Clarify that redaction events are subject to auth rules (#1824)

Signed-off-by: Matthias Ahouansou <matthias@ahouansou.cz>
2024-05-29 09:42:19 +01:00 · 2024-05-29 09:42:19 +01:00 · 49765e0e0a
commit 49765e0e0a
parent ea781ef7b2
7 changed files with 72 additions and 36 deletions
--- a/content/rooms/v3.md
+++ b/content/rooms/v3.md
@ -89,12 +89,17 @@ The complete structure of a event in a v3 room is shown below.

 ### Authorization rules

-{{< added-in this=true >}} `m.room.redaction` events are no longer
-explicitly part of the auth rules. They are still subject to the
-minimum power level rules, but should always fall into "11. Otherwise,
-allow". Instead of being authorized at the time of receipt, they are
-authorized at a later stage: see the [Handling Redactions](#handling-redactions)
-section below for more information.
+{{% boxes/note %}}
+{{< added-in this=true >}} `m.room.redaction` events are subject to auth rules in
+the same way as any other event. In practice, that means they will normally be allowed
+by the auth rules, unless the `m.room.power_levels` event sets a power level requirement
+for `m.room.redaction`events via the `events` or `events_default` properties. In
+particular, the _redact level_ is **not** considered by the auth rules.
+
+The ability to send a redaction event does not mean that the redaction itself should
+be performed. Receiving servers must perform additional checks, as described in
+the [Handling Redactions](#handling-redactions) section.
+{{% /boxes/note %}}

 <!-- set withVersioning=true so we get all the "new in this version" stuff -->
 {{< rver-fragment name="v3-auth-rules" withVersioning=true >}}