deploy: 20fc9fcc33

develop/print.html

@@ -5445,6 +5445,31 @@ into fewer transactions. Defaults to 50.</p>
 unauthenticated media endpoints (<code>/_matrix/media/(r0|v3|v1)/download</code> and <code>/_matrix/media/(r0|v3|v1)/thumbnail</code>) - requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints <code>_matrix/client/v1/media/download</code> and <code>_matrix/client/v1/media/thumbnail</code>. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false
 after enabling, media marked as authenticated will be available over legacy endpoints. Defaults to false, but
 this will change to true in a future Synapse release.</p>
+<p>In all cases, authenticated requests to download media will succeed, but for unauthenticated requests, this
+case-by-case breakdown describes whether media downloads are permitted:</p>
+<ul>
+<li><code>enable_authenticated_media = False</code>:
+<ul>
+<li>unauthenticated client or homeserver requesting local media: allowed</li>
+<li>unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache,
+or as long as the remote homeserver does not require authentication to retrieve the media</li>
+</ul>
+</li>
+<li><code>enable_authenticated_media = True</code>:
+<ul>
+<li>unauthenticated client or homeserver requesting local media:
+allowed if the media was stored on the server whilst <code>enable_authenticated_media</code> was <code>False</code> (or in a previous Synapse version where this option did not exist);
+otherwise denied.</li>
+<li>unauthenticated client or homeserver requesting remote media: the same as for local media;
+allowed if the media was stored on the server whilst <code>enable_authenticated_media</code> was <code>False</code> (or in a previous Synapse version where this option did not exist);
+otherwise denied.</li>
+</ul>
+</li>
+</ul>
+<p>It is especially notable that media downloaded before this option existed (in older Synapse versions), or whilst this option was set to <code>False</code>,
+will perpetually be available over the legacy, unauthenticated endpoint, even after this option is set to <code>True</code>.
+This is for backwards compatibility with older clients and homeservers that do not yet support requesting authenticated media;
+those older clients or homeservers will not be cut off from media they can already see.</p>
 <p>Example configuration:</p>
 <pre><code class="language-yaml">enable_authenticated_media: true
 </code></pre>

develop/usage/configuration/config_documentation.html

@@ -1780,6 +1780,31 @@ into fewer transactions. Defaults to 50.</p>
 unauthenticated media endpoints (<code>/_matrix/media/(r0|v3|v1)/download</code> and <code>/_matrix/media/(r0|v3|v1)/thumbnail</code>) - requests for authenticated media over these endpoints will result in a 404. All media, including authenticated media, will be available over the authenticated media endpoints <code>_matrix/client/v1/media/download</code> and <code>_matrix/client/v1/media/thumbnail</code>. Media uploaded prior to setting this option to true will still be available over the legacy endpoints. Note if the setting is switched to false
 after enabling, media marked as authenticated will be available over legacy endpoints. Defaults to false, but
 this will change to true in a future Synapse release.</p>
+<p>In all cases, authenticated requests to download media will succeed, but for unauthenticated requests, this
+case-by-case breakdown describes whether media downloads are permitted:</p>
+<ul>
+<li><code>enable_authenticated_media = False</code>:
+<ul>
+<li>unauthenticated client or homeserver requesting local media: allowed</li>
+<li>unauthenticated client or homeserver requesting remote media: allowed as long as the media is in the cache,
+or as long as the remote homeserver does not require authentication to retrieve the media</li>
+</ul>
+</li>
+<li><code>enable_authenticated_media = True</code>:
+<ul>
+<li>unauthenticated client or homeserver requesting local media:
+allowed if the media was stored on the server whilst <code>enable_authenticated_media</code> was <code>False</code> (or in a previous Synapse version where this option did not exist);
+otherwise denied.</li>
+<li>unauthenticated client or homeserver requesting remote media: the same as for local media;
+allowed if the media was stored on the server whilst <code>enable_authenticated_media</code> was <code>False</code> (or in a previous Synapse version where this option did not exist);
+otherwise denied.</li>
+</ul>
+</li>
+</ul>
+<p>It is especially notable that media downloaded before this option existed (in older Synapse versions), or whilst this option was set to <code>False</code>,
+will perpetually be available over the legacy, unauthenticated endpoint, even after this option is set to <code>True</code>.
+This is for backwards compatibility with older clients and homeservers that do not yet support requesting authenticated media;
+those older clients or homeservers will not be cut off from media they can already see.</p>
 <p>Example configuration:</p>
 <pre><code class="language-yaml">enable_authenticated_media: true
 </code></pre>