From aea03c9d734d3dd5f0650b9d127bc9026266505c Mon Sep 17 00:00:00 2001
From: Brendan Abolivier <babolivier@matrix.org>
Date: Thu, 25 Jul 2019 10:14:41 +0200
Subject: Doc

---
 synapse/third_party_rules/access_rules.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/synapse/third_party_rules/access_rules.py b/synapse/third_party_rules/access_rules.py
index 786f3d9ad3..07b449ab32 100644
--- a/synapse/third_party_rules/access_rules.py
+++ b/synapse/third_party_rules/access_rules.py
@@ -123,6 +123,11 @@ class RoomAccessRules(object):
                 join_rule = event["content"].get("join_rule")
 
         if access_rule:
+            # If there's an access rules event in the initial state, check if the prefix
+            # or the join rule in use is compatible (i.e. if it involves a "public" join
+            # rule, the access rule must be "restricted"). We don't need to check that if
+            # there's no access rule provided, as in this case the access rule will
+            # default to "restricted", with which any join rule is allowed.
             if join_rule == JoinRules.PUBLIC and access_rule != ACCESS_RULE_RESTRICTED:
                 raise SynapseError(400, "Invalid access rule")
 
@@ -132,8 +137,8 @@ class RoomAccessRules(object):
             ):
                 raise SynapseError(400, "Invalid access rule")
         else:
-            # If there's no rules event in the initial state, create one with the default
-            # setting.
+            # If there's no access rules event in the initial state, create one with the
+            # default setting.
             if is_direct:
                 default_rule = ACCESS_RULE_DIRECT
             else:
@@ -437,6 +442,13 @@ class RoomAccessRules(object):
         allowed unless the new join rule is "public" and the current access rule isn't
         "restricted".
 
+        Note that we currently rely on the default access rule being "restricted": during
+        room creation, the m.room.join_rules event will be sent *before* the
+        im.vector.room.access_rules one, so the access rule that will be considered here
+        in this case will be the default "restricted" one. This is fine since the
+        "restricted" access rule allows any value for the join rule, but we should keep
+        that in mind if we need to change the default access rule in the future.
+
         Args:
             event (synapse.events.EventBase): The event to check.
             rule (str): The name of the rule to apply.
-- 
cgit 1.5.1