Restrict entity acl content

Description

Please do the following:
1. Disallow anonymous user from any acl.
2. Disallow anything but read from public group (unsure if system conforms to this rule today, so there may be additional migration work).

Environment

None

Activity

Show:
Jay Hodgson
February 23, 2020, 12:11 AM

Tried to add the anonymous user to an ACL on staging, and received a nice/informative error message:

Cannot assign permissions to anonymous. To share resources with anonymous users, use the PUBLIC group id (273949)

 

And when I try to assign an access type set other than Can View (READ) to the public group, then I receive a nice error in this case too:

Only READ permissions can be assigned to the public group

 

Closing, thank you !

Marco Marasca
February 14, 2020, 3:06 AM

PR for disallowing anonymous user ACL and <> READ on public group: .

We will run the following in prod to remove the ACL:

 

Marco Marasca
February 14, 2020, 3:00 AM

Current ACL for public group with access <> ‘READ’ and anonymous:

 

Bruce Hoff
September 28, 2018, 7:09 PM

's work doesn't affect this. His work allows us to cluster, collect incoming requests by user even when the user is working anonymously and this allows us to throttle users individually (even if they're anonymous). That's different from this issue, which is about preventing nonsensical permissions settings.

Ziming Dong
September 28, 2018, 6:31 PM


The work with session Ids still make use of the Anonymous userId. We are changing api call throttling from being based off the user's ID to being based off a concatenation of each connected device's IP address, userId (including anonymous id) and a sessionId provided by the backend.

Fixed

Assignee

Marco Marasca

Reporter

Jay Hodgson

Validator

Jay Hodgson

Priority

Minor

Labels

Development Area

Synapse Core Infrastructure

Sprint

None

Fix versions

Release Version History

None

Story Points

None

Epic Link

Slack Channel

None