
C2S API allows illegal ban -> kick, which causes an implicit unban #655

Open
nexy7574 opened this issue Jan 5, 2025 · 3 comments
@nexy7574
Contributor

nexy7574 commented Jan 5, 2025

While performing some moderation with Draupnir, I noticed that it managed to unban a user while I was doing a mass kick. After reporting this to the Draupnir team, they informed me that this was an issue with the server as the bot does not check membership before and simply calls the /rooms/:room_id/kick endpoint.

I tested this behaviour (banning, then kicking) on both the latest Synapse, and the latest Dendrite, and both returned a 403 error for the kick. Furthermore, the issue was queried in the matrix spec room, which added that the spec doc for /kick states 403 should be returned when:

403: You do not have permission to kick the user from the room. A meaningful errcode and description error text will be returned. Example reasons for rejections are:

The kicker is not currently in the room.
The kickee is not currently in the room.
The kicker’s power level is insufficient to kick users from the room.

However, this behaviour is not correctly followed in conduwuit. A kick following a ban will update the ban membership state to a leave membership state, which implicitly unbans the banned user.
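The spec rules quoted above amount to a membership state-transition check that has to run at the C2S `/kick` handler before any leave event is built, because once a `leave` event for a banned user is generated it overwrites the `ban` state. The following is an added example written for this thread, not code from conduwuit, ruma or Draupnir; the `Membership`, `KickError` and `check_kick` names and the power-level parameters are hypothetical, and it models only the three rejection reasons listed in the spec excerpt.

```rust
// Added example (not conduwuit/ruma code): a C2S-layer guard for
// POST /rooms/{roomId}/kick, modelled on the three 403 reasons quoted
// from the spec. All names below are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Membership {
    Join,
    Leave,
    Invite,
    Ban,
    Knock,
}

#[derive(Debug, PartialEq, Eq)]
pub enum KickError {
    /// The kicker is not currently in the room.
    KickerNotInRoom,
    /// The kickee is not currently in the room (a banned user is NOT in the room).
    KickeeNotInRoom(Membership),
    /// The kicker's power level is below the room's kick level.
    InsufficientPowerLevel { have: i64, need: i64 },
}

impl KickError {
    /// Every rejection above maps to HTTP 403 with errcode M_FORBIDDEN.
    pub fn http_status(&self) -> u16 {
        403
    }
    pub fn errcode(&self) -> &'static str {
        "M_FORBIDDEN"
    }
}

/// Decide whether a /kick request may proceed. This runs BEFORE any leave
/// event is created, so a banned target never has `ban` replaced by `leave`.
/// On success it returns the membership the kick would produce.
pub fn check_kick(
    kicker_membership: Membership,
    kickee_membership: Membership,
    kicker_power_level: i64,
    room_kick_level: i64,
) -> Result<Membership, KickError> {
    if kicker_membership != Membership::Join {
        return Err(KickError::KickerNotInRoom);
    }
    // The bug in the issue: kickee is `ban`, and a kick would downgrade it to `leave`.
    // Treat anything other than `join` as "not currently in the room".
    if kickee_membership != Membership::Join {
        return Err(KickError::KickeeNotInRoom(kickee_membership));
    }
    if kicker_power_level < room_kick_level {
        return Err(KickError::InsufficientPowerLevel {
            have: kicker_power_level,
            need: room_kick_level,
        });
    }
    Ok(Membership::Leave)
}

fn main() {
    // Constructed scenario from the report: the user was banned, then a
    // mass kick reaches the same user. Power levels are made-up sample values.
    match check_kick(Membership::Join, Membership::Ban, 50, 50) {
        Ok(m) => println!("kick produced membership {:?}", m),
        Err(e) => println!("kick rejected: {} {} ({:?})", e.http_status(), e.errcode(), e),
    }
    // A joined user with a sufficiently powerful kicker is kicked normally.
    println!("{:?}", check_kick(Membership::Join, Membership::Join, 50, 50));
}
```

The important design point is the ordering: the membership check sits in front of event creation, so a moderation bot that calls `/kick` without looking up membership first, as described above, gets a 403 instead of silently lifting a ban.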

@girlbossceo
Owner

probably an upstream ruma bug really, but can just be fixed in conduwuit

@nexy7574
Contributor Author

nexy7574 commented Jan 5, 2025

Yeah can confirm, the same behaviour is present in conduit and other forks.

@nexy7574
Contributor Author

nexy7574 commented Jan 7, 2025

This issue has been fixed in Draupnir devel, so I'm going to close this issue and instead file it with ruma. The issue does still technically apply though, so feel free to reopen it if you feel it's still relevant.

@nexy7574 nexy7574 closed this as completed Jan 7, 2025
@girlbossceo girlbossceo reopened this Jan 7, 2025