Ketesa v1.3.0

@aine-etke released this 19 Jun 18:53 (commit 42f387c; 1 commit to main since this release)

We've been buried in this one for weeks, and honestly? We're proud of it. v1.3.0 is the "we love you, please stop accidentally nuking your users" release: a stack of guardrails around the scary buttons, a genuinely nasty bug that could erase an account mid-edit, a proper home for user reports, and a media preview that turned out to be a security fix wearing a feature's clothes.

The "are you sure?" release

Deactivate. Delete. Erase. Three buttons that used to do exactly what they promised the instant you clicked them, no questions asked, no take-backs. One slip of the mouse and an account was just... gone. They ask first now (#1214). You're welcome. Also, sorry.

And while we were in there, we found worse:

  • Editing a non-MAS user could trigger a GDPR erase. Not deactivate. Erase. You go in to fix a typo in someone's display name, hit save, and their data is gone for good because an erased flag was hitching a ride where it had no business being. Fixed, flagged correctly, and wrapped in tests so it stays dead (#1213). If you don't run MAS, upgrade for this one alone.
  • Saving an edit on the user page sometimes just... didn't. Quietly. It does now (#1215).
  • Setting a password or admin status in MAS mode could fail while cheerfully looking like it worked, because the error was getting swallowed. It speaks up now (#1200).

MAS finally lets you manage everyone

If you run Matrix Authentication Service, you've almost certainly tried to deactivate a bridge puppet or an appservice account and watched Ketesa just... refuse, because MAS doesn't own those users. Yeah. That was us. It's fixed (#1180), and not in one heroic commit either, but in three very honest ones: the fix, the case we missed, and the "okay, real safeguards this time" follow-up. Hybrid MAS-plus-appservice setups behave themselves now.

You also get the user type field back in MAS mode (a40d715), so you can actually tell what you're looking at when identity is split across Synapse and MAS.

Reports finally have somewhere to live

Matrix lets people report a whole user, not just one message, and until now those reports went precisely nowhere useful. There's a Reported users queue in the sidebar now, sitting right next to Reported events (#1168). One row per complaint, the reason in plain text, both people one click from their pages. One thing to know: deleting a report only clears the report. It doesn't touch the user. Acting on the person is still your call, on purpose. The whole walkthrough is in the user reports guide.

"Media preview improvements" (it was a security fix)

We shipped this as a preview tweak, and, look, we'll be straight with you: it's mostly us quietly closing an XSS hole (#1235). Opening media in a new tab is now limited to actual image types (PNG, JPEG, GIF, WebP, AVIF). Everything else, SVG very much included, downloads instead. Why? A blob: URL inherits Ketesa's own origin, so an SVG opened as a document could run script as Ketesa. We also stopped taking the server's word for the file type and check the real bytes, because a federated server will lie to your face about it. Bonus: a failed load shows you an error now instead of a sad, empty tab.
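The type gate described above, written out as an added example (my illustration, not Ketesa's own code; the function names, the return shape and the constructed sample payloads are assumptions):

```javascript
// Added example, not Ketesa's own code: decide whether a fetched media payload
// may be opened as a blob: URL in a new tab or must be downloaded. A blob: URL
// carries the app's own origin, so only raster types whose bytes really match
// are opened; anything else (SVG included) is handed to the browser as a download.

const OPENABLE = { png: 'image/png', jpeg: 'image/jpeg', gif: 'image/gif',
                   webp: 'image/webp', avif: 'image/avif' };

// True if `bytes` at `offset` equals `pattern` (an ASCII tag or a byte list).
function matchAt(bytes, offset, pattern) {
  const want = typeof pattern === 'string'
    ? Array.from(pattern, (c) => c.charCodeAt(0)) : pattern;
  if (bytes.length < offset + want.length) return false;
  return want.every((b, i) => bytes[offset + i] === b);
}

// Sniff the container from magic bytes. Returns an OPENABLE key or null.
function sniffImageType(bytes) {
  if (matchAt(bytes, 0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return 'png';
  if (matchAt(bytes, 0, [0xff, 0xd8, 0xff])) return 'jpeg';
  if (matchAt(bytes, 0, 'GIF87a') || matchAt(bytes, 0, 'GIF89a')) return 'gif';
  if (matchAt(bytes, 0, 'RIFF') && matchAt(bytes, 8, 'WEBP')) return 'webp';
  // ISO-BMFF: 4-byte box size, 'ftyp', then the major brand. Checking only the
  // major brand is a simplification: some AVIF files list 'avif' as a
  // compatible brand further on, and this sniffer would send those to download.
  if (matchAt(bytes, 4, 'ftyp') &&
      (matchAt(bytes, 8, 'avif') || matchAt(bytes, 8, 'avis'))) return 'avif';
  return null;
}

// `claimedType` is the Content-Type the (possibly federated) server sent. It is
// recorded for display but never decides anything; only the sniffed bytes do.
// The caller then builds the Blob with the returned `type`: for 'open' it may
// window.open(URL.createObjectURL(blob)); for 'download' it uses an <a download>.
function previewDecision(bytes, claimedType) {
  const kind = sniffImageType(bytes);
  if (kind === null) {
    return { action: 'download', type: 'application/octet-stream', claimedType };
  }
  return { action: 'open', type: OPENABLE[kind], claimedType };
}

// Constructed sample payloads (headers only; enough for the sniffer).
const SAMPLES = {
  png: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]),
  // An SVG document that the server labelled image/png: must still download.
  svgMislabelled: new TextEncoder().encode('<svg xmlns="http://www.w3.org/2000/svg"/>'),
};
```

The decision depends only on the bytes, so a mislabelled Content-Type from a remote server can neither promote a document to "open" nor demote a real image.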

Small but satisfying

User filtering broke when system_users was switched off. An early bailout cut the filter short and the list just... ignored you, like you weren't even typing. It listens now (#1227).

The unglamorous half

Dependency bumps everywhere, CI cleanup, better test isolation, doc updates, and an internal login refactor that changes nothing you can see. Every release has this half. Ours just doesn't get a parade.

That's v1.3.0: fewer ways to hurt yourself, one less hole for the bad guys, and a reports queue that actually exists. As always, if something's off, come yell at us in the room. We read everything.

Full Changelog: v1.2.1...v1.3.0