add lockdown_public_room_directory config option

Signed-off-by: strawberry <strawberry@puppygock.gay>

add lockdown_public_room_directory config option
72b60c47 · 🥺 · 🥺 · 00ddc1c8 · 72b60c47 · 72b60c47
Commit 72b60c47 authored 11 months ago by 🥺 Committed by 🥺 11 months ago
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -217,6 +217,12 @@ allow_public_room_directory_over_federation = false
 # authentication (access token) through the Client APIs. Set this to false to protect against /publicRooms spiders.
 allow_public_room_directory_without_auth = false

+# Set this to true to lock down your server's public room directory and only allow admins to publish rooms to the room directory.
+# Unpublishing is still allowed by all users with this enabled.
+#
+# Defaults to false
+lockdown_public_room_directory = false
+
 # Set this to true to allow federating device display names / allow external users to see your device display name.
 # If federation is disabled entirely (`allow_federation`), this is inherently false. For privacy, this is best disabled.
 allow_device_name_federation = false

--- a/src/api/client_server/directory.rs
+++ b/src/api/client_server/directory.rs
@@ -102,8 +102,21 @@ pub async fn set_room_visibility_route(

 	match &body.visibility {
 		room::Visibility::Public => {
+			if services().globals.config.lockdown_public_room_directory && !services().users.is_admin(sender_user)? {
+				info!(
+					"Non-admin user {sender_user} tried to publish {0} to the room directory while \
+					 \"lockdown_public_room_directory\" is enabled",
+					body.room_id
+				);
+
+				return Err(Error::BadRequest(
+					ErrorKind::Forbidden,
+					"Publishing rooms to the room directory is not allowed",
+				));
+			}
+
 			services().rooms.directory.set_public(&body.room_id)?;
-			info!("{} made {} public", sender_user, body.room_id);
+			info!("{sender_user} made {0} public", body.room_id);
 		},
 		room::Visibility::Private => services().rooms.directory.set_not_public(&body.room_id)?,
 		_ => {

--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -117,6 +117,8 @@ pub struct Config {
 	#[serde(default)]
 	pub allow_public_room_directory_without_auth: bool,
 	#[serde(default)]
+	pub lockdown_public_room_directory: bool,
+	#[serde(default)]
 	pub allow_device_name_federation: bool,
 	#[serde(default = "true_fn")]
 	pub allow_room_creation: bool,
@@ -420,6 +422,10 @@ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 				"Allow public room directory without authentication",
 				&self.allow_public_room_directory_without_auth.to_string(),
 			),
+			(
+				"Lockdown public room directory (only allow admins to publish)",
+				&self.lockdown_public_room_directory.to_string(),
+			),
 			(
 				"JWT secret",
 				match self.jwt_secret {