until at least this timestamp.
-                            useful to the requesting server.
 
                             If not supplied, the current time as determined by the notary
                             server is used.