WIP: feat: Port room takeover and shutdown commands from continuwuity.rocks #1375

Draft

nex wants to merge 4 commits from nex/feat/room-shutdown into main

nex commented

2026-02-14 14:13:41 +00:00

Owner

This pull request ports over the !admin rooms moderation takeover and !admin rooms moderation shutdown commands from continuwuity.rocks: nex/continuwuity@8754479e96

The first command works by finding any local user in the target room that can modify the m.room.power_levels event, and uses their account to increase the invoking admin's power level to match their own. For rooms where we have local creators or admin users, this can allow server admins to commandeer a room and do whatever with it, such as assigning new moderators to an abandoned room. This is similar in behaviour to Synapse's "assign admin" function.

The second command does the following:

If --force is passed, join the privileged user to the room so they can send events
If the power levels have not yet been restricted, set the user_default level to -2^53-1 (as low as it can go) and raise the requirement of every specified event, ban, kick, events_default, and state_default to admin_user_pl, and remove all other users with a power level below the admin user's own
If the join rules have not yet been changed, change them to the custom rule org.continuwuity.shutdown. This prevents people joining in the future, even if they have been invited, as the unrecognised rule prevents any further join authorisation.
If the history visibility has not yet been changed, the history visibility is set to joined
All users in the room, excluding server admins, are banned, or if the admin user being puppetted cannot ban, kicked. The MSC4293 redact_events flag is set on these events if --redact is passed, preventing clients from rendering sent messages afterwards.
Finally, an m.room.tombstone event is sent, preventing most clients from allowing the room to be used again, even in the event of a state reset.

This is a very powerful command designed to be used to disband offensive/illegal rooms. It is not uncommon for bad users to sign up on public or restricted homeservers, create or join rooms with illegal content, and then assign a power level to their accounts on other servers in order to retain control over said rooms when their accounts get banned from other servers. This feature takes advantage of this trend to ruin their day.
It is worth mentioning: the shutdown command performs exactly the same functions any user with an elevated power level can do, meaning even if this command was ultimately dropped, you could still perform these actions manually after takeover. And without takeover, you could always just !admin users reset-password and log in to the target user.

Pull request checklist:

This pull request targets the main branch, and the branch is named something other than
main.
I have written an appropriate pull request title and my description is clear.
I understand I am responsible for the contents of this pull request.
I have followed the contributing guidelines:
- My contribution follows the code style, if applicable.
- I ran pre-commit checks before opening/drafting this pull request.
- I have tested my contribution (or proof-read it for documentation-only changes)
  myself, if applicable. This includes ensuring code compiles.
- My commit messages follow the commit message format and are descriptive.
- I have written a news fragment for this PR, if applicable.

This pull request ports over the `!admin rooms moderation takeover` and `!admin rooms moderation shutdown` commands from continuwuity.rocks: https://forgejo.ellis.link/nex/continuwuity/commit/8754479e96df93c1a23bbd9dc9171be8a154238f The first command works by finding any local user in the target room that can modify the `m.room.power_levels` event, and uses their account to increase the invoking admin's power level to match their own. For rooms where we have local creators or admin users, this can allow server admins to commandeer a room and do whatever with it, such as assigning new moderators to an abandoned room. This is similar in behaviour to [Synapse's "assign admin" function](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#make-room-admin-api). The second command does the following: 1. If `--force` is passed, join the privileged user to the room so they can send events 2. If the power levels have not yet been restricted, set the `user_default` level to -2^53-1 (as low as it can go) and raise the requirement of every specified event, `ban`, `kick`, `events_default`, and `state_default` to `admin_user_pl`, and remove all other users with a power level below the admin user's own 3. If the join rules have not yet been changed, change them to the custom rule `org.continuwuity.shutdown`. This prevents people joining in the future, even if they have been invited, as the unrecognised rule prevents any further join authorisation. 4. If the history visibility has not yet been changed, the history visibility is set to `joined` 5. All users in the room, excluding server admins, are banned, or if the admin user being puppetted cannot ban, kicked. The MSC4293 `redact_events` flag is set on these events if `--redact` is passed, preventing clients from rendering sent messages afterwards. 6. Finally, an `m.room.tombstone` event is sent, preventing most clients from allowing the room to be used again, even in the event of a state reset. This is a very powerful command designed to be used to disband offensive/illegal rooms. It is not uncommon for bad users to sign up on public or restricted homeservers, create or join rooms with illegal content, and then assign a power level to their accounts on other servers in order to retain control over said rooms when their accounts get banned from other servers. This feature takes advantage of this trend to ruin their day. It is worth mentioning: the `shutdown` command performs exactly the same functions any user with an elevated power level can do, meaning even if this command was ultimately dropped, you could still perform these actions manually after `takeover`. And without takeover, you could always just `!admin users reset-password` and log in to the target user. **Pull request checklist:**  - [x] This pull request targets the `main` branch, and the branch is named something other than `main`. - [x] I have written an appropriate pull request title and my description is clear. - [x] I understand I am responsible for the contents of this pull request. - I have followed the [contributing guidelines][c1]: - [x] My contribution follows the [code style][c2], if applicable. - [x] I ran [pre-commit checks][c1pc] before opening/drafting this pull request. - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes) myself, if applicable. This includes ensuring code compiles. - [x] My commit messages follow the [commit message format][c1cm] and are descriptive. - [ ] I have written a [news fragment][n1] for this PR, if applicable.  [c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md [c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages [n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments