* develop: (45 commits)
URL preview blacklisting fixes (#5155)
Revert 085ae346ac
Add a DUMMY stage to captcha-only registration flow
Make Prometheus snippet less confusing on the metrics collection doc (#4288)
Set syslog identifiers in systemd units (#5023)
Run Black on the tests again (#5170)
Add AllowEncodedSlashes to apache (#5068)
remove instructions for jessie installation (#5164)
Run `black` on per_destination_queue
Limit the number of EDUs in transactions to 100 as expected by receiver (#5138)
Fix bogus imports in tests (#5154)
add options to require an access_token to GET /profile and /publicRooms on CS API (#5083)
Do checks on aliases for incoming m.room.aliases events (#5128)
Remove the requirement to authenticate for /admin/server_version. (#5122)
Fix spelling in server notices admin API docs (#5142)
Fix sample config
0.99.3.2
include disco in deb build target list
changelog
Debian: we now need libpq-dev.
...
Prevents a SynapseError being raised inside of a IResolutionReceiver and instead opts to just return 0 results. This thus means that we have to lump a failed lookup and a blacklisted lookup together with the same error message, but the substitute should be generic enough to cover both cases.
This allows the client to complete the email last which is more
natual for the user. Without this stage, if the client would
complete the recaptcha (and terms, if enabled) stages and then the
registration request would complete because you've now completed a
flow, even if you were intending to complete the flow that's the
same except has email auth at the end.
Adding a dummy auth stage to the recaptcha-only flow means it's
always unambiguous which flow the client was trying to complete.
Longer term we should think about changing the protocol so the
client explicitly says which flow it's trying to complete.
https://github.com/vector-im/riot-web/issues/9586
* Add AllowEncodedSlashes to apache
Add `AllowEncodedSlashes On` to apache config to support encoding for v3 rooms. "The AllowEncodedSlashes setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting inside a <VirtualHost> container (/etc/apache2/sites-available/default in Ubuntu)." Source: https://stackoverflow.com/questions/4390436/need-to-allow-encoded-slashes-on-apache
* change allowencodedslashes to nodecode
This commit adds two config options:
* `restrict_public_rooms_to_local_users`
Requires auth to fetch the public rooms directory through the CS API and disables fetching it through the federation API.
* `require_auth_for_profile_requests`
When set to `true`, requires that requests to `/profile` over the CS API are authenticated, and only returns the user's profile if the requester shares a room with the profile's owner, as per MSC1301.
MSC1301 also specifies a behaviour for federation (only returning the profile if the server asking for it shares a room with the profile's owner), but that's currently really non-trivial to do in a not too expensive way. Next step is writing down a MSC that allows a HS to specify which user sent the profile query. In this implementation, Synapse won't send a profile query over federation if it doesn't believe it already shares a room with the profile's owner, though.
Groups have been intentionally omitted from this commit.
This endpoint isn't much use for its intended purpose if you first need to get
yourself an admin's auth token.
I've restricted it to the `/_synapse/admin` path to make it a bit easier to
lock down for those concerned about exposing this information. I don't imagine
anyone is using it in anger currently.
=============================
Internal Changes
----------------
- Ensure that we have `urllib3` <1.25, to resolve incompatibility with `requests`. ([\#5135](https://github.com/matrix-org/synapse/issues/5135))
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEv27Axt/F4vrTL/8QOSor00I9eP8FAlzMgZwACgkQOSor00I9
eP8Pxgf7BtwM5LrC/xGFKkE62U7bX4jE5EJ9gt+keN9+l5hnB75nBzyXpk0FY/CO
lWOWeT3S0Nfkx5CqVjZ9I9Q83W3CAzcRO6Og3w4QRieoW74T/biCizIsYxHSjgeA
LzwdGMMRtcoccxvi9uNgJID2LNsVHazNUKuGJNoqCXeeCkmmunSHbAb8TI9Cz7mU
0Ul8oZV8zoOaf/Nzzh7WJJ+YsxprfGmUVD1ssWYzZvGotPw/wdAhlJJA3pzjAeBZ
o94q/IMvA7baTEBUzAzMcJCEfxEueA9j/93eYJ4/dQcS6sqMN2GMTTaiXthkf2vQ
9w+SgbvJqQG14lTJqPOYTHS1oud6PA==
=3ooI
-----END PGP SIGNATURE-----
Merge tag 'v0.99.3.2'
Synapse 0.99.3.2 (2019-05-03)
=============================
Internal Changes
----------------
- Ensure that we have `urllib3` <1.25, to resolve incompatibility with `requests`. ([\#5135](https://github.com/matrix-org/synapse/issues/5135))
psycopg 2.8 is now out, which means that the C library gets built from source,
so we now need libpq-dev when building.
Turns out the need for this package is already documented in
docs/postgres.rst.