Element-web: User should not be able to redact other user's messages in 1-1 chats

I can see your reasoning, this is because a 1:1 is really no different to any room, and the initial two members are given admin status (PL100) which means they can do anything to that room

I've tagged this as a minor bug, but really I think it's an awkward side-effect of our permissions model.

As I understand it, there's no way to support the more expected behaviour of DM users' _not_ being able to redact each others' messages as it would require setting the message redaction power level to be higher than 100, which isn't possible.

I can't think of a quick fix to this; it might require a radical review of permissions :\

Short of a permissions overhaul, there's the option of hacking your way through supporting this:

• Restructure the room creation to lower applicable power level requirements to 99
• Set both parties to PL99

However, that would result in people losing the Admin flag. A special case could be made to show the admin flag for PL99 in 1:1 chats.

This does however make the room harder to maintain if it ends up becoming a group chat.

Other than a permission overhaul, there is the option of treating 1-1 chats different to "rooms", i.e. having a completely different chat "type". Though I'm not sure what kind of new problems that will create.

Here's a radical thought:

How about _if_ we have the right to redact other's messages in the first place, only be allowed to redact messages of those whose power level is lower than ours, at the time the message was posted?

Not sure how viable the last part is as the PL change event can be redacted without undoing the PL change itself so the there's no surefire way of knowing the PL at a given time afaik

If that is possible, that surely must be a bug in the server/protocol. Redacting should only strip state events of any ancillary data, but leave the core state change intact.

maybe during room creation we can ask synapse initial state to have PL(redact) set to 101?

@t3chguy how would users lower it again? I think the PL being taken into account when redacting is really the best option.

This actually bit me today. Someone I had a chat going with decided to redact every event in the room, including all of the room's state. Was really hard to answer their question when the context was completely missing :(

this is going to be weird in general with the purge API... I wonder how other chat apps handle this.

it's worth noting we have three different types of erasure in Matrix atm:

1. redactions (where the message gets removed from the timeline, and (shortly) the data gets flushed from disk after 30 days or whatever the server admin configures)
2. purging (where a server admin removes arbitrary events from their diskspace to save space, but they can be backfilled again)
3. gdpr erasure (where events are kept visible to those who saw them in the first place, but withheld from others. if all users are erased then they are rm'd entirely).

I agree that 1 and 3 are pretty much contradictory to one another, as 1 lets you destroy someone's conversation timeline but 3 doesn't. However, I really do see an argument for users being able to self-redact when they copy-paste something embarassing into a 1:1.

tl;dr: unsure what the right solution is.

Users should absolutely be able to redact their own messages. I brought this up again because someone redacted my messages in a 1:1, including my join event. It's not very fun when it happens :(

tl;dr: unsure what the right solution is.

having it configurable at room-create time at the very least (and probably the only way to do it without changing proto)

redact: 101 would mean people can only redact their own
events: {"m.room.redaction": 101} would mean no one can redact
I'd assume both can be inserted at room creation time