This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

admin-api: Don't Allow Admins to Invite Themselves Into Private Rooms #9027

Closed
f35f0ef9d0e827dae86552d3899f78fc opened this issue Jan 6, 2021 · 4 comments

Comments

@f35f0ef9d0e827dae86552d3899f78fc
Contributor

I am concerned about the new capability added in this PR: #8756

What is the need for an admin to invite themselves into private rooms? What if the room settings allowed new users access to all chat history? With this new change, is it possible for an admin to grant themselves admin access to a private room, change the chat history setting for new users, and then accept the room invitation generated by the admin API? If yes, then this functionality is really in conflict with the term "private room".
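To make the "chat history for new users" concern concrete, here is a model of the Matrix history-visibility rule (m.room.history_visibility) run over a constructed room timeline. This is an added example, not code from synapse or from anyone in this thread; the user IDs, event IDs and timeline are made up. It implements the client-server spec rule that readability is decided per event, from the visibility setting and the viewer's membership in force when that event was sent, so under this rule flipping the setting to `shared` after a forced join does not expose messages sent while it was `joined`. Whether a particular server applies the rule exactly this way is something to verify against its code.

```python
"""Model of the Matrix history-visibility rule over a constructed timeline.

Added example, not synapse code: it implements the spec rule that whether a
user may read an event depends on the visibility setting and that user's
membership at the time the event was sent. All IDs here are made up.
"""
from dataclasses import dataclass
from typing import Optional

ALICE, BOB, ADMIN = "@alice:example.org", "@bob:example.org", "@admin:example.org"


@dataclass(frozen=True)
class Event:
    event_id: str
    sender: str
    type: str
    content: dict
    state_key: Optional[str] = None  # set only on state events


def _allowed(visibility: str, membership: str, ever_joined: bool) -> bool:
    """Spec table: may a viewer with this membership-at-event read the event?"""
    if visibility == "world_readable":
        return True
    if visibility == "shared":
        # every event is readable by anyone who has been a member at some point
        return ever_joined
    if visibility == "invited":
        return membership in ("invite", "join")
    if visibility == "joined":
        return membership == "join"
    raise ValueError(f"unknown history_visibility {visibility!r}")


def visible_events(user: str, timeline: list[Event]) -> list[str]:
    """Return the event_ids in `timeline` that `user` is permitted to read."""
    ever_joined = any(
        e.type == "m.room.member" and e.state_key == user and e.content.get("membership") == "join"
        for e in timeline
    )
    visibility = "shared"  # spec default until an m.room.history_visibility event is sent
    membership: dict[str, str] = {}
    readable: list[str] = []
    for ev in timeline:
        before = (visibility, membership.get(user, "leave"))
        # advance the room state past this event
        if ev.type == "m.room.history_visibility" and ev.state_key == "":
            visibility = ev.content["history_visibility"]
        elif ev.type == "m.room.member" and ev.state_key is not None:
            membership[ev.state_key] = ev.content["membership"]
        after = (visibility, membership.get(user, "leave"))
        # A visibility change, or the viewer's own membership change, is readable
        # if either the state before or the state after the event allows it.
        own_change = ev.type == "m.room.history_visibility" or (
            ev.type == "m.room.member" and ev.state_key == user
        )
        if _allowed(*after, ever_joined) or (own_change and _allowed(*before, ever_joined)):
            readable.append(ev.event_id)
    return readable


def _member(eid, who, membership):
    return Event(eid, who, "m.room.member", {"membership": membership}, state_key=who)


def _msg(eid, who, body):
    return Event(eid, who, "m.room.message", {"msgtype": "m.text", "body": body})


def _visibility(eid, who, setting):
    return Event(eid, who, "m.room.history_visibility", {"history_visibility": setting}, state_key="")


def build_timeline(initial_visibility: Optional[str]) -> list[Event]:
    """Constructed room: alice sets `initial_visibility` (None = keep the default),
    chats with bob, then a server admin force-joins via the admin API and flips
    the setting to 'shared' hoping to read the earlier messages."""
    events = [Event("$create", ALICE, "m.room.create", {"creator": ALICE}, state_key=""),
              _member("$alice_join", ALICE, "join")]
    if initial_visibility is not None:
        events.append(_visibility("$vis_initial", ALICE, initial_visibility))
    events += [
        _member("$bob_join", BOB, "join"),
        _msg("$secret1", ALICE, "secret 1"),
        _msg("$secret2", BOB, "secret 2"),
        _member("$admin_join", ADMIN, "join"),        # e.g. POST /_synapse/admin/v1/join/<room>
        _visibility("$vis_shared", ADMIN, "shared"),  # assumes the admin also got power to do this
        _msg("$after", ALICE, "sent after the admin joined"),
    ]
    return events


if __name__ == "__main__":
    for setting in (None, "joined", "invited", "shared"):
        seen = visible_events(ADMIN, build_timeline(setting))
        print(f"{setting!s:8} -> admin can read $secret1: {'$secret1' in seen}")
```

Running it prints one line per initial setting: the admin reads the earlier messages only when the room was already `shared` (or never changed from the default), not when it was `joined` or `invited`. Note that `$create` and the early join events stay readable in every case, because they were sent before the room was locked down and the default at that moment was `shared`; a room that wants history hidden from later joiners has to set the visibility before anything sensitive is sent.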

@274below

274below commented Jan 6, 2021

"Private" inherently isn't "private" if you don't trust the server admins. After all, someone can just run a database query to see the historical room content without inviting themselves to the room in the first place.

If this is something that is really concerning to you, then you should 1) enable E2E encryption and 2) run your own server in an environment that you trust.

@f35f0ef9d0e827dae86552d3899f78fc
Contributor Author

> "Private" inherently isn't "private" if you don't trust the server admins. After all, someone can just run a database query to see the historical room content without inviting themselves to the room in the first place.
>
> If this is something that is really concerning to you, then you should 1) enable E2E encryption and 2) run your own server in an environment that you trust.

You make a good point about administrative access to the infrastructure.

I'm speaking for the layman here, the folk who do not watch GitHub releases... normal people. Matrix and Element will continue to be only for tech enthusiasts if we don't think about making the easy way the most private and secure way.

@lovelaced

I'll be honest, I don't like this either (as a server admin). The server admin should perhaps only be able to "rescue" rooms which are left without an admin, to prevent having to migrate all users to a new room to create a new admin.

@richvdh
Member

richvdh commented Jan 18, 2021

The design of Matrix is such that any server admin will always be able to "puppet" any user on that server if they so desire. This API doesn't change that - it just means that the admin doesn't have to go digging around in the database to do so.

There's some interesting experimental work going on in peer-to-peer Matrix (effectively: each client is its own server) which I think would address your concerns, but that's out of scope for Synapse, so I'm going to go ahead and close this issue.

@richvdh richvdh closed this as completed Jan 18, 2021