Alter ACL behaviour to prevent abuse

[catfromplan9]

Description:

Right now, when I ACL a server from my room on matrix, the users of that server are still in the room and able to join the room. This leads to an alternate copy of the room being propagated to all the servers that are blocked. I cannot see or moderate what is going on in this alternate copy of the room. The servers I block range from servers with rules that are not compatible with my own, to homeservers refusing to moderate CP. Having all these blocked servers able to communicate with eachother in a copy room is a problem for the matrix ecosystem and I have no doubt it leads to many new users abandoning the platform. If my room blocks matrix.org and some CP spammer servers, any matrix.org user will join and see CP, and I'd rather not have this happen.

Perhaps, instead, when a homeserver is added to the ACL list, all members from that server can first be kicked? The issue, as I understand it, is that accounts from the blocked homeserver remain in the room, and are merely unable to communicate to the unblocked ones. Thus, the blocked server is able to allow other accounts from the same server to join, and to federate to other blocked servers. New joins from a blocked server is permitted if there is one account from the blocked server in the room. If we kick them all first, then no accounts will manage to join in the future

I look forward to hearing your thoughts on this topic, and perhaps better ways to resolve this problem.

[catfromplan9]

Copied this issue from matrix-org/matrix-spec#1613, as richvdh suggested

[reivilibre]

Does 'ACLing a server' here just mean changing the ACL state event using the normal state event sending APIs?

Without being too in the know, this sounds like something that should be handled first through another mechanism, either a more intentful 'kick and ACL a server' action or client-side.

Personally I think it'd actually be beneficial if the ACL didn't apply to the ACL event itself, so that the banned servers would receive the ACL state telling them they are banned — then they could restrict themselves from creating a splitbrained room if they wanted to play along with the rules.

There's probably still a concern or two left over after that, such as what happens if a new homeserver joins via one of the homeservers that is banned (but not self-restricting)?
Not sure this would be a new problem compared to today even if such a problem would exist though.
It's also not that likely given that most ACL'd rooms will be public rooms and then users will be joining through some less-dodgy means like a known room alias or a space, so being introduced by one of the 'good' servers is more likely than not.

[catfromplan9]

Does 'ACLing a server' here just mean changing the ACL state event using the normal state event sending APIs?

Without being too in the know, this sounds like something that should be handled first through another mechanism, either a more intentful 'kick and ACL a server' action or client-side.

Personally I think it'd actually be beneficial if the ACL didn't apply to the ACL event itself, so that the banned servers would receive the ACL state telling them they are banned — then they could restrict themselves from creating a splitbrained room if they wanted to play along with the rules.

There's probably still a concern or two left over after that, such as what happens if a new homeserver joins via one of the homeservers that is banned (but not self-restricting)? Not sure this would be a new problem compared to today even if such a problem would exist though. It's also not that likely given that most ACL'd rooms will be public rooms and then users will be joining through some less-dodgy means like a known room alias or a space, so being introduced by one of the 'good' servers is more likely than not.

Yeah, perhaps the spec could then be modified and servers can be told to remove their local users from the room when it is detected to be ACL'd?