chore: Apply suggestions

This reverts commit 9b4845bf8d.

.forgejo/pull_request_template.md

@@ -0,0 +1,82 @@
+---
+name: 'New pull request'
+about: 'Open a new pull request to contribute to continuwuity'
+ref: 'main'
+---
+
+<!--
+In order to help reviewers know what your pull request does at a glance, you should ensure that
+
+1. Your PR title is a short, single sentence describing what you changed
+2. You have described in more detail what you have changed, why you have changed it, what the
+   intended effect is, and why you think this will be beneficial to the project.
+
+If you have made any potentially strange/questionable design choices, but didn't feel they'd benefit
+from code comments, please don't mention them here - after opening your pull request,
+go to "files changed", and click on the "+" symbol in the line number gutter,
+and attach comments to the lines that you think would benefit from some clarification.
+-->
+
+This pull request...
+
+<!-- Example:
+This pull request allows us to warp through time and space ten times faster than before by
+double-inverting the warp drive with hyperheated jump fluid, both making the drive faster and more
+efficient. This resolves the common issue where we have to wait more than 10 milliseconds to
+engage, use, and disengage the warp drive when travelling between galaxies.
+-->
+
+<!-- Closes: #... -->
+<!-- Fixes: #...  -->
+<!-- Uncomment the above line(s) if your pull request fixes an issue or closes another pull request
+by superseding it. Replace `#...` with the issue/pr number, such as `#123`. -->
+
+**Pull request checklist:**
+
+<!-- You need to complete these before your PR can be considered.
+If you aren't sure about some, feel free to ask for clarification in #dev:continuwuity.org. -->
+- [ ] This pull request targets the `main` branch, and the branch is named something other than
+      `main`.
+- [ ] I have written an appropriate pull request title and my description is clear.
+- [ ] I understand I am responsible for the contents of this pull request.
+- I have followed the [contributing guidelines][c1]:
+  - [ ] My contribution follows the [code style][c2], if applicable.
+  - [ ] I ran [pre-commit checks][c1pc] before opening/drafting this pull request.
+  - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
+        myself, if applicable. This includes ensuring code compiles.
+  - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
+  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.
+
+<!--
+Notes on these requirements:
+
+- While not required, we encourage you to sign your commits with GPG or SSH to attest the
+  authenticity of your changes.
+- While we allow LLM-assisted contributions, we do not appreciate contributions that are
+  low quality, which is typical of machine-generated contributions that have not had a lot of love
+  and care from a human. Please do not open a PR if all you have done is asked ChatGPT to tidy up
+  the codebase with a +-100,000 diff.
+- In the case of code style violations, reviewers may leave review comments/change requests
+  indicating what the ideal change would look like. For example, a reviewer may suggest you lower
+  a log level, or use `match` instead of `if/else` etc.
+- In the case of code style violations, pre-commit check failures, minor things like typos/spelling
+  errors, and in some cases commit format violations, reviewers may modify your branch directly,
+  typically by making changes and adding a commit. Particularly in the latter case, a reviewer may
+  rebase your commits to squash "spammy" ones (like "fix", "fix", "actually fix"), and reword
+  commit messages that don't satisfy the format.
+- Pull requests MUST pass the `Checks` CI workflows to be capable of being merged. This can only be
+  bypassed in exceptional circumstances.
+  If your CI flakes, let us know in matrix:r/dev:continuwuity.org.
+- Pull requests have to be based on the latest `main` commit before being merged. If the main branch
+  changes while you're making your changes, you should make sure you rebase on main before
+  opening a PR. Your branch will be rebased on main before it is merged if it has fallen behind.
+- We typically only do fast-forward merges, so your entire commit log will be included. Once in
+  main, it's difficult to get out cleanly, so put on your best dress, smile for the cameras!
+-->
+
+[c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md
+[c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx
+[c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
+[c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
+[c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
+[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

docs/deploying/docker-compose.with-traefik.yml

@@ -114,6 +114,10 @@ services:
       TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
       TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
 
+      # Since Traefik 3.6.3, paths with certain "encoded characters" are now blocked by default; we need a couple, or else things *will* break
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH: true
+
       TRAEFIK_PROVIDERS_DOCKER: true
       TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
       TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false

docs/public/.well-known/continuwuity/announcements

@@ -6,12 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 3,
-            "message": "_taps microphone_ The Continuwuity 0.5.0-rc.7 release is now available, and it's better than ever! **177 commits**, **35 pull requests**, **11 contributors,** and a lot of new stuff!\n\nFor highlights, we've got:\n\n* 🕵️ Full Policy Server support to fight spam!\n* 🚀 Smarter room & space upgrades.\n* 🚫 User suspension tools for better moderation.\n* 🤖 reCaptcha support for safer open registration.\n* 🔍 Ability to disable read receipts & typing indicators.\n* ⚡ Sweeping performance improvements!\n\nGet the [full changelog and downloads on our Forgejo](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.0-rc.7) - and make sure you're in the [Announcements room](https://matrix.to/#/!releases:continuwuity.org/$hN9z6L2_dTAlPxFLAoXVfo_g8DyYXu4cpvWsSrWhmB0) to get stuff like this sooner."
-        },
-        {
-            "id": 5,
-            "message": "It's a bird! It's a plane! No, it's 0.5.0-rc.8.1!\n\nThis is a minor bugfix update to the rc8 which backports some important fixes from the latest main branch. If you still haven't updated to rc8, you should skip to main. Otherwise, you should upgrade to this bugfix release as soon as possible.\n\nBugfixes backported to this version:\n\n- Resolved several issues with state resolution v2.1 (room version 12)\n- Fixed issues with the `restricted` and `knock_restricted` join rules that would sometimes incorrectly disallow a valid join\n- Fixed the automatic support contact listing being a no-op\n- Fixed upgrading pre-v12 rooms to v12 rooms\n- Fixed policy servers sending the incorrect JSON objects (resulted in false positives)\n- Fixed debug build panic during MSC4133 migration\n\nIt is recommended, if you can and are comfortable with doing so, following updates to the main branch - we're in the run up to the full 0.5.0 release, and more and more bugfixes and new features are being pushed constantly. Please don't forget to join [#announcements:continuwuity.org](https://matrix.to/#/#announcements:continuwuity.org) to receive this news faster and be alerted to other important updates!"
+            "id": 6,
+            "mention_room": true,
+            "date": "2025-12-22",
+            "message": "Continuwuity v0.5.0 has been released. **The release contains a fix for the critical vulnerability [GHSA-22fw-4jq7-g8r8](https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8). Update as soon as possible.**\n\nThis has been *actively exploited* to create fake leave events in the Continuwuity rooms. Please leave and rejoin the rooms to fix any issues this may have caused. \n\n - [Continuwuity (space)](https://matrix.to/#/!PxtzompFuodlyzdCDtV5lzjXs10XIHeOOaq_FYodHyk?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity](https://matrix.to/#/!kn3VQSLcgWGUFm0FFRid4MinJ_aeZPjHQ0irXbHa3bU?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity Announcements](https://matrix.to/#/!d7zDZg1Vu5nhkCi50jNfOIObD5fpfGhfl48SZWZek7k?via=ellis.link)\n - [Continuwuity Offtopic](https://matrix.to/#/!QlOomq-suHC9rJHfDFVdbcGg4HS2ojSQ0bo4W2JOGMM?via=ellis.link&via=gingershaped.computer&via=continuwuity.org)\n - [Continuwuity Development](https://matrix.to/#/!aAvealFbgiKTJGzumNbjuwDgt1tOkBKwiyfYqE3ouk0?via=ellis.link&via=explodie.org&via=continuwuity.org)\n"
         }
     ]
 }

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1761112158,
-        "narHash": "sha256-RIXu/7eyKpQHjsPuAUODO81I4ni8f+WYSb7K4mTG6+0=",
+        "lastModified": 1766324728,
+        "narHash": "sha256-9C+WyE5U3y5w4WQXxmb0ylRyMMsPyzxielWXSHrcDpE=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "58f3aaec0e1776f4a900737be8cd7cb00972210d",
+        "rev": "c88b88c62bda077be8aa621d4e89d8701e39cb5d",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1760924934,
-        "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
+        "lastModified": 1766194365,
+        "narHash": "sha256-4AFsUZ0kl6MXSm4BaQgItD0VGlEKR3iq7gIaL7TjBvc=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
+        "rev": "7d8ec2c71771937ab99790b45e6d9b93d15d9379",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1761115517,
-        "narHash": "sha256-Fev/ag/c3Fp3JBwHfup3lpA5FlNXfkoshnQ7dssBgJ0=",
+        "lastModified": 1766299592,
+        "narHash": "sha256-7u+q5hexu2eAxL2VjhskHvaUKg+GexmelIR2ve9Nbb4=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "320433651636186ea32b387cff05d6bbfa30cea7",
+        "rev": "381579dee168d5ced412e2990e9637ecc7cf1c5d",
         "type": "github"
       },
       "original": {
@@ -55,11 +55,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "lastModified": 1765121682,
+        "narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
         "type": "github"
       },
       "original": {
@@ -74,11 +74,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760878510,
-        "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
+        "lastModified": 1766070988,
+        "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
+        "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8",
         "type": "github"
       },
       "original": {
@@ -105,11 +105,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1754788789,
-        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "lastModified": 1765674936,
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1761077270,
-        "narHash": "sha256-O1uTuvI/rUlubJ8AXKyzh1WSWV3qCZX0huTFUvWLN4E=",
+        "lastModified": 1766253897,
+        "narHash": "sha256-ChK07B1aOlJ4QzWXpJo+y8IGAxp1V9yQ2YloJ+RgHRw=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "39990a923c8bca38f5bd29dc4c96e20ee7808d5d",
+        "rev": "765b7bdb432b3740f2d564afccfae831d5a972e4",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760945191,
-        "narHash": "sha256-ZRVs8UqikBa4Ki3X4KCnMBtBW0ux1DaT35tgsnB1jM4=",
+        "lastModified": 1766000401,
+        "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "f56b1934f5f8fcab8deb5d38d42fd692632b47c2",
+        "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd",
         "type": "github"
       },
       "original": {

src/api/client/room/upgrade.rs

@@ -68,6 +68,12 @@ pub(crate) async fn upgrade_room_route(
 		return Err!(Request(UserSuspended("You cannot perform this action while suspended.")));
 	}
 
+	// Make sure this isn't the admin room
+	// Admin room upgrades are hacky and should be done manually instead.
+	if services.admin.is_admin_room(&body.room_id).await {
+		return Err!(Request(Forbidden("Upgrading the admin room this way is not allowed.")));
+	}
+
 	// First, check if the user has permission to upgrade the room (send tombstone
 	// event)
 	let old_room_state_lock = services.rooms.state.mutex.lock(&body.room_id).await;
@@ -266,7 +272,7 @@ pub(crate) async fn upgrade_room_route(
 			.room_state_keys(&body.room_id, event_type)
 			.await?;
 		for state_key in state_keys {
-			let event_content = match services
+			let mut event_content = match services
 				.rooms
 				.state_accessor
 				.room_state_get(&body.room_id, event_type, &state_key)
@@ -279,6 +285,21 @@ pub(crate) async fn upgrade_room_route(
 				// If the event content is empty, we skip it
 				continue;
 			}
+			// If this is a power levels event, and the new room version has creators,
+			// we need to make sure they dont appear in the users block of power levels.
+			if *event_type == StateEventType::RoomPowerLevels {
+				// TODO(v12): additional creators
+				let creators = vec![sender_user];
+				let mut power_levels_event_content: RoomPowerLevelsEventContent =
+					serde_json::from_str(event_content.get()).map_err(|_| {
+						err!(Request(BadJson("Power levels event content is not valid")))
+					})?;
+				for creator in creators {
+					power_levels_event_content.users.remove(creator);
+				}
+				event_content = to_raw_value(&power_levels_event_content)
+					.expect("event is valid, we just deserialized and modified it");
+			}
 
 			services
 				.rooms