Dodgy invites that cannot be rejected from server notice rooms #11169

Closed
samueldr opened this issue Oct 20, 2019 · 5 comments
@samueldr

Description

image

Steps to reproduce

Get an invite from System Alerts... I don't know how this happens. My account is relatively old (I don't know its age exactly), but generally not in use.

I popped in since I received a private message, and saw that additional invite.

I believe the bug report is two-fold:

(1) Dodgy invite UX

This looks extremely dodgy, considering I could register definitely legit notices from the server@matrix.org as an account and send invites.

I have no way to ascertain that this is a legit service from the server. I only have three bits of info; an avatar, a display name and a matrix uh... ID? (@server:matrix.org). There is no way to dig in more, see what it is, or information from the app telling me this is a legit thing, and not someone posing as a service from the server.

(2) Useless invite / choice

I am given two choices. [Accept] or [Reject]. I initially did not want to Accept an unverifiable interlocutor. I clicked reject.

image

Okay then. I guess the invite is broken or something. Let's add this to the pile of usability concerns. Unless I am a developer and look at the console log.

M_CANNOT_LEAVE_SERVER_NOTICE_ROOM

Oh, words intended for developers. That could have been explained in the message box rather than a generic useless message.

Failed to reject invite

You cannot leave a server notice room.

But wait, there's more!

Why is this a binary YES/NO choice for which there is only one valid answer? Why give me anxiety about potentially opening the door to phishing attempts if whatever I choose my fate is sealed?

This might be a protocol or matrix thing rather than Riot, but why not just have the room exist in my rooms if I cannot reject the invite?

If this is such a thing, instead of making it an invite with a choice, word the invite in a way that makes sense in the context:

Server Notice Room

The matrix server wants to open a Room with you.
This room will be used to send server notices to you.

Information about this room:

$NAME
$AVATAR
$ID

[I understand, join this room].

Or anything else, as long as it explains what is happening and that there is some kind of magic sauce in that invite, that it's not a scam or phishing attempt.

Version information

  • Platform: web

For the web app:

  • Browser: Firefox, 69
  • OS: Linux
  • URL: riot.im/app/

Failed to reject invite: M_CANNOT_LEAVE_SERVER_NOTICE_ROOM: You cannot reject this invite rageshake.js:108:31
    r rageshake.js:108
    onRejectButtonClicked RoomView.js:1521
    c bluebird.js:5290
    _settlePromiseFromHandler bluebird.js:3302
    _settlePromise bluebird.js:3359
    _rejectPromises bluebird.js:3469
    _settlePromises bluebird.js:3481
    p bluebird.js:190
    f bluebird.js:183
    _drainQueues bluebird.js:199
    drainQueues bluebird.js:69
@turt2live
Member

Unfortunately this is a duplicate of https://github.com/vector-im/riot-web/issues/6797 - see that issue for more details.

@joepie91

I'm not sure it's a full duplicate; especially point 2 (an invite that cannot be rejected) seems unaddressed in that issue.

@turt2live
Member

Invites that can't be rejected certainly don't help it look any less like a phishing attempt, so I'd count it as part of the generally bad UX surrounding server notices.

@joepie91

Does the "invites that cannot be rejected" thing only occur for server notices though, or is it a generally available flag/error that might occur in other circumstances as well? In the latter case, it'd probably be worth keeping around a separate issue for it.

@turt2live
Member

It's only for server notices, provided the homeserver is following the spec.

@jryans jryans removed the Z-UI/UX label Mar 8, 2021
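
An added example, not part of the original thread and not Riot's own code: a sketch of how a client could turn the failed reject into the explanatory dialog proposed in the report. It keys only on the errcode in the homeserver's error response, never on the inviter's display name or avatar, which anyone can set. The function names, the result shape and the sample invite are assumptions made for illustration.

```javascript
// Added example; explainRejectFailure, parseUserId and the result shape are hypothetical.
const SERVER_NOTICE_ERRCODE = "M_CANNOT_LEAVE_SERVER_NOTICE_ROOM";

// Split "@localpart:server.name" into its parts; returns null for malformed IDs.
function parseUserId(userId) {
  const m = /^@([^:]+):(.+)$/.exec(String(userId));
  return m ? { localpart: m[1], server: m[2] } : null;
}

// invite:    { inviterId, displayName } as shown in the invite UI (inviter-controlled).
// errorBody: parsed JSON body of the homeserver's failed reject response,
//            in the standard { errcode, error } shape, or null if the reject succeeded.
function explainRejectFailure(invite, errorBody) {
  if (errorBody === null) return { kind: "rejected" };
  // Tolerate malformed bodies instead of throwing inside the error handler.
  const errcode = errorBody && typeof errorBody.errcode === "string"
    ? errorBody.errcode : "M_UNKNOWN";
  const text = errorBody && typeof errorBody.error === "string"
    ? errorBody.error : "Unknown error";
  if (errcode === SERVER_NOTICE_ERRCODE) {
    const inviter = parseUserId(invite.inviterId);
    // Only the homeserver's response puts the invite in this branch.
    return {
      kind: "server_notice",
      title: "Server Notice Room",
      body: "The matrix server wants to open a Room with you. " +
            "This room will be used to send server notices to you.",
      details: {
        name: invite.displayName,
        id: invite.inviterId,
        server: inviter ? inviter.server : null,
      },
      actions: ["I understand, join this room"],
    };
  }
  // Any other failure keeps the generic dialog, but surfaces the reason and code.
  return { kind: "error", title: "Failed to reject invite",
           body: `${text} (${errcode})`, actions: ["OK"] };
}

// Constructed sample: an invite that merely looks like a system account.
const sample = { inviterId: "@server:example.org", displayName: "System Alerts" };
console.log(explainRejectFailure(sample, { errcode: "M_FORBIDDEN", error: "Not allowed" }));
console.log(explainRejectFailure(sample,
  { errcode: SERVER_NOTICE_ERRCODE, error: "You cannot reject this invite" }));
```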