Upgrading a room promotes mod to admin

[Bubu]

Description

(Note: This is a apparently a known problem, but there's no issue for it we could find.)

When upgrading a room the user doing the upgrade gets promoted to admin in the old and new room.

Steps to reproduce

• create a new room
• invite user X
• grant moderator permissions to user X
• user X upgrades the room
• user X is now admin in the old and new room

I'd have expected that either the room upgrade is only allowed for admin users (if that's a technical requirement) or that the result of the upgrade is the same as before the upgrade (the user doing the upgrade is still moderator in both the old and the new rooms)

The default PL requirement for upgrading a room is 50 (moderator). This effectively makes this a potential privilege escalation bug if you don't change the default settings before promoting someone to moderator level.

Version information

• Version: 1.7.3

[turt2live]

Who can perform upgrades is controlled by power levels, which is moderator by default. In riot-web the minimum power level for this particular thing can be changed.

For an implementation note: The new room will need the power level of the person doing the upgrade to be 100 so it can create the room, but once it is done that it should absolutely be forcing the user to demote themselves in the new room.

It's very surprising that they are admin in the old room too - are you sure it's not just whatever client reading the wrong room?

[richvdh]

To clarify: this was not a known problem: that was a misunderstanding.

The problem is that the in-memory copy of the PL event in the original room is being modified, so the upgrading user appears to end up with PL 100. This is fixed by #6633 .

Annoyingly, this would have been picked up had we taken the time to land matrix-org/sytest#500 :/